fix(server scripts): Restrict access to python's internal attributes

frappe/__init__.py

@@ -1693,6 +1693,23 @@ def safe_eval(code, eval_globals=None, eval_locals=None):
 		"round": round
 	}
 
+	UNSAFE_ATTRIBUTES = {
+		# Generator Attributes
+		"gi_frame", "gi_code",
+		# Coroutine Attributes
+		"cr_frame", "cr_code", "cr_origin",
+		# Async Generator Attributes
+		"ag_code", "ag_frame",
+		# Traceback Attributes
+		"tb_frame", "tb_next",
+		# Format Attributes
+		"format", "format_map",
+	}
+
+	for attribute in UNSAFE_ATTRIBUTES:
+		if attribute in code:
+			throw('Illegal rule {0}. Cannot use "{1}"'.format(bold(code), attribute))
+
 	if '__' in code:
 		throw('Illegal rule {0}. Cannot use "__"'.format(bold(code)))
 

frappe/utils/safe_exec.py

@@ -150,6 +150,7 @@ def get_safe_globals():
 	# default writer allows write access
 	out._write_ = _write
 	out._getitem_ = _getitem
+	out._getattr_ = _getattr
 
 	# allow iterators and list comprehension
 	out._getiter_ = iter
@@ -176,6 +177,27 @@ def _getitem(obj, key):
 		raise SyntaxError('Key starts with _')
 	return obj[key]
 
+def _getattr(object, name, default=None):
+	# guard function for RestrictedPython
+	# allow any key to be accessed as long as
+	# 1. it does not start with an underscore (safer_getattr)
+	# 2. it is not an UNSAFE_ATTRIBUTES
+
+	UNSAFE_ATTRIBUTES = {
+		# Generator Attributes
+		"gi_frame", "gi_code",
+		# Coroutine Attributes
+		"cr_frame", "cr_code", "cr_origin",
+		# Async Generator Attributes
+		"ag_code", "ag_frame",
+		# Traceback Attributes
+		"tb_frame", "tb_next",
+	}
+
+	if isinstance(name, str) and (name in UNSAFE_ATTRIBUTES):
+		raise SyntaxError("{name} is an unsafe attribute".format(name=name))
+	return RestrictedPython.Guards.safer_getattr(object, name, default=default)
+
 def _write(obj):
 	# guard function for RestrictedPython
 	# allow writing to any object