# authentic2 - versatile identity manager
|
|
# Copyright (C) 2010-2019 Entr'ouvert
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify it
|
|
# under the terms of the GNU Affero General Public License as published
|
|
# by the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU Affero General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU Affero General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
import sys
|
|
|
|
from django.core.exceptions import ValidationError
|
|
try:
|
|
from functools import lru_cache
|
|
except ImportError:
|
|
from django.utils.lru_cache import lru_cache
|
|
from django.utils.translation import ugettext as _
|
|
from django.utils import six
|
|
|
|
|
|
import ast
|
|
|
|
|
|
class HTTPHeaders:
    """Read-only, case-insensitive view of request headers stored in ``request.META``.

    A header name such as ``X-Forwarded-For`` is looked up under the key
    ``HTTP_X_FORWARDED_FOR``. Values are whatever the request carried, so
    they are client-controlled unless a trusted front end sets them.
    """

    # NOTE(review): Django keeps Content-Type and Content-Length in META
    # without the HTTP_ prefix, so those two headers are not reachable
    # through this mapping - confirm that is intended.

    def __init__(self, request):
        self.request = request

    def __contains__(self, header):
        """Return True when the header is present in the request."""
        key = 'HTTP_%s' % header.upper().replace('-', '_')
        return key in self.request.META

    def __getitem__(self, header):
        """Return the header value, or None (not KeyError) when it is absent."""
        key = 'HTTP_%s' % header.upper().replace('-', '_')
        return self.request.META.get(key)
|
|
|
|
|
|
class Unparse(ast.NodeVisitor):
    """Produce a short textual form of an AST node for error reporting.

    Only ``ast.Name`` nodes are rendered (as the identifier); every other
    node class falls through to ``ast.NodeVisitor.generic_visit`` and yields
    None.
    """

    def visit_Name(self, node):
        # The identifier is the only text that can be recovered here.
        return node.id
|
|
|
|
|
|
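class ExpressionError(ValidationError):
    """Validation error raised for an expression that is invalid or forbidden.

    On top of the ValidationError fields it carries:

    - ``node``: the offending AST node, when one with a ``col_offset`` is known,
    - ``column``: column of the error in the expression,
    - ``text``: text of the offending node or of the whole expression.

    Each of them is None when unknown.
    """

    # Misspelled name kept so that any existing reference keeps working;
    # ``column`` is the attribute the rest of the class sets and reads.
    colummn = None
    # Without this default, reading ``column`` on an error built with neither
    # a positioned node nor a column raised AttributeError.
    column = None
    node = None
    text = None

    def __init__(self, message, code=None, params=None, node=None, column=None, text=None):
        super(ExpressionError, self).__init__(message, code=code, params=params)
        # Nodes without a position (operators, contexts) are ignored here; an
        # enclosing node can be attached later through set_node().
        if hasattr(node, 'col_offset'):
            self.set_node(node)
        # Explicit column and text take precedence over the node's values.
        if column is not None:
            self.column = column
        if text is not None:
            self.text = text

    def set_node(self, node):
        """Attach *node* and take the column and text of the error from it."""
        assert hasattr(node, 'col_offset'), 'only node with col_offset attribute'
        self.node = node
        self.column = node.col_offset
        # Unparse only renders ast.Name nodes, so text is None for the others.
        self.text = Unparse().visit(node)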
|
|
|
|
|
|
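class BaseExpressionValidator(ast.NodeVisitor):
    """Validate an expression against an allow-list of AST node classes.

    Calling an instance parses the expression in ``eval`` mode, checks every
    node of the tree and returns the compiled code object; any rejection is
    reported as an ExpressionError.

    A node passes the generic check when it is an instance of at least one
    class of ``authorized_nodes`` and of no class of ``forbidden_nodes``; the
    root ``ast.Expression`` node always passes. A subclass adds a per-class
    check by defining a ``check_<NodeClassName>(node)`` method.
    """

    # Class-level defaults, shared by every instance that does not receive
    # its own lists: treat them as read-only.
    authorized_nodes = []
    forbidden_nodes = []

    def __init__(self, authorized_nodes=None, forbidden_nodes=None):
        if authorized_nodes is not None:
            self.authorized_nodes = authorized_nodes
        if forbidden_nodes is not None:
            self.forbidden_nodes = forbidden_nodes

    def generic_visit(self, node):
        """Check *node*, then recurse on its children.

        Raises ExpressionError when the node class is not authorized, is
        forbidden, or is rejected by a ``check_<NodeClassName>`` method.
        """
        # generic node class checks: allow-list first, the deny-list wins
        if isinstance(node, ast.Expression):
            ok = True
        else:
            ok = any(isinstance(node, klass) for klass in self.authorized_nodes)
            if any(isinstance(node, klass) for klass in self.forbidden_nodes):
                ok = False
        if not ok:
            raise ExpressionError(_('expression is forbidden'), node=node, code='forbidden-expression')

        # specific node class check
        check_method = getattr(self, 'check_' + node.__class__.__name__, None)
        if check_method:
            check_method(node)

        # now recurse on subnodes
        try:
            return super(BaseExpressionValidator, self).generic_visit(node)
        except ExpressionError as e:
            # for errors in non expr nodes (so without a col_offset attribute),
            # set the nearest enclosing expr node as the node of the error
            if e.node is None and hasattr(node, 'col_offset'):
                e.set_node(node)
            raise

    # The cache key is (self, expression): a cached code object reflects the
    # node lists as they were when the expression was first validated, and the
    # cache keeps a reference to every instance that was called. Rejected
    # expressions are not cached, since lru_cache does not store exceptions.
    @lru_cache(maxsize=1024)
    def __call__(self, expression):
        """Return the code object compiled from *expression* once validated.

        Raises ExpressionError with code ``parsing-error`` when the source
        cannot be parsed, or with the code set by the failing check.
        """
        try:
            tree = ast.parse(expression, mode='eval')
        except (SyntaxError, ValueError) as e:
            # The translated message has no placeholder, so formatting it
            # with "% e" raised TypeError instead of reporting the parse
            # error. ast.parse also raises ValueError for some inputs (a NUL
            # byte on older interpreters); ValueError has no offset.
            raise ExpressionError(
                '%s: %s' % (_('could not parse expression'), e),
                code='parsing-error',
                column=getattr(e, 'offset', None),
                text=expression)
        try:
            self.visit(tree)
        except ExpressionError as e:
            # Fall back to the whole expression when no node text is known.
            if e.text is None:
                e.text = expression
            raise
        # Compile the validated tree itself, not the source text, so the code
        # object matches exactly what was checked.
        return compile(tree, expression, mode='eval')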
|
|
|
|
# Since python 3.8 literals are parsed to ast.Constant, which replaces Num,
# Str, Bytes and NameConstant (True, False, None). The conditional expression
# only touches the legacy classes on the older interpreters.
CONSTANT_CLASSES = (ast.Constant,) if sys.version_info >= (3, 8) else (ast.Num, ast.Str, ast.Bytes)
|
|
|
|
|
|
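class ConditionValidator(BaseExpressionValidator):
    '''
       Only authorize :
       - direct variable references, whose name does not start with an underscore,
       - num and str constants,
       - boolean expressions with all operators,
       - unary operator expressions with all operators,
       - if expressions (x if y else z),
       - compare expressions with all operators.
       - subscript with a constant index.

       Are implicitly forbidden:
       - binary expressions (so no "'aaa' * 99999999999" or 233333333333333233**2232323233232323 bombs),
       - lambda,
       - literal list, tuple, dict and sets,
       - comprehensions (list, dict and set),
       - generators,
       - yield,
       - call,
       - Repr node (the Python 2 backtick syntax),
       - attribute access,
    '''
    authorized_nodes = [
        ast.Load,
        ast.Name,
        ast.Num,
        ast.Str,
        ast.BoolOp,
        ast.UnaryOp,
        ast.IfExp,
        ast.Subscript,
        ast.Index,
        ast.boolop,
        ast.cmpop,
        ast.Compare,
    ]

    def __init__(self, authorized_nodes=None, forbidden_nodes=None):
        super(ConditionValidator, self).__init__(
            authorized_nodes=authorized_nodes,
            forbidden_nodes=forbidden_nodes)
        if six.PY3:
            # Extend a copy: appending in place modified the class-level list
            # (one more entry per instance created) or the list object passed
            # in by the caller.
            self.authorized_nodes = list(self.authorized_nodes) + [ast.NameConstant]

    def check_Name(self, node):
        """Reject names with a leading underscore (private and dunder names)."""
        if node.id.startswith('_'):
            raise ExpressionError(_('name must not start with a _'), code='invalid-variable', node=node)

    def check_Subscript(self, node):
        """Only accept a subscript whose index is a constant.

        NOTE(review): the subscripted value is not required to be a plain
        name here; any authorized expression can be subscripted - confirm
        that matches the intent of the class docstring.
        """
        # check subscript are constant number or strings
        index = node.slice
        if isinstance(index, ast.Index):
            # python < 3.9 wraps the index expression in ast.Index; since 3.9
            # node.slice holds the expression itself, and requiring the
            # wrapper made every subscript fail on those versions.
            index = index.value
        if (not isinstance(index, CONSTANT_CLASSES)
                # with python <3.8 the node class is enough to determine the value
                or (sys.version_info >= (3, 8) and not isinstance(index.value, (int, str, bytes)))):
            raise ExpressionError(_('subscript index MUST be a constant'), code='invalid-subscript', node=node)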
|
|
|
|
|
|
# Shared validator instance, used by evaluate_condition() when the caller
# does not pass its own validator.
validate_condition = ConditionValidator()
|
|
|
|
# Globals handed to eval() by evaluate_condition(). Supplying an explicit
# '__builtins__' mapping keeps eval() from inserting the real builtins
# module, so True and False are the only builtin names that resolve.
condition_safe_globals = {'__builtins__': {'True': True, 'False': False}}
|
|
|
|
|
|
def evaluate_condition(expression, ctx=None, validator=None, on_raise=None):
    """Validate *expression*, evaluate it and return the resulting value.

    ``ctx`` maps variable names to values and is used as the locals of the
    evaluation (empty when omitted). ``validator`` is a callable returning a
    code object for the expression; it defaults to ``validate_condition``.

    When ``on_raise`` is not None it is returned in place of any exception
    raised by validation or evaluation, ExpressionError included; otherwise
    the exception propagates. A caller that gates access on the result
    should therefore pass the value that denies.
    """
    try:
        check = validator or validate_condition
        compiled = check(expression)
        scope = ctx or {}
        try:
            # eval() only receives the code object returned by the validator;
            # a custom validator that skips the AST checks removes that
            # guarantee.
            return eval(compiled, condition_safe_globals, scope)
        except NameError as exc:
            # NameError does not report the column of the name reference :/
            message = _('variable is not defined: %s') % exc
            raise ExpressionError(message, code='undefined-variable', text=expression, column=0)
    except Exception:
        if on_raise is None:
            raise
        return on_raise
|