forbid Django {{ in Python expression or condition (#23616)

tests/test_api.py

@@ -2034,6 +2034,9 @@ def test_validate_condition(pub):
     resp = get_app(pub).get('/api/validate-condition?type=python&value_python=hello -')
     assert resp.json['klass'] == 'error'
     assert resp.json['msg'].startswith('syntax error')
+    resp = get_app(pub).get('/api/validate-condition?type=python&value_python={{form_number}}==3')
+    assert resp.json['klass'] == 'error'
+    assert 'Python condition cannot contain {{' in resp.json['msg']
 
     resp = get_app(pub).get('/api/validate-condition?type=django&value_django=~2')
     assert resp.json['klass'] == 'error'

tests/test_widgets.py

@@ -500,6 +500,11 @@ def test_computed_expression_widget():
     assert widget.has_error()
     assert widget.get_error().startswith('syntax error')
 
+    widget = ComputedExpressionWidget('test')
+    mock_form_submission(req, widget, {'test': '={{form_var_foo}}'})
+    assert widget.has_error()
+    assert 'Python expression cannot contain {{' in widget.get_error()
+
     widget = ComputedExpressionWidget('test')
     mock_form_submission(req, widget, {'test': '{{ form_var_xxx }}'})
     assert not widget.has_error()

wcs/conditions.py

@@ -73,6 +73,8 @@ class Condition(object):
         return getattr(self, 'validate_' + self.type)()
 
     def validate_python(self):
+        if '{{' in self.value:
+            raise ValidationError(_('invalid usage, Python condition cannot contain {{'))
         try:
             compile(self.value, '<string>', 'eval')
         except (SyntaxError, TypeError) as e:

wcs/qommon/form.py

@@ -2270,6 +2270,8 @@ class ComputedExpressionWidget(StringWidget):
         if not expression:
             return
         if expression.startswith('='):
+            if '{{' in expression[1:]:
+                raise ValidationError(_('invalid usage, Python expression cannot contain {{'))
             try:
                 compile(expression[1:], '<string>', 'eval')
             except SyntaxError as e: