U
|
����Þ=®dø8��ã��������������������@���s(���U�d�Z�d�d�l�Z�d�d�l�Z�d�d�l�Z�d�d�l�m�Z���d�d�l�m�Z���d�d�l�m Z ��d�d�l
|
m�Z���d�d�l�m Z ��d�d�l�m�Z���d d
|
l�m�Z���d d�l�m�Z���d d�l�m�Z���d d l�m�Z���e�j�d�e�j�d�e�j�f���d��Z�d�Z�e��Z�e�j�e���e�d�<�e��Z e�j�e���e�d�<�d�d�h�Z!d�d�h�Z"d�d�h�Z#e�j$e%d�d�d�d�d�d�d d!g��f�e�j&e%d�d�d"d#d!g��f�e�j'e%d$d%d&d'd(d�g��f�e e%d$d)d�d(d*d�d+d�d,g �f�f�Z(e�j)e�j)e�j*e�j+e���f���d�f���e�d-<�e�j�e�j,e���d.�d/d0�Z-e.e/d1�d2d3�Z0e�e�d4�d5d6�Z1e�j�e�e2d7�d8d9�Z3e�j�e�e2d7�d:d;�Z4G�d<d=�d=e��Z5G�d>d?�d?e5�Z6G�d@dA�dAe��Z7G�dBdC�dCe7e �Z8d�S�)DzA sandbox layer that ensures unsafe operations cannot be performed.
|
Useful when the template itself comes from an untrusted source.
|
é����N)�Ú�formatter_field_name_split)�Ú�abc)�Ú�deque)�Ú Formatter)�Ú�EscapeFormatter)�Ú�Markupé����)�Ú�Environment)�Ú SecurityError)�Ú�Context)�Ú UndefinedÚ�F.)�Ú�boundi ��Ú�UNSAFE_FUNCTION_ATTRIBUTESÚ�UNSAFE_METHOD_ATTRIBUTESÚ�gi_frameÚ�gi_codeÚ�cr_frameÚ�cr_codeÚ�ag_codeÚ�ag_frameÚ�addÚ�clearÚ�difference_updateÚ�discardÚ�popÚ�removeÚ�symmetric_difference_updateÚ�updateÚ�popitemÚ
|
setdefaultÚ�appendÚ�reverseÚ�insertÚ�sortÚ�extendÚ
|
appendleftÚ
|
extendleftÚ�popleftÚ�rotateÚ _mutable_spec)�Ú�callableÚ�returnc��������������������C���s8���t�|�t�j�t�j�f��r�|�j�d�k�r d�S�|�j�}�t�|�t��r4|�S�d�S�)�N)�Ú�formatÚ
|
format_map)�Ú
|
isinstanceÚ�typesÚ
|
MethodTypeÚ�BuiltinMethodTypeÚ�__name__Ú�__self__Ú�str)�r+���Ú�obj©�r7���úEd:\z\workplace\vscode\pyvenv\venv\Lib\site-packages\jinja2/sandbox.pyÚ�inspect_format_methodS���s����������
|
ÿ���þ������
|
���r9���)��argsr,���c��������������������G���s(���t�|��}�t�|��t�k�r$t�d�t��d����|�S�)�zWA range that can't generate ranges with a length of more than
|
MAX_RANGE items.
|
z@Range too big. The sandbox blocks ranges larger than MAX_RANGE (z�).)�Ú�rangeÚ�lenÚ MAX_RANGEÚ OverflowError)�r:���Ú�rngr7���r7���r8���Ú
|
safe_rangea���s������������
|
ÿ��r@���)�Ú�fr,���c��������������������C���s
|
���d�|�_�|�S�)�zMarks a function or method as unsafe.
|
|
.. code-block: python
|
|
@unsafe
|
def delete(self):
|
pass
|
T)�Ú�unsafe_callable)�rA���r7���r7���r8���Ú�unsafep���s����� ��rC���)�r6���Ú�attrr,���c��������������������C���sØ���t�|�t�j��r�|�t�k�rÎd�S�n´t�|�t�j��r<|�t�k�s6|�t�k�rÎd�S�nt�|�t��rT|�d�k�rÎd�S�nzt�|�t�j�t�j�t�j f��rnd�S�t�|�t�j
|
�r|�t�k�rÎd�S�nFt�t�d��r¬t�|�t�j �r¬|�t�k�rÎd�S�n"t�t�d��rÎt�|�t�j��rÎ|�t�k�rÎd�S�|� �d�¡�S�)�a´���Test if the attribute given is an internal python attribute. For
|
example this function returns `True` for the `func_code` attribute of
|
python objects. This is useful if the environment method
|
:meth:`~SandboxedEnvironment.is_safe_attribute` is overridden.
|
|
>>> from jinja2.sandbox import is_internal_attribute
|
>>> is_internal_attribute(str, "mro")
|
True
|
>>> is_internal_attribute(str, "upper")
|
False
|
TÚ�mroÚ CoroutineTypeÚ�AsyncGeneratorTypeÚ�__)�r/���r0���Ú�FunctionTyper����r1���r����Ú�typeÚ�CodeTypeÚ TracebackTypeÚ FrameTypeÚ GeneratorTypeÚ�UNSAFE_GENERATOR_ATTRIBUTESÚ�hasattrrF���Ú�UNSAFE_COROUTINE_ATTRIBUTESrG���Ú!UNSAFE_ASYNC_GENERATOR_ATTRIBUTESÚ
|
startswith)�r6���rD���r7���r7���r8����is_internal_attribute}���s0�����������������
|
��������������������������ÿ������rT���c��������������������C���s(���t�D�]�\�}�}�t�|�|��r�|�|�k�����S�q�d�S�)�að���This function checks if an attribute on a builtin mutable object
|
(list, dict, set or deque) or the corresponding ABCs would modify it
|
if called.
|
|
>>> modifies_known_mutable({}, "clear")
|
True
|
>>> modifies_known_mutable({}, "keys")
|
False
|
>>> modifies_known_mutable([], "append")
|
True
|
>>> modifies_known_mutable([], "index")
|
False
|
|
If called with an unsupported object, ``False`` is returned.
|
|
>>> modifies_known_mutable("foo", "upper")
|
False
|
F)�r*���r/���)�r6���rD���Z�typespecrC���r7���r7���r8���Ú�modifies_known_mutable¢���s��������
|
���rU���c������������������������s��e�Z�d�Z�U�d�Z�d�Z�e�j�e�j�e�j�e�j e�j
|
e�j�e�j�d��Z e�j�e�e�j�e�j�e�j�g�e�j�f���f���e�d�<�e�j�e�j�d��Z�e�j�e�e�j�e�j�g�e�j�f���f���e�d�<�e��Z�e�j�e���e�d�<�e��Z�e�j�e���e�d�<�e�j�e�j�d d
|
��f�d�d��Z�e�j�e�e�j�e�d �d�d��Z�e�j�e�d��d�d��Z�e�e�e�j�e�j�e�j�d��d�d��Z e�e�e�j�e�j�d��d�d��Z!e�j�e�j"e�e�j�f���e�j"e�j�e#f���d��d�d��Z$e�j�e�e�j"e�j�e#f���d��d�d��Z%e�j�e�e#d��d�d �Z&d(e�e�j'e�j�d!f���e�j�e�e�j�f���e�j(e�j���e�d"�d#d$�Z)e�e�j�e�j�e�j�e�j�d%�d&d'�Z*���Z+S�))�SandboxedEnvironmenta��The sandboxed environment. It works like the regular environment but
|
tells the compiler to generate sandboxed code. Additionally subclasses of
|
this environment may override the methods that tell the runtime what
|
attributes or functions are safe to access.
|
|
If the template tries to access insecure code a :exc:`SecurityError` is
|
raised. However also other exceptions may occur during the rendering so
|
the caller has to ensure that all exceptions are caught.
|
T)�ú�+ú�-Ú�*ú�/z�//z�**ú�%Ú�default_binop_table)�rW���rX���Ú�default_unop_tableÚ�intercepted_binopsÚ�intercepted_unopsN)�r:���Ú�kwargsr,���c������������������������s4���t��j�|�|����t�|�j�d�<�|�j� �¡�|�_�|�j� �¡�|�_�d�S�)�Nr;���) Ú�superÚ�__init__r@���Ú�globalsr\���Ú�copyÚ�binop_tabler]���Ú
|
unop_table)�Ú�selfr:���r`���©�Ú __class__r7���r8���rb���ü���s��������
|
���z�SandboxedEnvironment.__init__©�r6���rD���Ú�valuer,���c��������������������C���s����|� �d�¡�p�t�|�|����S�)�aY���The sandboxed environment will call this method to check if the
|
attribute of an object is safe to access. Per default all attributes
|
starting with an underscore are considered private as well as the
|
special attributes of internal python objects as returned by the
|
:func:`is_internal_attribute` function.
|
Ú�_)�rS���rT���©�rg���r6���rD���rk���r7���r7���r8���Ú�is_safe_attribute����s������z&SandboxedEnvironment.is_safe_attribute)�r6���r,���c��������������������C���s����t�|�d�d��p�t�|�d�d����S�)�zêCheck if an object is safely callable. By default callables
|
are considered safe unless decorated with :func:`unsafe`.
|
|
This also recognizes the Django convention of setting
|
``func.alters_data = True``.
|
rB���FZ�alters_data)�Ú�getattr)�rg���r6���r7���r7���r8���Ú�is_safe_callable����s�������ÿz%SandboxedEnvironment.is_safe_callable)�Ú�contextÚ�operatorÚ�leftÚ�rightr,���c��������������������C���s����|�j�|���|�|��S�)�z÷For intercepted binary operator calls (:meth:`intercepted_binops`)
|
this function is executed instead of the builtin operator. This can
|
be used to fine tune the behavior of certain operators.
|
|
.. versionadded:: 2.6
|
)�re���)�rg���rq���rr���rs���rt���r7���r7���r8���Ú
|
call_binop����s����� z�SandboxedEnvironment.call_binop)�rq���rr���Ú�argr,���c��������������������C���s����|�j�|���|��S�)�zõFor intercepted unary operator calls (:meth:`intercepted_unops`)
|
this function is executed instead of the builtin operator. This can
|
be used to fine tune the behavior of certain operators.
|
|
.. versionadded:: 2.6
|
)�rf���)�rg���rq���rr���rv���r7���r7���r8���Ú call_unop!���s������z�SandboxedEnvironment.call_unop)�r6���Ú�argumentr,���c��������������������C���s¨���z
|
|�|���W�S���t�t�f�k
|
r������t�|�t��rz�t�|��}�W�n���t�k
|
rH������Y�nLX�z�t�|�|��}�W�n���t�k
|
rl������Y�n(X�|� �|�|�|�¡�r|���Y�S�|� �|�|�¡���Y�S�Y�n�X�|�j |�|�d��S�)�z(Subscribe an object from sandboxed code.©�r6���Ú�name)
|
Ú TypeErrorÚ�LookupErrorr/���r5���Ú Exceptionro���Ú�AttributeErrorrn���Ú�unsafe_undefinedÚ undefined)�rg���r6���rx���rD���rk���r7���r7���r8���Ú�getitem*���s �������
|
|
�����������������������z�SandboxedEnvironment.getitem)�r6���Ú attributer,���c��������������������C���sx���z�t�|�|��}�W�n<��t�k
|
rJ������z�|�|���W���Y�S���t�t�f�k
|
rD������Y�n�X�Y�n X�|� �|�|�|�¡�r^|�S�|� �|�|�¡�S�|�j�|�|�d��S�)�zSubscribe an object from sandboxed code and prefer the
|
attribute. The attribute passed *must* be a bytestring.
|
ry���)�ro���r~���r{���r|���rn���r���r���)�rg���r6���r���rk���r7���r7���r8���ro���A���s��������������������������z�SandboxedEnvironment.getattrc��������������������C���s&���|�j�d�|��d�t�|��j��d��|�|�t�d��S�)�z1Return an undefined object for unsafe attributes.z�access to attribute z� of z� object is unsafe.)�rz���r6����exc)�r���rJ���r3���r
|
���)�rg���r6���r���r7���r7���r8���r���R���s���������������ûz%SandboxedEnvironment.unsafe_undefined.)�Ú�sr:���r`���Ú�format_funcr,���c��������������������C���s���t�|�t��r�t�|�|�j�d��}�n�t�|��}�|�d�k rl|�j�d�k�rlt�|��d�k�sD|�r`t�d�t�|��|�d�k ���d����|�d���}�d�}�|� �|�|�|�¡�}�t |��|��S�) z
If a format call is detected, then this is routed through this
|
method so that our safety sandbox can be used for it.
|
)��escapeNr.���r����z(format_map() takes exactly one argument z� givenr����r7���)
|
r/���r�����SandboxedEscapeFormatterr����SandboxedFormatterr3���r<���r{����vformatrJ���)�rg���r���r:���r`���r
���Ú formatterÚ�rvr7���r7���r8���Ú format_string\���s������
|
������������ÿ��������z"SandboxedEnvironment.format_string)�Ú�_SandboxedEnvironment__contextÚ�_SandboxedEnvironment__objr:���r`���r,���c��������������������O���sJ���t�|��}�|�d�k r |� �|�|�|�|�¡�S�|� �|�¡�s8t�|��d����|�j�|�f�|��|��S�)�z#Call an object from sandboxed code.Nz� is not safely callable)�r9���r���rp���r
|
����call)�Z�_SandboxedEnvironment__selfr���r���r:���r`����fmtr7���r7���r8���r���y���s������������
|
���z�SandboxedEnvironment.call)�N),r3���Ú
|
__module__Ú�__qualname__Ú�__doc__Z sandboxedrr���r����Ú�subÚ�mulÚ�truedivÚ�floordivÚ�powÚ�modr\���Ú�tÚ�Dictr5���Ú�CallableÚ�AnyÚ�__annotations__Ú�posÚ�negr]���Ú frozensetr^���Ú FrozenSetr_���rb���Ú�boolrn���rp���r����ru���rw���Ú�Unionr����r���ro���r���Ú�TupleÚ�Optionalr���r���Ú __classcell__r7���r7���rh���r8���rV���»���sZ���
|
|
���������������ù,����þ(�������� �����������þ���
|
�����þ�� ����û��������
|
��ú�����������úrV���c������������������������s0���e�Z�d�Z�d�Z�e�j�e�e�j�e�d���f�d�d��Z����Z S�)�Ú�ImmutableSandboxedEnvironmentzÓWorks exactly like the regular `SandboxedEnvironment` but does not
|
permit modifications on the builtin mutable objects `list`, `set`, and
|
`dict` by using the :func:`modifies_known_mutable` function.
|
rj���c������������������������s ���t�� �|�|�|�¡�s�d�S�t�|�|����S�)�NF)�ra���rn���rU���rm���rh���r7���r8���rn������s����������z/ImmutableSandboxedEnvironment.is_safe_attribute)
|
r3���r���r���r���r���r���r5���r£���rn���r§���r7���r7���rh���r8���r¨������s��������r¨���c������������������������s\���e�Z�d�Z�e�e�j�d�d���f�d�d��Z�e�e�j�e�j���e�j e�e�j�f���e�j
|
e�j�e�f���d��d�d��Z����Z�S�)�r���N)�Ú�envr`���r,���c������������������������s����|�|�_�t��j�f�|����d�S�©�N)�Ú�_envra���rb���)�rg���r©���r`���rh���r7���r8���rb������s��������z�SandboxedFormatter.__init__)�Ú
|
field_namer:���r`���r,���c������������ �������C���sR���t�|��\�}�}�|� �|�|�|�¡�}�|�D�]*\�}�}�|�r:|�j� �|�|�¡�}�q�|�j� �|�|�¡�}�q�|�|�f�S�rª���)�r����Ú get_valuer«���ro���r���) rg���r¬���r:���r`���Ú�firstÚ�restr6���Ú�is_attrÚ�ir7���r7���r8���Ú get_field���s������������������z�SandboxedFormatter.get_field) r3���r���r���r ���r���r���rb���r5���Ú�SequenceÚ�Mappingr¥���r²���r§���r7���r7���rh���r8���r������s����������
|
����þr���c��������������������@���s����e�Z�d�Z�d�S�)�r���N)�r3���r���r���r7���r7���r7���r8���r���«���s������r���)9r���rr���r0���Ú�typingr���Ú�_stringr����Ú�collectionsr����r����Ú�stringr����Z
|
markupsafer����r����Ú�environmentr ���Ú
|
exceptionsr
|
���Z�runtimer����r����Ú�TypeVarr���r���r ���r=���Ú�setr����Ú�Setr5���r���r����rO���rQ���rR���Ú
|
MutableSetr¡���Ú�MutableMappingÚ�MutableSequencer*���r¥���Ú�Typer¢���r¦���r9���Ú�intr;���r@���rC���r£���rT���rU���rV���r¨���r���r���r7���r7���r7���r8���Ú�<module>����s����������������������������������������������������������������ø�ÿ�þ�����þ�����þ�����������������������÷�ÿ�þ�è(+����� �%����R� ��
|
