Harden dataclass utils (#1171)

google · Jan 3, 2025 · 748e20d · 748e20d
1 parent cbab8bf
commit 748e20d
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 0 deletions.
diff --git a/mesop/dataclass_utils/dataclass_utils.py b/mesop/dataclass_utils/dataclass_utils.py
@@ -129,6 +129,10 @@ def update_dataclass_from_json(instance: Any, json_string: str):
 
 def _recursive_update_dataclass_from_json_obj(instance: Any, json_dict: Any):
   for key, value in json_dict.items():
+    if key.startswith("__") and key.endswith("__"):
+      raise MesopDeveloperException(
+        f"Cannot use dunder property: {key} in stateclass"
+      )
     if hasattr(instance, key):
       attr = getattr(instance, key)
       if isinstance(value, dict):

diff --git a/mesop/dataclass_utils/dataclass_utils_test.py b/mesop/dataclass_utils/dataclass_utils_test.py
@@ -14,6 +14,7 @@
   serialize_dataclass,
   update_dataclass_from_json,
 )
+from mesop.exceptions import MesopDeveloperException
 
 
 @dataclass
@@ -593,5 +594,23 @@ class ChildClass(ParentClass):
   assert has_parent(ParentClass) is False
 
 
+def test_globals_pollution():
+  @dataclass
+  class A:
+    val: str
+
+  initial_name = __name__
+  obj = A(val="default")
+  with pytest.raises(MesopDeveloperException) as exc_info:
+    update_dataclass_from_json(
+      obj, '{"__init__": {"__globals__": {"__name__": "polluted"}}}'
+    )
+  assert "Cannot use dunder property: __init__ in stateclass" in str(
+    exc_info.value
+  )
+  # Make sure __name__ has not been modified via the __globals__ pollution attempt
+  assert __name__ == initial_name
+
+
 if __name__ == "__main__":
   raise SystemExit(pytest.main(["-vv", __file__]))