From 124093bc962101c377d5eefbe88da77b083f44d0 Mon Sep 17 00:00:00 2001 From: Michiel Borkent Date: Thu, 3 Oct 2024 20:59:34 +0200 Subject: [PATCH 1/3] Fix #934: :allow may contain namespaced symbols --- CHANGELOG.md | 1 + src/sci/impl/resolve.cljc | 13 +++++++------ test/sci/core_test.cljc | 3 +++ 3 files changed, 11 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c69196df..07ae1013 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ SCI is used in [babashka](https://github.com/babashka/babashka), - Fix [#926](https://github.com/babashka/sci/issues/926): Support `add-watch` on vars in CLJS - Support `aset` on primitive array using reflection - Fix [#928](https://github.com/babashka/sci/issues/928): record constructor supports optional meta + ext map +- Fix #934: `:allow` may contain namespaced symbols ## 0.8.43 (2024-08-06) diff --git a/src/sci/impl/resolve.cljc b/src/sci/impl/resolve.cljc index 76b7ce48..df76373b 100644 --- a/src/sci/impl/resolve.cljc +++ b/src/sci/impl/resolve.cljc @@ -21,13 +21,15 @@ :sci.impl/op :resolve-sym :sci.impl/idx idx)))) -(defn check-permission! [ctx sym [check-sym v]] +(defn check-permission! [ctx sym kv] (or (identical? utils/allowed-loop sym) (identical? utils/allowed-recur sym) - (let [check-sym (strip-core-ns check-sym) + (let [check-sym (strip-core-ns sym) allow (:allow ctx)] - (when-not (if allow (or (and (utils/var? v) (not (:sci/built-in (meta v)))) - (contains? allow check-sym)) + (when-not (if allow + (let [[_ v] kv] + (or (and (utils/var? v) (not (:sci/built-in (meta v)))) + (contains? allow check-sym))) true) (throw-error-with-location (str sym " is not allowed!") sym)) (let [deny (:deny ctx)] @@ -87,8 +89,7 @@ stack) (->Node (interop/get-static-fields clazz path) - stack)) - ))))])))) + stack))))))])))) ;; no sym-ns (or ;; prioritize refers over vars in the current namespace, see 527 diff --git a/test/sci/core_test.cljc b/test/sci/core_test.cljc index 5303d01a..d9a0b0e6 100644 
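Review bot: The `:deny` check that starts at `(let [deny (:deny ctx)]` now sees the symbol as the sandboxed code spelled it, because `check-sym` is built from `sym` instead of the key in `kv`. If the lookup that produces `kv` resolves namespace aliases (it is outside this hunk, so this is inferred), an alias-qualified reference to a denied var would no longer match its `:deny` entry, and a bare `:deny` entry would stop covering the same name reached through another namespace. One conservative option is to test both spellings in the deny branch, e.g. `(or (contains? deny check-sym) (contains? deny (strip-core-ns (first kv))))`, with a regression test that reaches a denied symbol through an alias. The body of `check-permission!` runs past the end of the hunk, so confirm the exact deny expression there before changing it.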
--- a/test/sci/core_test.cljc +++ b/test/sci/core_test.cljc @@ -469,6 +469,8 @@ (is (= 3 ((tu/eval* "(fn [x] (if (> x 1) (inc x)))" {:allow '[fn fn* if > inc]}) 2)))) (is (tu/eval* (str (list `#(inc %) 10)) {:allow '[fn* inc]})) (is (tu/eval* (str (list `#(let [x %] x) 10)) {:allow '[fn* let let*]})) + (is (tu/eval* "(impl/mapv inc [1 2 3])" {:allow '[impl/mapv inc] + :namespaces {'impl {'mapv mapv}}})) (is (thrown-with-msg? #?(:clj Exception :cljs js/Error) #"allowed" (tu/eval* "(loop [] (recur))" {:deny '[loop*]}))) @@ -481,6 +483,7 @@ (is (thrown-with-msg? #?(:clj Exception :cljs js/Error) #"allowed" (tu/eval* "(clojure.core/inc 1)" {:deny '[clojure.core/inc]}))) + (testing "for/doseq are macroexpanded properly" (is (= 'loop* (first (tu/eval* "(macroexpand '(doseq [i [1 2 3]] nil))" {})))) (is (= 'let* From f6a9bb6d0ad764be38d65f7fcf9b72f4396ff811 Mon Sep 17 00:00:00 2001 From: Michiel Borkent Date: Thu, 3 Oct 2024 21:00:00 +0200 Subject: [PATCH 2/3] changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 07ae1013..d74be5d9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,7 +15,7 @@ SCI is used in [babashka](https://github.com/babashka/babashka), - Fix [#926](https://github.com/babashka/sci/issues/926): Support `add-watch` on vars in CLJS - Support `aset` on primitive array using reflection - Fix [#928](https://github.com/babashka/sci/issues/928): record constructor supports optional meta + ext map -- Fix #934: `:allow` may contain namespaced symbols +- Fix [#934](https://github.com/babashka/sci/issues/934): `:allow` may contain namespaced symbols ## 0.8.43 (2024-08-06) From 5202712fc8e8aa6515674a9d3d5e90caecf3b488 Mon Sep 17 00:00:00 2001 From: Michiel Borkent Date: Thu, 3 Oct 2024 21:05:36 +0200 Subject: [PATCH 3/3] fix tests --- test/sci/core_test.cljc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
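Review bot: The added `impl/mapv` assertion covers only the permitted case, so a regression that lets every namespaced symbol past `:allow` would still pass; the same holds for the rewritten form of this assertion in PATCH 3/3. A negative companion would pin the boundary, for example `(is (thrown-with-msg? #?(:clj Exception :cljs js/Error) #"allowed" (sci/eval-string "(impl/mapv inc [1 2 3])" {:allow '[inc] :namespaces {'impl {'mapv mapv}}})))`. A matching case with `:deny '[impl/mapv]` would cover the deny path, which now also works from the symbol as written.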
diff --git a/test/sci/core_test.cljc b/test/sci/core_test.cljc index d9a0b0e6..c361593e 100644 --- a/test/sci/core_test.cljc +++ b/test/sci/core_test.cljc @@ -469,8 +469,8 @@ (is (= 3 ((tu/eval* "(fn [x] (if (> x 1) (inc x)))" {:allow '[fn fn* if > inc]}) 2)))) (is (tu/eval* (str (list `#(inc %) 10)) {:allow '[fn* inc]})) (is (tu/eval* (str (list `#(let [x %] x) 10)) {:allow '[fn* let let*]})) - (is (tu/eval* "(impl/mapv inc [1 2 3])" {:allow '[impl/mapv inc] - :namespaces {'impl {'mapv mapv}}})) + (is (= [2 3 4] (sci/eval-string "(impl/mapv inc [1 2 3])" {:allow '[impl/mapv inc] + :namespaces {'impl {'mapv mapv}}}))) (is (thrown-with-msg? #?(:clj Exception :cljs js/Error) #"allowed" (tu/eval* "(loop [] (recur))" {:deny '[loop*]})))
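Review bot: This assertion is the only one in the visible block that calls `sci/eval-string` while its neighbours use `tu/eval*`, and nothing on the line says why. Presumably the `:namespaces` map carries a host function value that the test helper cannot pass through; if so, a one-line comment above it such as `;; sci/eval-string: :namespaces holds a fn value, which tu/eval* cannot forward` would keep a later cleanup from reverting the call. The reason is not visible in the hunk, so the author should confirm the wording.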