You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Right now get_tree is called in __init__ of many nodes, where they know what kind of child they expect. This can be a dict or a list for instance. In these cases, it'd be better for get_tree to accept an argument to limit the types of nodes it can return/construct.
This would work for some but not all cases, right? E.g. a TupleNode can't know the type of its content.
For all other cases, it probably wouldn't hurt. However, I don't see yet how this could be used as an attack, since at this stage we're not actually instantiating any objects (which doesn't mean we shouldn't still do it).
A minor problem is that this could lead to circular imports, but I haven't checked if it actually occurs.
Right now
get_tree
is called in__init__
of many nodes, where they know what kind of child they expect. This can be a dict or a list for instance. In these cases, it'd be better forget_tree
to accept an argument to limit the types of nodes it can return/construct.For instance, instead of
we could have
This would reduce the attack surface when loading a file.
The text was updated successfully, but these errors were encountered: