jsonrpc: Don't proxy "special" methods

Code that expects ServerProxy objects to be regular python objects can trigger bogus rpc calls by accessing "special" methods (i.e. methods starting and ending with two underscores). Avoid this by raising AttributeError for such names instead of returning a method proxy. A real life example for this is the "raven" sentry client calling `__getattribute__('__sentry__')` on a ServerProxy instance when reporting an exception.
tcalmant · Jun 27, 2017 · 1b6feb3 · 1b6feb3
1 parent 5f53fcd
commit 1b6feb3
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/jsonrpclib/jsonrpc.py b/jsonrpclib/jsonrpc.py
@@ -583,6 +583,9 @@ def __getattr__(self, name):
         """
         Returns a callable object to call the remote service
         """
+        if name.startswith("__") and name.endswith("__"):
+            # Don't proxy special methods.
+            raise AttributeError("ServerProxy has no attribute '%s'" % name)
         # Same as original, just with new _Method reference
         return _Method(self._request, name)
 

diff --git a/tests/test_compatibility.py b/tests/test_compatibility.py
@@ -113,6 +113,10 @@ def test_non_existent_method(self):
         self.assertTrue(request == verify_request)
         self.assertTrue(response == verify_response)
 
+    def test_special_method(self):
+        self.assertRaises(AttributeError, getattr, self.client, '__special_method__')
+        self.assertIsNone(self.history.request)
+
     def test_invalid_json(self):
         invalid_json = '{"jsonrpc": "2.0", "method": "foobar, ' + \
             '"params": "bar", "baz]'