disallow imports from modules starting with '_'

zopefoundation · May 17, 2018 · 4299c95 · 4299c95
1 parent 2c4af14
commit 4299c95
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 3 deletions.
diff --git a/docs/CHANGES.rst b/docs/CHANGES.rst
@@ -23,6 +23,8 @@ Changes
   protected build-ins.
   (`#102 <https://github.com/zopefoundation/RestrictedPython/issues/102>`_)
 
+- Imports like `from _a import b` or `from a._b import x` are now forbidden.
+
 
 4.0b3 (2018-04-12)
 ------------------

diff --git a/src/RestrictedPython/transformer.py b/src/RestrictedPython/transformer.py
@@ -451,6 +451,13 @@ def check_import_names(self, node):
 
         => 'from _a import x' is ok, because '_a' is not added to the scope.
         """
+        if (isinstance(node, ast.ImportFrom)
+            and not node.module == '__future__'
+            and any(
+                [name.startswith('_') for name in node.module.split('.')]
+                )):
+            self.error(node, 'module name starts "_", which is forbidden.')
+
         for name in node.names:
             if '*' in name.name:
                 self.error(node, '"*" imports are not allowed.')

diff --git a/tests/transformer/test_import.py b/tests/transformer/test_import.py
@@ -45,11 +45,30 @@ def test_RestrictingNodeTransformer__visit_Import__5(c_exec):
 
 
 @pytest.mark.parametrize(*c_exec)
-def test_RestrictingNodeTransformer__visit_Import_6(c_exec):
+def test_RestrictingNodeTransformer__visit_Import__6_1(c_exec):
     """It allows importing from a module starting with `_`."""
     result = c_exec('from _a import m')
-    assert result.errors == ()
-    assert result.code is not None
+    assert result.errors == (
+        'Line 1: module name starts "_", which is forbidden.',
+    )
+
+
+@pytest.mark.parametrize(*c_exec)
+def test_RestrictingNodeTransformer__visit_Import__6_2(c_exec):
+    """It allows importing from a module starting with `_`."""
+    result = c_exec('from a._b import m')
+    assert result.errors == (
+        'Line 1: module name starts "_", which is forbidden.',
+    )
+
+
+@pytest.mark.parametrize(*c_exec)
+def test_RestrictingNodeTransformer__visit_Import__6_3(c_exec):
+    """It allows importing from a module starting with `_`."""
+    result = c_exec('from _a.b import m')
+    assert result.errors == (
+        'Line 1: module name starts "_", which is forbidden.',
+    )
 
 
 @pytest.mark.parametrize(*c_exec)