From 546100ec60fa4962423af4a9066be1833b267f6b Mon Sep 17 00:00:00 2001
From: Ankush Menat
Date: Mon, 9 Mar 2026 19:34:25 +0530
Subject: [PATCH] fix: check return type of getattr (#37873)
---
 frappe/utils/safe_exec.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/frappe/utils/safe_exec.py b/frappe/utils/safe_exec.py
index 1b10fc30f1..4cea836616 100644
--- a/frappe/utils/safe_exec.py
+++ b/frappe/utils/safe_exec.py
@@ -543,7 +543,11 @@ def _getattr_for_safe_exec(object, name, default=None):
 # 2. it is not an UNSAFE_ATTRIBUTES
 _validate_attribute_read(object, name)
 
- return RestrictedPython.Guards.safer_getattr(object, name, default=default)
+ ret = RestrictedPython.Guards.safer_getattr(object, name, default=default)
+ if isinstance(ret, types.ModuleType | types.CodeType | types.TracebackType | types.FrameType):
+ raise SyntaxError(f"Reading {type(ret)} is not allowed")
+
+ return ret
 
 
 def _get_attr_for_eval(object, name, default=ARGUMENT_NOT_SET):
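Review bot: The new return-type check covers only `_getattr_for_safe_exec`; `_get_attr_for_eval`, whose signature is the last context line of the hunk, is not touched by this commit (the diffstat lists this single hunk), so if it performs its own `getattr` rather than delegating here, the eval path can still hand back module, code, traceback or frame objects. Its body lies outside the hunk, so this needs confirming against the file; if it does differ, moving the `isinstance` check into a small shared helper called from both guards would keep them in step. The numbered comment above the call should gain a third item, e.g. `# 3. the value read is not a module, code, traceback or frame object`, since the list now understates what the guard enforces. The commit also adds no test, so a regression test asserting that reading a module-valued attribute through this guard raises would pin the behaviour. `_getattr_for_safe_exec` begins before the hunk.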