fix: dont allow NamedExpr in safe_eval

frappe/tests/test_safe_exec.py

@@ -44,6 +44,9 @@ class TestSafeExec(FrappeTestCase):
 		)
 		self.assertEqual(1, frappe.safe_eval("int(enabled)", eval_locals=user.as_dict()))
 
+	def test_safe_eval_wal(self):
+		self.assertRaises(SyntaxError, frappe.safe_eval, "(x := (40+2))")
+
 	def test_sql(self):
 		_locals = dict(out=None)
 		safe_exec(

frappe/utils/safe_exec.py

@@ -1,3 +1,4 @@
+import ast
 import copy
 import inspect
 import json
@@ -95,12 +96,7 @@ def safe_eval(code, eval_globals=None, eval_locals=None):
 
 	code = unicodedata.normalize("NFKC", code)
 
-	for attribute in UNSAFE_ATTRIBUTES:
-		if attribute in code:
-			frappe.throw(f'Illegal rule {frappe.bold(code)}. Cannot use "{attribute}"')
-
-	if "__" in code:
-		frappe.throw(f'Illegal rule {frappe.bold(code)}. Cannot use "__"')
+	_validate_safe_eval_syntax(code)
 
 	if not eval_globals:
 		eval_globals = {}
@@ -115,6 +111,21 @@ def safe_eval(code, eval_globals=None, eval_locals=None):
 	)
 
 
+def _validate_safe_eval_syntax(code):
+	BLOCKED_NODES = (ast.NamedExpr,)
+	for attribute in UNSAFE_ATTRIBUTES:
+		if attribute in code:
+			frappe.throw(f'Illegal rule {frappe.bold(code)}. Cannot use "{attribute}"', exc=AttributeError)
+
+	if "__" in code:
+		frappe.throw(f'Illegal rule {frappe.bold(code)}. Cannot use "__"', exc=AttributeError)
+
+	tree = ast.parse(code, mode="eval")
+	for node in ast.walk(tree):
+		if isinstance(node, BLOCKED_NODES):
+			raise SyntaxError(f"Operation not allowed: line {node.lineno} column {node.col_offset}")
+
+
 @contextmanager
 def safe_exec_flags():
 	frappe.flags.in_safe_exec = True