Merge commit from fork

icemac · web-flow · commit 48a92c5bb617 · 2025-01-23T08:13:45.000+01:00
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -1,11 +1,23 @@
 Changes
 =======
 
-7.5 (unreleased)
+8.0 (unreleased)
 ----------------
 
+Backwards incompatible changes
+++++++++++++++++++++++++++++++
+
+- Disallow ``try/except*`` clauses due to a possible sandbox escape and
+  probable uselessness of this feature in the context of ``RestrictedPython``.
+  In addition, remove ``ExceptionGroup`` from ``safe_builtins`` (as useful only
+  with ``try/except*``). - This feature was introduced into
+  ``RestrictedPython`` in version 6.0 for Python 3.11+. (CVE-2025-22153)
+
 - Drop support for Python 3.8.
 
+Features
+++++++++
+
 - Update setuptools version pin.
   (`#292 <https://github.com/zopefoundation/RestrictedPython/issues/292>`_)
 
diff --git a/setup.py b/setup.py
@@ -25,7 +25,7 @@ def read(*rnames):
 
 
 setup(name='RestrictedPython',
-      version='7.5.dev0',
+      version='8.0.dev0',
       url='https://github.com/zopefoundation/RestrictedPython',
       license='ZPL-2.1',
       description=(
diff --git a/src/RestrictedPython/Guards.py b/src/RestrictedPython/Guards.py
@@ -17,7 +17,6 @@
 
 import builtins
 
-from RestrictedPython._compat import IS_PY311_OR_GREATER
 from RestrictedPython.transformer import INSPECT_ATTRIBUTES
 
 
@@ -106,9 +105,6 @@
     'ZeroDivisionError',
 ]
 
-if IS_PY311_OR_GREATER:
-    _safe_exceptions.append("ExceptionGroup")
-
 for name in _safe_names:
     safe_builtins[name] = getattr(builtins, name)
 
diff --git a/src/RestrictedPython/transformer.py b/src/RestrictedPython/transformer.py
@@ -1141,8 +1141,8 @@ def visit_Try(self, node):
         return self.node_contents_visit(node)
 
     def visit_TryStar(self, node):
-        """Allow `ExceptionGroup` without restrictions."""
-        return self.node_contents_visit(node)
+        """Disallow `ExceptionGroup` due to a potential sandbox escape."""
+        self.not_allowed(node)
 
     def visit_ExceptHandler(self, node):
         """Protect exception handlers."""
diff --git a/tests/transformer/test_try.py b/tests/transformer/test_try.py
@@ -68,19 +68,13 @@ def try_except_star(m):
     not IS_PY311_OR_GREATER,
     reason="ExceptionGroup class was added in Python 3.11.",
 )
-def test_RestrictingNodeTransformer__visit_TryStar__1(mocker):
-    """It allows try-except* PEP 654 statements."""
-    trace = mocker.stub()
-    restricted_exec(TRY_EXCEPT_STAR)['try_except_star'](trace)
-
-    trace.assert_has_calls([
-        mocker.call('try'),
-        mocker.call('IndentationError'),
-        mocker.call('ValueError')
-    ])
-
-    with pytest.raises(AssertionError):
-        trace.assert_has_calls([mocker.call('RuntimeError')])
+def test_RestrictingNodeTransformer__visit_TryStar__1():
+    """It denies try-except* PEP 654 statements."""
+    result = compile_restricted_exec(TRY_EXCEPT_STAR)
+    assert result.errors == (
+        'Line 3: TryStar statements are not allowed.',
+    )
+    assert result.code is None
 
 
 TRY_FINALLY = """
