sandbox disallows `clear` and `pop` on mutable sequence

diff --git a/CHANGES.rst b/CHANGES.rst
index 1a1a526b5fe9f98c2367fd7e66da7ccabd0e9d9d..f48eb0399555fd247074503e48f0d42dc6f77d56 100644 (file)
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -26,6 +26,8 @@ Unreleased
     objects. :issue:`2025`
 -   Fix `copy`/`pickle` support for the internal ``missing`` object.
     :issue:`2027`
+-   Sandbox does not allow ``clear`` and ``pop`` on known mutable sequence
+    types. :issue:`2032`
 
 
 Version 3.1.4

diff --git a/src/jinja2/sandbox.py b/src/jinja2/sandbox.py
index ce276156cb0aea8bfa306044646052a8029b9bcb..8200195db66dd9ca561e0530cd7c684aac74d052 100644 (file)
--- a/src/jinja2/sandbox.py
+++ b/src/jinja2/sandbox.py
@@ -60,7 +60,9 @@ _mutable_spec: t.Tuple[t.Tuple[t.Type[t.Any], t.FrozenSet[str]], ...] = (
     ),
     (
         abc.MutableSequence,
-        frozenset(["append", "reverse", "insert", "sort", "extend", "remove"]),
+        frozenset(
+            ["append", "clear", "pop", "reverse", "insert", "sort", "extend", "remove"]
+        ),
     ),
     (
         deque,

diff --git a/tests/test_security.py b/tests/test_security.py
index 0e8dc5c0385d3baffffb100353e70d7183b482e9..9c7c4427a4757f4524b97b9aa5217f6ccd3f80eb 100644 (file)
--- a/tests/test_security.py
+++ b/tests/test_security.py
@@ -58,6 +58,8 @@ class TestSandbox:
     def test_immutable_environment(self, env):
         env = ImmutableSandboxedEnvironment()
         pytest.raises(SecurityError, env.from_string("{{ [].append(23) }}").render)
+        pytest.raises(SecurityError, env.from_string("{{ [].clear() }}").render)
+        pytest.raises(SecurityError, env.from_string("{{ [1].pop() }}").render)
         pytest.raises(SecurityError, env.from_string("{{ {1:2}.clear() }}").render)
 
     def test_restricted(self, env):