close security hole and backward incompatibilty in awkward.persist.wh…

…itelist handling
scikit-hep · May 20, 2019 · 627c5c7 · 627c5c7
1 parent d20f0d5
commit 627c5c7
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 7 deletions.
diff --git a/awkward/array/table.py b/awkward/array/table.py
@@ -259,7 +259,7 @@ def fromrec(cls, recarray):
         return out
 
     @classmethod
-    def frompairs(cls, pairs, rowstart):
+    def frompairs(cls, pairs, rowstart=0):
         out = cls()
         for n, x in pairs:
             out[n] = x

diff --git a/awkward/persist.py b/awkward/persist.py
@@ -9,6 +9,7 @@
 import numbers
 import os
 import pickle
+import types
 import zipfile
 import zlib
 try:
@@ -39,12 +40,13 @@
         ["awkward", "Table"],
         ["awkward", "numpy", "frombuffer"],
         ["awkward.util", "frombuffer"],
-        ["awkward.persist", "*"],
+        ["awkward.persist"],
         ["awkward.arrow", "_ParquetFile", "fromjson"],
         ["uproot_methods.classes.*"],
-        ["uproot.tree._LazyFiles"],
-        ["uproot.tree._LazyTree"],
-        ["uproot.tree._LazyBranch"],
+        ["uproot_methods.profiles.*"],
+        ["uproot.tree", "_LazyFiles"],
+        ["uproot.tree", "_LazyTree"],
+        ["uproot.tree", "_LazyBranch"],
     ]
 
 def frompython(obj):
@@ -62,11 +64,17 @@ def spec2function(obj, awkwardlib="awkward", whitelist=whitelist):
             if obj[0] == "awkward":
                 obj = [awkwardlib] + obj[1:]
             gen, genname = importlib.import_module(obj[0]), obj[1:]
+            if not isinstance(gen, types.ModuleType):
+                raise TypeError("first item of a function description must be a module")
+            if genname[:1] == ["numpy"]:
+                gen, genname = getattr(gen, genname[0]), genname[1:]
             while len(genname) > 0:
                 gen, genname = getattr(gen, genname[0]), genname[1:]
+                if isinstance(gen, types.ModuleType):
+                    raise TypeError("non-first items of a function description must not be a module")
             break
     else:
-        raise RuntimeError("callable not in whitelist; add it by passing a whitelist argument:\n\n    whitelist = awkward.persist.whitelist + [{0}]".format(obj))
+        raise RuntimeError("callable not in whitelist; add it by passing a whitelist argument:\n\n    whitelist = awkward.persist.whitelist + [{0}]".format(repr(obj)))
     return gen
 
 def dtype2json(obj):

diff --git a/awkward/version.py b/awkward/version.py
@@ -4,7 +4,7 @@
 
 import re
 
-__version__ = "0.10.0"
+__version__ = "0.10.1"
 version = __version__
 version_info = tuple(re.split(r"[-\.]", __version__))