@@ -726,17 +726,8 @@ def _eval_subscript(self, node):
726726 return container [key ]
727727
728728 def _eval_attribute (self , node ):
729- if self .allowed_attrs is not None :
730- allowed_attrs = self .allowed_attrs .get (type (node .value .value ), TypeNotSpecified )
731- if allowed_attrs == TypeNotSpecified :
732- raise FeatureNotAvailable (
733- f"Sorry, attribute access not allowed on '{ type (node .value .value )}
734- )
735- if node .attr not in allowed_attrs :
736- raise FeatureNotAvailable (
737- f"Sorry, '{ node .attr } { type (node .value .value )}
738- )
739-
729+ # DISALLOW_PREFIXES & DISALLOW_METHODS are global, there's never any access to
730+ # attrs with these names, so we can bail early:
740731 for prefix in DISALLOW_PREFIXES :
741732 if node .attr .startswith (prefix ):
742733 raise FeatureNotAvailable (
@@ -748,9 +739,27 @@ def _eval_attribute(self, node):
748739 raise FeatureNotAvailable (
749740 "Sorry, this method is not available. " "({0})" .format (node .attr )
750741 )
751- # eval node
742+
743+ # Evaluate "node" - the thing that we're trying to access an attr of first:
752744 node_evaluated = self ._eval (node .value )
753745
746+ # If we've opted in to the 'allowed_attrs' checking per type, then since we now
747+ # know what kind of node we've got, we can check if we're permitted to access this
748+ # attr name on this node:
749+ if self .allowed_attrs is not None :
750+ type_to_check = type (node_evaluated )
751+
752+ allowed_attrs = self .allowed_attrs .get (type_to_check , TypeNotSpecified )
753+ if allowed_attrs == TypeNotSpecified :
754+ raise FeatureNotAvailable (
755+ f"Sorry, attribute access not allowed on '{ type_to_check }
756+ f" (attempted to access `.{ node .attr }
757+ )
758+ if node .attr not in allowed_attrs :
759+ raise FeatureNotAvailable (
760+ f"Sorry, '{ node .attr } { type_to_check }
761+ )
762+
754763 # Maybe the base object is an actual object, not just a dict
755764 try :
756765 return getattr (node_evaluated , node .attr )
0 commit comments