jsonrpc: Don't proxy "special" methods

mschmitzer · tcalmant · commit 1b6feb3c98a4 · 2017-06-27T09:45:29.000+02:00
Code that expects ServerProxy objects to be regular python objects can
trigger bogus rpc calls by accessing "special" methods (i.e. methods
starting and ending with two underscores). Avoid this by raising
AttributeError for such names instead of returning a method proxy.

A real life example for this is the "raven" sentry client calling
`__getattribute__('__sentry__')` on a ServerProxy instance when
reporting an exception.
diff --git a/jsonrpclib/jsonrpc.py b/jsonrpclib/jsonrpc.py
@@ -583,6 +583,9 @@ def __getattr__(self, name):
         """
         Returns a callable object to call the remote service
         """
+        if name.startswith("__") and name.endswith("__"):
+            # Don't proxy special methods.
+            raise AttributeError("ServerProxy has no attribute '%s'" % name)
         # Same as original, just with new _Method reference
         return _Method(self._request, name)
 
diff --git a/tests/test_compatibility.py b/tests/test_compatibility.py
@@ -113,6 +113,10 @@ def test_non_existent_method(self):
         self.assertTrue(request == verify_request)
         self.assertTrue(response == verify_response)
 
+    def test_special_method(self):
+        self.assertRaises(AttributeError, getattr, self.client, '__special_method__')
+        self.assertIsNone(self.history.request)
+
     def test_invalid_json(self):
         invalid_json = '{"jsonrpc": "2.0", "method": "foobar, ' + \
             '"params": "bar", "baz]'
