Changed deepdiff/delta.py:237 so dunder traversal from check_elem() raises immediately instead of

seperman · seperman · commit b697d65bddfe · 2026-04-27T12:20:05.000-07:00
going through _raise_or_log(). Also added full-path preflight validation in
  _get_elements_and_details() so the set_item_added path introduced in the last commit cannot
  silently skip malicious dunder paths.
diff --git a/deepdiff/delta.py b/deepdiff/delta.py
@@ -237,11 +237,7 @@ def _get_elem_and_compare_to_old_value(
         forced_old_value=None,
         next_element=None,
     ):
-        try:
-            check_elem(elem)
-        except ValueError as error:
-            self._raise_or_log(UNABLE_TO_GET_ITEM_MSG.format(path_for_err_reporting, error))
-            return not_found
+        check_elem(elem)
         # if forced_old_value is not None:
         try:
             if action == GET:
@@ -525,6 +521,8 @@ def _do_pre_process(self):
     def _get_elements_and_details(self, path):
         try:
             elements = _path_to_elements(path)
+            for elem, _ in elements:
+                check_elem(elem)
             if len(elements) > 1:
                 elements_subset = elements[:-2]
                 if len(elements_subset) != len(elements):
@@ -546,8 +544,9 @@ def _get_elements_and_details(self, path):
                 obj = self
                 # obj = self.get_nested_obj(obj=self, elements=elements[:-1])
             elem, action = elements[-1]  # type: ignore
-            check_elem(elem)
         except Exception as e:
+            if isinstance(e, ValueError) and str(e) == "traversing dunder attributes is not allowed":
+                raise
             self._raise_or_log(UNABLE_TO_GET_ITEM_MSG.format(path, e))
             return None
         else:
diff --git a/tests/test_security.py b/tests/test_security.py
@@ -42,7 +42,9 @@ def test_builtins_int(self):
         assert 42 == int("41") + 1
 
         # Apply Delta to mydict
-        result = mydict + Delta(pollute_int)
+        with pytest.raises(ValueError) as exc_info:
+            mydict + Delta(pollute_int)
+        assert "traversing dunder attributes is not allowed" == str(exc_info.value)
 
         assert 1337 == int("1337")
 
@@ -128,6 +130,8 @@ def myfunc(self):
         PWNED = False
         delta = Delta(pollute_global)
         assert PWNED is False
-        b = Foo() + delta
+        with pytest.raises(ValueError) as exc_info:
+            Foo() + delta
+        assert "traversing dunder attributes is not allowed" == str(exc_info.value)
 
         assert PWNED is False
