====== Python format string ======
<code python>
CONFIG = {
    'SECRET_KEY': 'super secret key'
}

class Event(object):
    def __init__(self, id, level, message):
        self.id = id
        self.level = level
        self.message = message

def format_event(format_string, event):
    # str.format resolves attribute (".") and item ("[]") chains on the
    # passed object, so an attacker-controlled format_string can walk far
    # beyond the event's own fields
    return format_string.format(event=event)
</code>
If the user can inject ''format_string'' here, they can discover the secret with a single format field: ''event.__init__'' is a bound method, its ''__globals__'' is the dictionary of module globals (where ''CONFIG'' lives), and ''str.format'' treats unquoted bracket keys as string item lookups:
<code>
{event.__init__.__globals__[CONFIG][SECRET_KEY]}
</code>
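As an added example (not code from the original page), the vulnerable function beside a hardened variant built on ''string.Formatter'': overriding ''get_field'' means only allow-listed ''event.<attr>'' fields are ever resolved, so dunder and index traversal is rejected before any lookup happens. ''AllowListFormatter'', ''format_event_safe'' and ''demo'' are names introduced here.

```python
import string

# Same setup as the page, reproduced so the example runs stand-alone.
CONFIG = {'SECRET_KEY': 'super secret key'}

class Event(object):
    def __init__(self, id, level, message):
        self.id = id
        self.level = level
        self.message = message

def format_event(format_string, event):
    # Vulnerable: str.format follows arbitrary attribute/item chains.
    return format_string.format(event=event)

class AllowListFormatter(string.Formatter):
    """Resolve only 'event.<attr>' for an explicit allow-list of attrs.

    get_field() receives the raw field text between the braces (nested
    fields inside a format spec included), so anything that is not exactly
    'event.id', 'event.level' or 'event.message' raises instead of being
    looked up. Hypothetical hardening, not the original page's code."""
    ALLOWED = {'id', 'level', 'message'}

    def get_field(self, field_name, args, kwargs):
        obj_name, sep, attr = field_name.partition('.')
        if obj_name != 'event' or not sep or attr not in self.ALLOWED:
            raise ValueError('disallowed field: %r' % field_name)
        return getattr(kwargs['event'], attr), 'event'

def format_event_safe(format_string, event):
    return AllowListFormatter().format(format_string, event=event)

def demo():
    """Return (what the vulnerable path leaks, whether the safe path refused)."""
    ev = Event(7, 'WARN', 'disk almost full')
    payload = '{event.__init__.__globals__[CONFIG][SECRET_KEY]}'
    leak = format_event(payload, ev)          # 'super secret key'
    try:
        format_event_safe(payload, ev)
        blocked = False
    except ValueError:
        blocked = True
    return leak, blocked

if __name__ == '__main__':
    print(demo())
```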
https://lucumr.pocoo.org/2016/12/29/careful-with-str-format/
https://book.hacktricks.xyz/kr/generic-methodologies-and-resources/python/bypass-python-sandboxes#python-format-string