    # Deliberately vulnerable setup: module-level config next to a class
    # whose bound methods can be reached from a format string.
    CONFIG = { 'SECRET_KEY': 'super secret key' }

    class Event(object):
        def __init__(self, id, level, message):
            self.id = id
            self.level = level
            self.message = message

    def format_event(format_string, event):
        # format_string is treated as trusted here; that is the bug.
        return format_string.format(event=event)
If an attacker controls format_string here, they can read the secret with a single replacement field, because the format mini-language allows attribute access and item lookup on any argument passed to .format(), and the bound method event.__init__ exposes the module namespace through its __globals__ attribute:
{event.__init__.__globals__[CONFIG][SECRET_KEY]}
https://lucumr.pocoo.org/2016/12/29/careful-with-str-format/
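The following added example (not code from the original note or from the linked post) reproduces the leak above and shows one way to close it: a string.Formatter subclass whose get_field only resolves an explicit whitelist of dotted field names, so neither dunder traversal nor [...] indexing is ever evaluated. The names SafeFormatter, SAFE_FIELDS, format_event_safe and rejects are assumptions introduced for the example.

```python
import string

# Constructed reproduction of the vulnerable setup from the note.
CONFIG = {'SECRET_KEY': 'super secret key'}


class Event(object):
    def __init__(self, id, level, message):
        self.id = id
        self.level = level
        self.message = message


def format_event(format_string, event):
    """Vulnerable: attacker-controlled format_string gets full attribute/item access."""
    return format_string.format(event=event)


# The payload from the note: bound method -> function globals -> CONFIG -> key.
ATTACKER_FORMAT = '{event.__init__.__globals__[CONFIG][SECRET_KEY]}'


def demo_leak(event):
    """Returns the leaked secret when fed the attacker's format string."""
    return format_event(ATTACKER_FORMAT, event)


class SafeFormatter(string.Formatter):
    """Formatter that resolves only whitelisted field paths (example, assumed name).

    string.Formatter.get_field is the hook that turns 'event.__init__.__globals__'
    into attribute lookups; by checking the raw field name against a fixed set
    before delegating, nothing outside the whitelist is ever touched. Nested
    fields inside a format spec ({x:{y}}) also pass through get_field, so they
    are covered too.
    """

    def __init__(self, allowed):
        super().__init__()
        self.allowed = frozenset(allowed)

    def get_field(self, field_name, args, kwargs):
        if field_name not in self.allowed:
            raise ValueError('disallowed field in format string: %r' % field_name)
        return super().get_field(field_name, args, kwargs)


# Only plain attributes of the event are legitimate template fields.
SAFE_FIELDS = ('event.id', 'event.level', 'event.message')


def format_event_safe(format_string, event):
    """Hardened replacement for format_event using the whitelist above."""
    return SafeFormatter(SAFE_FIELDS).format(format_string, event=event)


def rejects(format_string, event):
    """True if the hardened formatter refuses the given format string."""
    try:
        format_event_safe(format_string, event)
    except ValueError:
        return True
    return False


if __name__ == '__main__':
    ev = Event(1, 'info', 'hello')
    print('vulnerable:', demo_leak(ev))
    print('safe:', format_event_safe('[{event.level}] #{event.id}: {event.message}', ev))
    print('payload rejected:', rejects(ATTACKER_FORMAT, ev))
```

The whitelist is deliberately on the raw field text rather than on the resolved object: blocking names that start with an underscore is not enough, since indexing ([...]) and non-dunder attributes can also lead to dangerous objects, whereas a closed set of allowed paths leaves nothing to bypass.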