From bf9d34a907442bd134fa330e8c1b6bbc336a67a8 Mon Sep 17 00:00:00 2001
From: Teng Liu <27rabbitlt@gmail.com>
Date: Fri, 1 Dec 2023 15:28:05 +0100
Subject: [PATCH] fix sanitizer forbid usage of \d+.\d*j

---
 numexpr/necompiler.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/numexpr/necompiler.py b/numexpr/necompiler.py
index 4709957..20ec8e5 100644
--- a/numexpr/necompiler.py
+++ b/numexpr/necompiler.py
@@ -265,7 +265,7 @@ def __str__(self):
 _flow_pat = r'[\;\[\:]'
 _dunder_pat = r'(^|[^\w])__[\w]+__($|[^\w])'
-_attr_pat = r'\.\b(?!(real|imag|\d*[eE]?[+-]?\d+)\b)'
+_attr_pat = r'\.\b(?!(real|imag|(\d*[eE]?[+-]?\d+)|\d*j)\b)'
 _blacklist_re = re.compile(f'{_flow_pat}|{_dunder_pat}|{_attr_pat}')
 
 def stringToExpression(s, types, context, sanitize: bool=True):
@@ -275,6 +275,7 @@ def stringToExpression(s, types, context, sanitize: bool=True):
     # parse into its homebrew AST. This is to protect the call to `eval` below.
     # We forbid `;`, `:`. `[` and `__`, and attribute access via '.'.
     # We cannot ban `.real` or `.imag` however...
+    # We also cannot ban `.\d*j`, where `\d*` is some digits (or none), e.g. 1.5j, 1.j
     if sanitize:
         no_whitespace = re.sub(r'\s+', '', s)
         if _blacklist_re.search(no_whitespace) is not None:
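Review bot: The new `\d*j` alternative in `_attr_pat` also admits a bare `j` with no digits, so after whitespace stripping an expression such as `x.j` now passes the sanitizer alongside the intended `1.j`/`1.5j`; since this regex guards the `eval` call, the digit-less form should only be excused when the dot follows a digit. Keeping the alternative and adding a branch that rejects a digit-less `j` after a non-digit does that in one line: `_attr_pat = r'\.\b(?!(real|imag|(\d*[eE]?[+-]?\d+)|\d*j)\b)|(?<!\d)\.j\b'`. Whether `.j` attribute access reaches anything harmful depends on the namespace handed to `eval`, which is outside this hunk, and the pre-existing exceptions (`.real`, `.imag`, the `\d*[eE]?[+-]?\d+` form) as well as identifiers ending in a digit (`x1.j`) remain reachable as attribute names, so this only narrows the case this commit newly opens. A sanitizer test asserting that `1.j` and `1.5j` are accepted while `x.j` is rejected would pin the intent against future regex edits. The body of `stringToExpression` continues past the end of the second hunk.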