Allow input() while updating blocked built-ins and related tests

Author: m-messer

CLAUDE.md

@@ -55,7 +55,7 @@ All source lives in `evaluation_function/`:
 `_SecurityVisitor` walks the AST before any execution and blocks:
 
 - **Modules**: `os`, `sys`, `subprocess`, `socket`, `urllib`, `http`, `requests`, `shutil`, `pathlib`, `ftplib`, `smtplib`, `ctypes`, `multiprocessing`, `threading`, `importlib`, `pickle`, `builtins`
-- **Builtins**: `exec`, `eval`, `compile`, `open`, `__import__`, `input`
+- **Builtins**: `exec`, `eval`, `compile`, `open`, `__import__`
 - **Dunder attribute access**: any `__attr__` style attribute
 
 ## Key commands

docs/dev.md

@@ -118,7 +118,7 @@ Called before evaluation. Parses the student code as an AST and checks for secur
 | Category | Blocked items |
 |----------|--------------|
 | Module imports | `os`, `sys`, `subprocess`, `socket`, `urllib`, `http`, `requests`, `shutil`, `pathlib`, `ftplib`, `smtplib`, `ctypes`, `multiprocessing`, `threading`, `importlib`, `pickle`, `builtins` |
-| Builtins | `exec`, `eval`, `compile`, `open`, `__import__`, `input` |
+| Builtins | `exec`, `eval`, `compile`, `open`, `__import__` |
 | Attribute access | Any dunder (`__attr__`) attribute |
 
 ### Response

docs/user.md

@@ -158,7 +158,7 @@ Params:
 Students' code is checked before execution. The following are blocked and will return an error before the code runs:
 
 - Importing: `os`, `sys`, `subprocess`, `socket`, `requests`, `pathlib`, and other system/network modules
-- Calling: `exec`, `eval`, `compile`, `open`, `__import__`
+- Calling: `exec`, `eval`, `compile`, `open`, `__import__` (but **`input()` is allowed**)
 - Accessing dunder attributes (`__class__`, `__dict__`, etc.)
 
 These restrictions cannot be bypassed; attempts result in an error feedback item rather than execution.

evaluation_function/preview.py

@@ -9,7 +9,7 @@
     "pickle", "builtins",
 }
 
-_BLOCKED_BUILTINS = {"exec", "eval", "compile", "open", "__import__", "input"}
+_BLOCKED_BUILTINS = {"exec", "eval", "compile", "open", "__import__"}
 
 
 class _SecurityVisitor(ast.NodeVisitor):

evaluation_function/preview_test.py

@@ -46,4 +46,11 @@ def test_dunder_access(self):
         result = preview_function(response, params)
 
         self.assertIn("preview", result)
-        self.assertIn("Unsafe", result["preview"].get("feedback", ""))
+        self.assertIn("Unsafe", result["preview"].get("feedback", ""))
+
+    def test_input_is_allowed(self):
+        response, params = "x = int(input())", Params()
+        result = preview_function(response, params)
+
+        self.assertIn("preview", result)
+        self.assertNotIn("Unsafe", result["preview"].get("feedback", ""))