#390 HIGH: Unsafe getattr() on user-controlled attribute names
Description
variable_resolver.py:314-315 - Uses getattr() with user-controlled segment names. Could expose internal object attributes. Fix: Restrict to dict/list access only, never getattr on arbitrary objects.
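The pattern described above next to the restricted form the fix calls for, as an added example (not the project's code from variable_resolver.py). The function names, the Config class and the sample context are hypothetical and constructed for illustration; a dotted path syntax is assumed.

```python
# Added example; resolve_unsafe, resolve_safe and Config are hypothetical names,
# not taken from variable_resolver.py.

class ResolutionError(LookupError):
    """Raised when a path segment cannot be resolved through dict/list access."""

def resolve_unsafe(root, path):
    """Pattern the issue describes: falls back to getattr() on any object."""
    current = root
    for segment in path.split("."):
        if isinstance(current, dict):
            current = current[segment]
        else:
            current = getattr(current, segment)  # user-controlled attribute name
    return current

def resolve_safe(root, path):
    """Hardened form: only dict keys and list indexes are ever followed."""
    current = root
    for segment in path.split("."):
        if isinstance(current, dict):
            if segment not in current:
                raise ResolutionError(f"unknown key: {segment!r}")
            current = current[segment]
        elif isinstance(current, list):
            # isdecimal() rejects "-1", "", and anything int() could not parse.
            if not segment.isdecimal() or int(segment) >= len(current):
                raise ResolutionError(f"bad list index: {segment!r}")
            current = current[int(segment)]
        else:
            # Strings, numbers and arbitrary objects are leaves: no getattr().
            raise ResolutionError(f"cannot descend into {type(current).__name__}")
    return current

class Config:  # constructed sample object holding an internal field
    def __init__(self):
        self.api_key = "constructed-secret"

# Constructed sample context that a variable path would be resolved against.
CONTEXT = {"user": {"name": "alice", "roles": ["admin", "dev"]}, "cfg": Config()}
```

With the restricted resolver, a non-container object placed in the context is a dead end for path traversal, so internal fields stay unreachable even if such an object is added by mistake.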