Blame - tests/test_security.py - platform/external/python/jinja

blob: 6b8a5db56f1f4575e60978dd4b9d3c4ec1e6d47a [file] [log] [blame]

Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	1	# -- coding: utf-8 --
				2	"""
				3	unit test for security features
				4	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
				5
Armin Ronacher	62ccd1b	2009-01-04 14:26:19 +0100	[diff] [blame]	6	:copyright: (c) 2009 by the Jinja Team.
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	7	:license: BSD, see LICENSE for more details.
				8	"""
Armin Ronacher	5411ce7	2008-05-25 11:36:22 +0200	[diff] [blame]	9	from jinja2 import Environment
Armin Ronacher	6df604e	2008-05-23 22:18:38 +0200	[diff] [blame]	10	from jinja2.sandbox import SandboxedEnvironment, \
				11	ImmutableSandboxedEnvironment, unsafe
Armin Ronacher	4e6f9a2	2008-05-23 23:57:38 +0200	[diff] [blame]	12	from jinja2 import Markup, escape
Armin Ronacher	ccae055	2008-10-05 23:08:58 +0200	[diff] [blame]	13	from jinja2.exceptions import SecurityError, TemplateSyntaxError
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	14
				15
Rene Leonhardt	c7e6c6d	2009-04-20 23:08:53 +0200	[diff] [blame]	16	import conftest
				17	if conftest.NOSE:
				18	from nose.tools import assert_raises as raises
				19	import sys
				20	MODULE = sys.modules[__name__]
				21	else:
				22	from py.test import raises
				23
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	24	class PrivateStuff(object):
Armin Ronacher	4f7d2d5	2008-04-22 10:40:26 +0200	[diff] [blame]	25
				26	def bar(self):
				27	return 23
				28
				29	@unsafe
				30	def foo(self):
				31	return 42
				32
				33	def __repr__(self):
				34	return 'PrivateStuff'
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	35
				36
				37	class PublicStuff(object):
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	38	bar = lambda self: 23
Armin Ronacher	4f7d2d5	2008-04-22 10:40:26 +0200	[diff] [blame]	39	_foo = lambda self: 42
				40
				41	def __repr__(self):
				42	return 'PublicStuff'
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	43
				44
Rene Leonhardt	c7e6c6d	2009-04-20 23:08:53 +0200	[diff] [blame]	45	def test_unsafe():
				46	'''
Armin Ronacher	4f7d2d5	2008-04-22 10:40:26 +0200	[diff] [blame]	47	>>> env = MODULE.SandboxedEnvironment()
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	48	>>> env.from_string("{{ foo.foo() }}").render(foo=MODULE.PrivateStuff())
Armin Ronacher	4f7d2d5	2008-04-22 10:40:26 +0200	[diff] [blame]	49	Traceback (most recent call last):
				50	...
Armin Ronacher	5cdc1ac	2008-05-07 12:17:18 +0200	[diff] [blame]	51	SecurityError: <bound method PrivateStuff.foo of PrivateStuff> is not safely callable
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	52	>>> env.from_string("{{ foo.bar() }}").render(foo=MODULE.PrivateStuff())
				53	u'23'
				54
Armin Ronacher	4f7d2d5	2008-04-22 10:40:26 +0200	[diff] [blame]	55	>>> env.from_string("{{ foo._foo() }}").render(foo=MODULE.PublicStuff())
				56	Traceback (most recent call last):
				57	...
Armin Ronacher	5cdc1ac	2008-05-07 12:17:18 +0200	[diff] [blame]	58	SecurityError: access to attribute '_foo' of 'PublicStuff' object is unsafe.
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	59	>>> env.from_string("{{ foo.bar() }}").render(foo=MODULE.PublicStuff())
				60	u'23'
				61
				62	>>> env.from_string("{{ foo.__class__ }}").render(foo=42)
				63	u''
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	64	>>> env.from_string("{{ foo.func_code }}").render(foo=lambda:None)
				65	u''
Armin Ronacher	4f7d2d5	2008-04-22 10:40:26 +0200	[diff] [blame]	66	>>> env.from_string("{{ foo.__class__.__subclasses__() }}").render(foo=42)
				67	Traceback (most recent call last):
				68	...
Armin Ronacher	5cdc1ac	2008-05-07 12:17:18 +0200	[diff] [blame]	69	SecurityError: access to attribute '__class__' of 'int' object is unsafe.
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	70	'''
				71
				72
Armin Ronacher	ccae055	2008-10-05 23:08:58 +0200	[diff] [blame]	73	def test_restricted():
				74	env = SandboxedEnvironment()
				75	raises(TemplateSyntaxError, env.from_string,
				76	"{% for item.attribute in seq %}...{% endfor %}")
				77	raises(TemplateSyntaxError, env.from_string,
				78	"{% for foo, bar.baz in seq %}...{% endfor %}")
Armin Ronacher	6df604e	2008-05-23 22:18:38 +0200	[diff] [blame]	79
				80
Rene Leonhardt	c7e6c6d	2009-04-20 23:08:53 +0200	[diff] [blame]	81	def test_immutable_environment():
				82	'''
Armin Ronacher	6df604e	2008-05-23 22:18:38 +0200	[diff] [blame]	83	>>> env = MODULE.ImmutableSandboxedEnvironment()
				84	>>> env.from_string('{{ [].append(23) }}').render()
				85	Traceback (most recent call last):
				86	...
				87	SecurityError: access to attribute 'append' of 'list' object is unsafe.
				88	>>> env.from_string('{{ {1:2}.clear() }}').render()
				89	Traceback (most recent call last):
				90	...
				91	SecurityError: access to attribute 'clear' of 'dict' object is unsafe.
				92	'''
Armin Ronacher	4e6f9a2	2008-05-23 23:57:38 +0200	[diff] [blame]	93
Armin Ronacher	ccae055	2008-10-05 23:08:58 +0200	[diff] [blame]	94
Armin Ronacher	4e6f9a2	2008-05-23 23:57:38 +0200	[diff] [blame]	95	def test_markup_operations():
				96	# adding two strings should escape the unsafe one
				97	unsafe = '<script type="application/x-some-script">alert("foo");</script>'
				98	safe = Markup('<em>username</em>')
				99	assert unsafe + safe == unicode(escape(unsafe)) + unicode(safe)
				100
				101	# string interpolations are safe to use too
				102	assert Markup('<em>%s</em>') % '<bad user>' == \
				103	'<em><bad user></em>'
				104	assert Markup('<em>%(username)s</em>') % {
				105	'username': '<bad user>'
				106	} == '<em><bad user></em>'
				107
				108	# an escaped object is markup too
				109	assert type(Markup('foo') + 'bar') is Markup
				110
				111	# and it implements __html__ by returning itself
				112	x = Markup("foo")
				113	assert x.__html__() is x
				114
				115	# it also knows how to treat __html__ objects
				116	class Foo(object):
				117	def __html__(self):
				118	return '<em>awesome</em>'
				119	def __unicode__(self):
				120	return 'awesome'
				121	assert Markup(Foo()) == '<em>awesome</em>'
				122	assert Markup('<strong>%s</strong>') % Foo() == \
				123	'<strong><em>awesome</em></strong>'
Armin Ronacher	9cf9591	2008-05-24 19:54:43 +0200	[diff] [blame]	124
				125	# escaping and unescaping
				126	assert escape('"<>&\'') == '"<>&''
				127	assert Markup("<em>Foo & Bar</em>").striptags() == "Foo & Bar"
				128	assert Markup("<test>").unescape() == "<test>"
Armin Ronacher	5411ce7	2008-05-25 11:36:22 +0200	[diff] [blame]	129
				130
				131	def test_template_data():
				132	env = Environment(autoescape=True)
				133	t = env.from_string('{% macro say_hello(name) %}'
				134	'<p>Hello {{ name }}!</p>{% endmacro %}'
				135	'{{ say_hello("<blink>foo</blink>") }}')
				136	escaped_out = '<p>Hello <blink>foo</blink>!</p>'
				137	assert t.render() == escaped_out
				138	assert unicode(t.module) == escaped_out
				139	assert escape(t.module) == escaped_out
				140	assert t.module.say_hello('<blink>foo</blink>') == escaped_out
				141	assert escape(t.module.say_hello('<blink>foo</blink>')) == escaped_out
Armin Ronacher	24b6558	2008-05-26 13:35:58 +0200	[diff] [blame]	142
				143
				144	def test_attr_filter():
				145	env = SandboxedEnvironment()
				146	tmpl = env.from_string('{{ 42\|attr("__class__")\|attr("__subclasses__")() }}')
				147	raises(SecurityError, tmpl.render)