| Armin Ronacher | 644a281 | 2010-02-09 18:06:32 +0100 | [diff] [blame] | 1 | # -*- coding: utf-8 -*- |
| 2 | """ |
| 3 | jinja2.testsuite.security |
| 4 | ~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 5 | |
| 6 | Checks the sandbox and other security features. |
| 7 | |
| 8 | :copyright: (c) 2010 by the Jinja Team. |
| 9 | :license: BSD, see LICENSE for more details. |
| 10 | """ |
| 11 | import os |
| 12 | import time |
| 13 | import tempfile |
| 14 | import unittest |
| 15 | |
| 16 | from jinja2.testsuite import JinjaTestCase |
| 17 | |
| 18 | from jinja2 import Environment |
| 19 | from jinja2.sandbox import SandboxedEnvironment, \ |
| 20 | ImmutableSandboxedEnvironment, unsafe |
| 21 | from jinja2 import Markup, escape |
| 22 | from jinja2.exceptions import SecurityError, TemplateSyntaxError |
| 23 | |
| 24 | |
| 25 | class PrivateStuff(object): |
| 26 | |
| 27 | def bar(self): |
| 28 | return 23 |
| 29 | |
| 30 | @unsafe |
| 31 | def foo(self): |
| 32 | return 42 |
| 33 | |
| 34 | def __repr__(self): |
| 35 | return 'PrivateStuff' |
| 36 | |
| 37 | |
| 38 | class PublicStuff(object): |
| 39 | bar = lambda self: 23 |
| 40 | _foo = lambda self: 42 |
| 41 | |
| 42 | def __repr__(self): |
| 43 | return 'PublicStuff' |
| 44 | |
| 45 | |
| 46 | class SandboxTestCase(JinjaTestCase): |
| 47 | |
| 48 | def test_unsafe(self): |
| 49 | env = SandboxedEnvironment() |
| 50 | self.assert_raises(SecurityError, env.from_string("{{ foo.foo() }}").render, |
| 51 | foo=PrivateStuff()) |
| 52 | self.assert_equal(env.from_string("{{ foo.bar() }}").render(foo=PrivateStuff()), '23') |
| 53 | |
| 54 | self.assert_raises(SecurityError, env.from_string("{{ foo._foo() }}").render, |
| 55 | foo=PublicStuff()) |
| 56 | self.assert_equal(env.from_string("{{ foo.bar() }}").render(foo=PublicStuff()), '23') |
| 57 | self.assert_equal(env.from_string("{{ foo.__class__ }}").render(foo=42), '') |
| 58 | self.assert_equal(env.from_string("{{ foo.func_code }}").render(foo=lambda:None), '') |
| 59 | self.assert_raises(SecurityError, env.from_string( |
| 60 | "{{ foo.__class__.__subclasses__() }}").render, foo=42) |
| 61 | |
| Armin Ronacher | 1fb4269 | 2010-02-09 21:14:16 +0100 | [diff] [blame^] | 62 | def test_immutable_environment(self): |
| 63 | env = ImmutableSandboxedEnvironment() |
| 64 | self.assert_raises(SecurityError, env.from_string( |
| 65 | '{{ [].append(23) }}').render) |
| 66 | self.assert_raises(SecurityError, env.from_string( |
| 67 | '{{ {1:2}.clear() }}').render) |
| 68 | |
| Armin Ronacher | 644a281 | 2010-02-09 18:06:32 +0100 | [diff] [blame] | 69 | def test_restricted(self): |
| 70 | env = SandboxedEnvironment() |
| 71 | self.assert_raises(TemplateSyntaxError, env.from_string, |
| 72 | "{% for item.attribute in seq %}...{% endfor %}") |
| 73 | self.assert_raises(TemplateSyntaxError, env.from_string, |
| 74 | "{% for foo, bar.baz in seq %}...{% endfor %}") |
| 75 | |
| 76 | def test_markup_operations(self): |
| 77 | # adding two strings should escape the unsafe one |
| 78 | unsafe = '<script type="application/x-some-script">alert("foo");</script>' |
| 79 | safe = Markup('<em>username</em>') |
| 80 | assert unsafe + safe == unicode(escape(unsafe)) + unicode(safe) |
| 81 | |
| 82 | # string interpolations are safe to use too |
| 83 | assert Markup('<em>%s</em>') % '<bad user>' == \ |
| 84 | '<em><bad user></em>' |
| 85 | assert Markup('<em>%(username)s</em>') % { |
| 86 | 'username': '<bad user>' |
| 87 | } == '<em><bad user></em>' |
| 88 | |
| 89 | # an escaped object is markup too |
| 90 | assert type(Markup('foo') + 'bar') is Markup |
| 91 | |
| 92 | # and it implements __html__ by returning itself |
| 93 | x = Markup("foo") |
| 94 | assert x.__html__() is x |
| 95 | |
| 96 | # it also knows how to treat __html__ objects |
| 97 | class Foo(object): |
| 98 | def __html__(self): |
| 99 | return '<em>awesome</em>' |
| 100 | def __unicode__(self): |
| 101 | return 'awesome' |
| 102 | assert Markup(Foo()) == '<em>awesome</em>' |
| 103 | assert Markup('<strong>%s</strong>') % Foo() == \ |
| 104 | '<strong><em>awesome</em></strong>' |
| 105 | |
| 106 | # escaping and unescaping |
| 107 | assert escape('"<>&\'') == '"<>&'' |
| 108 | assert Markup("<em>Foo & Bar</em>").striptags() == "Foo & Bar" |
| 109 | assert Markup("<test>").unescape() == "<test>" |
| 110 | |
| 111 | |
| 112 | def test_template_data(self): |
| 113 | env = Environment(autoescape=True) |
| 114 | t = env.from_string('{% macro say_hello(name) %}' |
| 115 | '<p>Hello {{ name }}!</p>{% endmacro %}' |
| 116 | '{{ say_hello("<blink>foo</blink>") }}') |
| 117 | escaped_out = '<p>Hello <blink>foo</blink>!</p>' |
| 118 | assert t.render() == escaped_out |
| 119 | assert unicode(t.module) == escaped_out |
| 120 | assert escape(t.module) == escaped_out |
| 121 | assert t.module.say_hello('<blink>foo</blink>') == escaped_out |
| 122 | assert escape(t.module.say_hello('<blink>foo</blink>')) == escaped_out |
| 123 | |
| 124 | |
| 125 | def test_attr_filter(self): |
| 126 | env = SandboxedEnvironment() |
| 127 | tmpl = env.from_string('{{ 42|attr("__class__")|attr("__subclasses__")() }}') |
| 128 | self.assert_raises(SecurityError, tmpl.render) |
| 129 | |
| 130 | |
| 131 | def suite(): |
| 132 | suite = unittest.TestSuite() |
| 133 | suite.addTest(unittest.makeSuite(SandboxTestCase)) |
| 134 | return suite |