Blame - tests/test_security.py - platform/external/python/jinja

blob: 0cacf5f433bad20dba827ef56e5d188d63efa52b [file] [log] [blame]

Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	1	# -- coding: utf-8 --
				2	"""
				3	unit test for security features
				4	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
				5
				6	:copyright: 2007 by Armin Ronacher.
				7	:license: BSD, see LICENSE for more details.
				8	"""
Armin Ronacher	6df604e	2008-05-23 22:18:38 +0200	[diff] [blame]	9	from jinja2.sandbox import SandboxedEnvironment, \
				10	ImmutableSandboxedEnvironment, unsafe
Armin Ronacher	4e6f9a2	2008-05-23 23:57:38 +0200	[diff] [blame^]	11	from jinja2 import Markup, escape
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	12
				13
				14	class PrivateStuff(object):
Armin Ronacher	4f7d2d5	2008-04-22 10:40:26 +0200	[diff] [blame]	15
				16	def bar(self):
				17	return 23
				18
				19	@unsafe
				20	def foo(self):
				21	return 42
				22
				23	def __repr__(self):
				24	return 'PrivateStuff'
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	25
				26
				27	class PublicStuff(object):
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	28	bar = lambda self: 23
Armin Ronacher	4f7d2d5	2008-04-22 10:40:26 +0200	[diff] [blame]	29	_foo = lambda self: 42
				30
				31	def __repr__(self):
				32	return 'PublicStuff'
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	33
				34
				35	test_unsafe = '''
Armin Ronacher	4f7d2d5	2008-04-22 10:40:26 +0200	[diff] [blame]	36	>>> env = MODULE.SandboxedEnvironment()
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	37	>>> env.from_string("{{ foo.foo() }}").render(foo=MODULE.PrivateStuff())
Armin Ronacher	4f7d2d5	2008-04-22 10:40:26 +0200	[diff] [blame]	38	Traceback (most recent call last):
				39	...
Armin Ronacher	5cdc1ac	2008-05-07 12:17:18 +0200	[diff] [blame]	40	SecurityError: <bound method PrivateStuff.foo of PrivateStuff> is not safely callable
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	41	>>> env.from_string("{{ foo.bar() }}").render(foo=MODULE.PrivateStuff())
				42	u'23'
				43
Armin Ronacher	4f7d2d5	2008-04-22 10:40:26 +0200	[diff] [blame]	44	>>> env.from_string("{{ foo._foo() }}").render(foo=MODULE.PublicStuff())
				45	Traceback (most recent call last):
				46	...
Armin Ronacher	5cdc1ac	2008-05-07 12:17:18 +0200	[diff] [blame]	47	SecurityError: access to attribute '_foo' of 'PublicStuff' object is unsafe.
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	48	>>> env.from_string("{{ foo.bar() }}").render(foo=MODULE.PublicStuff())
				49	u'23'
				50
				51	>>> env.from_string("{{ foo.__class__ }}").render(foo=42)
				52	u''
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	53	>>> env.from_string("{{ foo.func_code }}").render(foo=lambda:None)
				54	u''
Armin Ronacher	4f7d2d5	2008-04-22 10:40:26 +0200	[diff] [blame]	55	>>> env.from_string("{{ foo.__class__.__subclasses__() }}").render(foo=42)
				56	Traceback (most recent call last):
				57	...
Armin Ronacher	5cdc1ac	2008-05-07 12:17:18 +0200	[diff] [blame]	58	SecurityError: access to attribute '__class__' of 'int' object is unsafe.
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	59	'''
				60
				61
				62	test_restricted = '''
Armin Ronacher	4f7d2d5	2008-04-22 10:40:26 +0200	[diff] [blame]	63	>>> env = MODULE.SandboxedEnvironment()
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	64	>>> env.from_string("{% for item.attribute in seq %}...{% endfor %}")
				65	Traceback (most recent call last):
				66	...
Armin Ronacher	09c002e	2008-05-10 22:21:30 +0200	[diff] [blame]	67	TemplateSyntaxError: expected token 'in', got '.' (line 1)
Armin Ronacher	ecc051b	2007-06-01 18:25:28 +0200	[diff] [blame]	68	>>> env.from_string("{% for foo, bar.baz in seq %}...{% endfor %}")
				69	Traceback (most recent call last):
				70	...
Armin Ronacher	09c002e	2008-05-10 22:21:30 +0200	[diff] [blame]	71	TemplateSyntaxError: expected token 'in', got '.' (line 1)
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	72	'''
Armin Ronacher	6df604e	2008-05-23 22:18:38 +0200	[diff] [blame]	73
				74
				75	test_immutable_environment = '''
				76	>>> env = MODULE.ImmutableSandboxedEnvironment()
				77	>>> env.from_string('{{ [].append(23) }}').render()
				78	Traceback (most recent call last):
				79	...
				80	SecurityError: access to attribute 'append' of 'list' object is unsafe.
				81	>>> env.from_string('{{ {1:2}.clear() }}').render()
				82	Traceback (most recent call last):
				83	...
				84	SecurityError: access to attribute 'clear' of 'dict' object is unsafe.
				85	'''
Armin Ronacher	4e6f9a2	2008-05-23 23:57:38 +0200	[diff] [blame^]	86
				87	def test_markup_operations():
				88	# adding two strings should escape the unsafe one
				89	unsafe = '<script type="application/x-some-script">alert("foo");</script>'
				90	safe = Markup('<em>username</em>')
				91	assert unsafe + safe == unicode(escape(unsafe)) + unicode(safe)
				92
				93	# string interpolations are safe to use too
				94	assert Markup('<em>%s</em>') % '<bad user>' == \
				95	'<em><bad user></em>'
				96	assert Markup('<em>%(username)s</em>') % {
				97	'username': '<bad user>'
				98	} == '<em><bad user></em>'
				99
				100	# an escaped object is markup too
				101	assert type(Markup('foo') + 'bar') is Markup
				102
				103	# and it implements __html__ by returning itself
				104	x = Markup("foo")
				105	assert x.__html__() is x
				106
				107	# it also knows how to treat __html__ objects
				108	class Foo(object):
				109	def __html__(self):
				110	return '<em>awesome</em>'
				111	def __unicode__(self):
				112	return 'awesome'
				113	assert Markup(Foo()) == '<em>awesome</em>'
				114	assert Markup('<strong>%s</strong>') % Foo() == \
				115	'<strong><em>awesome</em></strong>'