Blame - tests/test_security.py - platform/external/python/jinja

blob: 68b1515743923022c85549bda9bcfcc5aebd995e [file] [log] [blame]

Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	1	# -- coding: utf-8 --
				2	"""
				3	unit test for security features
				4	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
				5
				6	:copyright: 2007 by Armin Ronacher.
				7	:license: BSD, see LICENSE for more details.
				8	"""
Armin Ronacher	5411ce7	2008-05-25 11:36:22 +0200	[diff] [blame^]	9	from jinja2 import Environment
Armin Ronacher	6df604e	2008-05-23 22:18:38 +0200	[diff] [blame]	10	from jinja2.sandbox import SandboxedEnvironment, \
				11	ImmutableSandboxedEnvironment, unsafe
Armin Ronacher	4e6f9a2	2008-05-23 23:57:38 +0200	[diff] [blame]	12	from jinja2 import Markup, escape
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	13
				14
				15	class PrivateStuff(object):
Armin Ronacher	4f7d2d5	2008-04-22 10:40:26 +0200	[diff] [blame]	16
				17	def bar(self):
				18	return 23
				19
				20	@unsafe
				21	def foo(self):
				22	return 42
				23
				24	def __repr__(self):
				25	return 'PrivateStuff'
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	26
				27
				28	class PublicStuff(object):
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	29	bar = lambda self: 23
Armin Ronacher	4f7d2d5	2008-04-22 10:40:26 +0200	[diff] [blame]	30	_foo = lambda self: 42
				31
				32	def __repr__(self):
				33	return 'PublicStuff'
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	34
				35
				36	test_unsafe = '''
Armin Ronacher	4f7d2d5	2008-04-22 10:40:26 +0200	[diff] [blame]	37	>>> env = MODULE.SandboxedEnvironment()
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	38	>>> env.from_string("{{ foo.foo() }}").render(foo=MODULE.PrivateStuff())
Armin Ronacher	4f7d2d5	2008-04-22 10:40:26 +0200	[diff] [blame]	39	Traceback (most recent call last):
				40	...
Armin Ronacher	5cdc1ac	2008-05-07 12:17:18 +0200	[diff] [blame]	41	SecurityError: <bound method PrivateStuff.foo of PrivateStuff> is not safely callable
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	42	>>> env.from_string("{{ foo.bar() }}").render(foo=MODULE.PrivateStuff())
				43	u'23'
				44
Armin Ronacher	4f7d2d5	2008-04-22 10:40:26 +0200	[diff] [blame]	45	>>> env.from_string("{{ foo._foo() }}").render(foo=MODULE.PublicStuff())
				46	Traceback (most recent call last):
				47	...
Armin Ronacher	5cdc1ac	2008-05-07 12:17:18 +0200	[diff] [blame]	48	SecurityError: access to attribute '_foo' of 'PublicStuff' object is unsafe.
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	49	>>> env.from_string("{{ foo.bar() }}").render(foo=MODULE.PublicStuff())
				50	u'23'
				51
				52	>>> env.from_string("{{ foo.__class__ }}").render(foo=42)
				53	u''
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	54	>>> env.from_string("{{ foo.func_code }}").render(foo=lambda:None)
				55	u''
Armin Ronacher	4f7d2d5	2008-04-22 10:40:26 +0200	[diff] [blame]	56	>>> env.from_string("{{ foo.__class__.__subclasses__() }}").render(foo=42)
				57	Traceback (most recent call last):
				58	...
Armin Ronacher	5cdc1ac	2008-05-07 12:17:18 +0200	[diff] [blame]	59	SecurityError: access to attribute '__class__' of 'int' object is unsafe.
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	60	'''
				61
				62
				63	test_restricted = '''
Armin Ronacher	4f7d2d5	2008-04-22 10:40:26 +0200	[diff] [blame]	64	>>> env = MODULE.SandboxedEnvironment()
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	65	>>> env.from_string("{% for item.attribute in seq %}...{% endfor %}")
				66	Traceback (most recent call last):
				67	...
Armin Ronacher	09c002e	2008-05-10 22:21:30 +0200	[diff] [blame]	68	TemplateSyntaxError: expected token 'in', got '.' (line 1)
Armin Ronacher	ecc051b	2007-06-01 18:25:28 +0200	[diff] [blame]	69	>>> env.from_string("{% for foo, bar.baz in seq %}...{% endfor %}")
				70	Traceback (most recent call last):
				71	...
Armin Ronacher	09c002e	2008-05-10 22:21:30 +0200	[diff] [blame]	72	TemplateSyntaxError: expected token 'in', got '.' (line 1)
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	73	'''
Armin Ronacher	6df604e	2008-05-23 22:18:38 +0200	[diff] [blame]	74
				75
				76	test_immutable_environment = '''
				77	>>> env = MODULE.ImmutableSandboxedEnvironment()
				78	>>> env.from_string('{{ [].append(23) }}').render()
				79	Traceback (most recent call last):
				80	...
				81	SecurityError: access to attribute 'append' of 'list' object is unsafe.
				82	>>> env.from_string('{{ {1:2}.clear() }}').render()
				83	Traceback (most recent call last):
				84	...
				85	SecurityError: access to attribute 'clear' of 'dict' object is unsafe.
				86	'''
Armin Ronacher	4e6f9a2	2008-05-23 23:57:38 +0200	[diff] [blame]	87
				88	def test_markup_operations():
				89	# adding two strings should escape the unsafe one
				90	unsafe = '<script type="application/x-some-script">alert("foo");</script>'
				91	safe = Markup('<em>username</em>')
				92	assert unsafe + safe == unicode(escape(unsafe)) + unicode(safe)
				93
				94	# string interpolations are safe to use too
				95	assert Markup('<em>%s</em>') % '<bad user>' == \
				96	'<em><bad user></em>'
				97	assert Markup('<em>%(username)s</em>') % {
				98	'username': '<bad user>'
				99	} == '<em><bad user></em>'
				100
				101	# an escaped object is markup too
				102	assert type(Markup('foo') + 'bar') is Markup
				103
				104	# and it implements __html__ by returning itself
				105	x = Markup("foo")
				106	assert x.__html__() is x
				107
				108	# it also knows how to treat __html__ objects
				109	class Foo(object):
				110	def __html__(self):
				111	return '<em>awesome</em>'
				112	def __unicode__(self):
				113	return 'awesome'
				114	assert Markup(Foo()) == '<em>awesome</em>'
				115	assert Markup('<strong>%s</strong>') % Foo() == \
				116	'<strong><em>awesome</em></strong>'
Armin Ronacher	9cf9591	2008-05-24 19:54:43 +0200	[diff] [blame]	117
				118	# escaping and unescaping
				119	assert escape('"<>&\'') == '"<>&''
				120	assert Markup("<em>Foo & Bar</em>").striptags() == "Foo & Bar"
				121	assert Markup("<test>").unescape() == "<test>"
Armin Ronacher	5411ce7	2008-05-25 11:36:22 +0200	[diff] [blame^]	122
				123
				124	def test_template_data():
				125	env = Environment(autoescape=True)
				126	t = env.from_string('{% macro say_hello(name) %}'
				127	'<p>Hello {{ name }}!</p>{% endmacro %}'
				128	'{{ say_hello("<blink>foo</blink>") }}')
				129	escaped_out = '<p>Hello <blink>foo</blink>!</p>'
				130	assert t.render() == escaped_out
				131	assert unicode(t.module) == escaped_out
				132	assert escape(t.module) == escaped_out
				133	assert t.module.say_hello('<blink>foo</blink>') == escaped_out
				134	assert escape(t.module.say_hello('<blink>foo</blink>')) == escaped_out