| Armin Ronacher | 644a281 | 2010-02-09 18:06:32 +0100 | [diff] [blame] | 1 | # -*- coding: utf-8 -*- |
| 2 | """ |
| 3 | jinja2.testsuite.security |
| 4 | ~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 5 | |
| 6 | Checks the sandbox and other security features. |
| 7 | |
| 8 | :copyright: (c) 2010 by the Jinja Team. |
| 9 | :license: BSD, see LICENSE for more details. |
| 10 | """ |
| 11 | import os |
| 12 | import time |
| 13 | import tempfile |
| 14 | import unittest |
| 15 | |
| 16 | from jinja2.testsuite import JinjaTestCase |
| 17 | |
| 18 | from jinja2 import Environment |
| 19 | from jinja2.sandbox import SandboxedEnvironment, \ |
| 20 | ImmutableSandboxedEnvironment, unsafe |
| 21 | from jinja2 import Markup, escape |
| 22 | from jinja2.exceptions import SecurityError, TemplateSyntaxError |
| 23 | |
| 24 | |
| 25 | class PrivateStuff(object): |
| 26 | |
| 27 | def bar(self): |
| 28 | return 23 |
| 29 | |
| 30 | @unsafe |
| 31 | def foo(self): |
| 32 | return 42 |
| 33 | |
| 34 | def __repr__(self): |
| 35 | return 'PrivateStuff' |
| 36 | |
| 37 | |
| 38 | class PublicStuff(object): |
| 39 | bar = lambda self: 23 |
| 40 | _foo = lambda self: 42 |
| 41 | |
| 42 | def __repr__(self): |
| 43 | return 'PublicStuff' |
| 44 | |
| 45 | |
| 46 | class SandboxTestCase(JinjaTestCase): |
| 47 | |
| 48 | def test_unsafe(self): |
| 49 | env = SandboxedEnvironment() |
| 50 | self.assert_raises(SecurityError, env.from_string("{{ foo.foo() }}").render, |
| 51 | foo=PrivateStuff()) |
| 52 | self.assert_equal(env.from_string("{{ foo.bar() }}").render(foo=PrivateStuff()), '23') |
| 53 | |
| 54 | self.assert_raises(SecurityError, env.from_string("{{ foo._foo() }}").render, |
| 55 | foo=PublicStuff()) |
| 56 | self.assert_equal(env.from_string("{{ foo.bar() }}").render(foo=PublicStuff()), '23') |
| 57 | self.assert_equal(env.from_string("{{ foo.__class__ }}").render(foo=42), '') |
| 58 | self.assert_equal(env.from_string("{{ foo.func_code }}").render(foo=lambda:None), '') |
| Armin Ronacher | 6a3e95d | 2010-11-19 13:51:38 +0100 | [diff] [blame^] | 59 | # security error comes from __class__ already. |
| Armin Ronacher | 644a281 | 2010-02-09 18:06:32 +0100 | [diff] [blame] | 60 | self.assert_raises(SecurityError, env.from_string( |
| 61 | "{{ foo.__class__.__subclasses__() }}").render, foo=42) |
| 62 | |
| Armin Ronacher | 1fb4269 | 2010-02-09 21:14:16 +0100 | [diff] [blame] | 63 | def test_immutable_environment(self): |
| 64 | env = ImmutableSandboxedEnvironment() |
| 65 | self.assert_raises(SecurityError, env.from_string( |
| 66 | '{{ [].append(23) }}').render) |
| 67 | self.assert_raises(SecurityError, env.from_string( |
| 68 | '{{ {1:2}.clear() }}').render) |
| 69 | |
| Armin Ronacher | 644a281 | 2010-02-09 18:06:32 +0100 | [diff] [blame] | 70 | def test_restricted(self): |
| 71 | env = SandboxedEnvironment() |
| 72 | self.assert_raises(TemplateSyntaxError, env.from_string, |
| 73 | "{% for item.attribute in seq %}...{% endfor %}") |
| 74 | self.assert_raises(TemplateSyntaxError, env.from_string, |
| 75 | "{% for foo, bar.baz in seq %}...{% endfor %}") |
| 76 | |
| 77 | def test_markup_operations(self): |
| 78 | # adding two strings should escape the unsafe one |
| 79 | unsafe = '<script type="application/x-some-script">alert("foo");</script>' |
| 80 | safe = Markup('<em>username</em>') |
| 81 | assert unsafe + safe == unicode(escape(unsafe)) + unicode(safe) |
| 82 | |
| 83 | # string interpolations are safe to use too |
| 84 | assert Markup('<em>%s</em>') % '<bad user>' == \ |
| 85 | '<em><bad user></em>' |
| 86 | assert Markup('<em>%(username)s</em>') % { |
| 87 | 'username': '<bad user>' |
| 88 | } == '<em><bad user></em>' |
| 89 | |
| 90 | # an escaped object is markup too |
| 91 | assert type(Markup('foo') + 'bar') is Markup |
| 92 | |
| 93 | # and it implements __html__ by returning itself |
| 94 | x = Markup("foo") |
| 95 | assert x.__html__() is x |
| 96 | |
| 97 | # it also knows how to treat __html__ objects |
| 98 | class Foo(object): |
| 99 | def __html__(self): |
| 100 | return '<em>awesome</em>' |
| 101 | def __unicode__(self): |
| 102 | return 'awesome' |
| 103 | assert Markup(Foo()) == '<em>awesome</em>' |
| 104 | assert Markup('<strong>%s</strong>') % Foo() == \ |
| 105 | '<strong><em>awesome</em></strong>' |
| 106 | |
| 107 | # escaping and unescaping |
| 108 | assert escape('"<>&\'') == '"<>&'' |
| 109 | assert Markup("<em>Foo & Bar</em>").striptags() == "Foo & Bar" |
| 110 | assert Markup("<test>").unescape() == "<test>" |
| 111 | |
| Armin Ronacher | 644a281 | 2010-02-09 18:06:32 +0100 | [diff] [blame] | 112 | def test_template_data(self): |
| 113 | env = Environment(autoescape=True) |
| 114 | t = env.from_string('{% macro say_hello(name) %}' |
| 115 | '<p>Hello {{ name }}!</p>{% endmacro %}' |
| 116 | '{{ say_hello("<blink>foo</blink>") }}') |
| 117 | escaped_out = '<p>Hello <blink>foo</blink>!</p>' |
| 118 | assert t.render() == escaped_out |
| 119 | assert unicode(t.module) == escaped_out |
| 120 | assert escape(t.module) == escaped_out |
| 121 | assert t.module.say_hello('<blink>foo</blink>') == escaped_out |
| 122 | assert escape(t.module.say_hello('<blink>foo</blink>')) == escaped_out |
| 123 | |
| Armin Ronacher | 644a281 | 2010-02-09 18:06:32 +0100 | [diff] [blame] | 124 | def test_attr_filter(self): |
| 125 | env = SandboxedEnvironment() |
| Armin Ronacher | 6a3e95d | 2010-11-19 13:51:38 +0100 | [diff] [blame^] | 126 | tmpl = env.from_string('{{ cls|attr("__subclasses__")() }}') |
| 127 | self.assert_raises(SecurityError, tmpl.render, cls=int) |
| Armin Ronacher | 644a281 | 2010-02-09 18:06:32 +0100 | [diff] [blame] | 128 | |
| 129 | |
| 130 | def suite(): |
| 131 | suite = unittest.TestSuite() |
| 132 | suite.addTest(unittest.makeSuite(SandboxTestCase)) |
| 133 | return suite |