Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / jinja / 9d8ff9e497248df574c63b578bf73f41fd4b621b / . / tests / test_security.py
blob: 9d910b646485aa5bd8ea395258b6caef80143d89 [file] [log] [blame]
Armin Ronacherccf284b2007-05-21 16:44:26 +0200[diff] [blame]1# -*- coding: utf-8 -*-
2"""
3 unit test for security features
4 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
5
Armin Ronacher62ccd1b2009-01-04 14:26:19 +0100[diff] [blame]6 :copyright: (c) 2009 by the Jinja Team.
Armin Ronacherccf284b2007-05-21 16:44:26 +0200[diff] [blame]7 :license: BSD, see LICENSE for more details.
8"""
Armin Ronacher5411ce72008-05-25 11:36:22 +0200[diff] [blame]9from jinja2 import Environment
Armin Ronacher6df604e2008-05-23 22:18:38 +0200[diff] [blame]10from jinja2.sandbox import SandboxedEnvironment, \
11 ImmutableSandboxedEnvironment, unsafe
Armin Ronacher4e6f9a22008-05-23 23:57:38 +0200[diff] [blame]12from jinja2 import Markup, escape
Armin Ronacherccae0552008-10-05 23:08:58 +0200[diff] [blame]13from jinja2.exceptions import SecurityError, TemplateSyntaxError
Armin Ronacherccf284b2007-05-21 16:44:26 +0200[diff] [blame]14
15
Armin Ronacher42979eb2009-07-26 11:08:50 +0200[diff] [blame]16from nose.tools import assert_raises
Rene Leonhardtc7e6c6d2009-04-20 23:08:53 +0200[diff] [blame]17
Armin Ronacherccf284b2007-05-21 16:44:26 +0200[diff] [blame]18class PrivateStuff(object):
Armin Ronacher4f7d2d52008-04-22 10:40:26 +0200[diff] [blame]19
20 def bar(self):
21 return 23
22
23 @unsafe
24 def foo(self):
25 return 42
26
27 def __repr__(self):
28 return 'PrivateStuff'
Armin Ronacherccf284b2007-05-21 16:44:26 +0200[diff] [blame]29
30
31class PublicStuff(object):
Armin Ronacherccf284b2007-05-21 16:44:26 +0200[diff] [blame]32 bar = lambda self: 23
Armin Ronacher4f7d2d52008-04-22 10:40:26 +0200[diff] [blame]33 _foo = lambda self: 42
34
35 def __repr__(self):
36 return 'PublicStuff'
Armin Ronacherccf284b2007-05-21 16:44:26 +0200[diff] [blame]37
38
Rene Leonhardtc7e6c6d2009-04-20 23:08:53 +0200[diff] [blame]39def test_unsafe():
40 '''
Armin Ronacher42979eb2009-07-26 11:08:50 +0200[diff] [blame]41>>> env = SandboxedEnvironment()
42>>> env.from_string("{{ foo.foo() }}").render(foo=PrivateStuff())
Armin Ronacher4f7d2d52008-04-22 10:40:26 +0200[diff] [blame]43Traceback (most recent call last):
44 ...
Armin Ronacher5cdc1ac2008-05-07 12:17:18 +0200[diff] [blame]45SecurityError: <bound method PrivateStuff.foo of PrivateStuff> is not safely callable
Armin Ronacher42979eb2009-07-26 11:08:50 +0200[diff] [blame]46>>> env.from_string("{{ foo.bar() }}").render(foo=PrivateStuff())
Armin Ronacherccf284b2007-05-21 16:44:26 +0200[diff] [blame]47u'23'
48
Armin Ronacher42979eb2009-07-26 11:08:50 +0200[diff] [blame]49>>> env.from_string("{{ foo._foo() }}").render(foo=PublicStuff())
Armin Ronacher4f7d2d52008-04-22 10:40:26 +0200[diff] [blame]50Traceback (most recent call last):
51 ...
Armin Ronacher5cdc1ac2008-05-07 12:17:18 +0200[diff] [blame]52SecurityError: access to attribute '_foo' of 'PublicStuff' object is unsafe.
Armin Ronacher42979eb2009-07-26 11:08:50 +0200[diff] [blame]53>>> env.from_string("{{ foo.bar() }}").render(foo=PublicStuff())
Armin Ronacherccf284b2007-05-21 16:44:26 +0200[diff] [blame]54u'23'
55
56>>> env.from_string("{{ foo.__class__ }}").render(foo=42)
57u''
Armin Ronacherccf284b2007-05-21 16:44:26 +0200[diff] [blame]58>>> env.from_string("{{ foo.func_code }}").render(foo=lambda:None)
59u''
Armin Ronacher4f7d2d52008-04-22 10:40:26 +0200[diff] [blame]60>>> env.from_string("{{ foo.__class__.__subclasses__() }}").render(foo=42)
61Traceback (most recent call last):
62 ...
Armin Ronacher5cdc1ac2008-05-07 12:17:18 +0200[diff] [blame]63SecurityError: access to attribute '__class__' of 'int' object is unsafe.
Armin Ronacherccf284b2007-05-21 16:44:26 +0200[diff] [blame]64'''
65
66
Armin Ronacherccae0552008-10-05 23:08:58 +0200[diff] [blame]67def test_restricted():
68 env = SandboxedEnvironment()
Armin Ronacher42979eb2009-07-26 11:08:50 +0200[diff] [blame]69 assert_raises(TemplateSyntaxError, env.from_string,
70 "{% for item.attribute in seq %}...{% endfor %}")
71 assert_raises(TemplateSyntaxError, env.from_string,
72 "{% for foo, bar.baz in seq %}...{% endfor %}")
Armin Ronacher6df604e2008-05-23 22:18:38 +0200[diff] [blame]73
74
Rene Leonhardtc7e6c6d2009-04-20 23:08:53 +0200[diff] [blame]75def test_immutable_environment():
76 '''
Armin Ronacher42979eb2009-07-26 11:08:50 +0200[diff] [blame]77>>> env = ImmutableSandboxedEnvironment()
Armin Ronacher6df604e2008-05-23 22:18:38 +0200[diff] [blame]78>>> env.from_string('{{ [].append(23) }}').render()
79Traceback (most recent call last):
80 ...
81SecurityError: access to attribute 'append' of 'list' object is unsafe.
82>>> env.from_string('{{ {1:2}.clear() }}').render()
83Traceback (most recent call last):
84 ...
85SecurityError: access to attribute 'clear' of 'dict' object is unsafe.
86'''
Armin Ronacher4e6f9a22008-05-23 23:57:38 +0200[diff] [blame]87
Armin Ronacherccae0552008-10-05 23:08:58 +0200[diff] [blame]88
Armin Ronacher4e6f9a22008-05-23 23:57:38 +0200[diff] [blame]89def test_markup_operations():
90 # adding two strings should escape the unsafe one
91 unsafe = '<script type="application/x-some-script">alert("foo");</script>'
92 safe = Markup('<em>username</em>')
93 assert unsafe + safe == unicode(escape(unsafe)) + unicode(safe)
94
95 # string interpolations are safe to use too
96 assert Markup('<em>%s</em>') % '<bad user>' == \
97 '<em>&lt;bad user&gt;</em>'
98 assert Markup('<em>%(username)s</em>') % {
99 'username': '<bad user>'
100 } == '<em>&lt;bad user&gt;</em>'
101
102 # an escaped object is markup too
103 assert type(Markup('foo') + 'bar') is Markup
104
105 # and it implements __html__ by returning itself
106 x = Markup("foo")
107 assert x.__html__() is x
108
109 # it also knows how to treat __html__ objects
110 class Foo(object):
111 def __html__(self):
112 return '<em>awesome</em>'
113 def __unicode__(self):
114 return 'awesome'
115 assert Markup(Foo()) == '<em>awesome</em>'
116 assert Markup('<strong>%s</strong>') % Foo() == \
117 '<strong><em>awesome</em></strong>'
Armin Ronacher9cf95912008-05-24 19:54:43 +0200[diff] [blame]118
119 # escaping and unescaping
120 assert escape('"<>&\'') == '&#34;&lt;&gt;&amp;&#39;'
121 assert Markup("<em>Foo &amp; Bar</em>").striptags() == "Foo & Bar"
122 assert Markup("&lt;test&gt;").unescape() == "<test>"
Armin Ronacher5411ce72008-05-25 11:36:22 +0200[diff] [blame]123
124
125def test_template_data():
126 env = Environment(autoescape=True)
127 t = env.from_string('{% macro say_hello(name) %}'
128 '<p>Hello {{ name }}!</p>{% endmacro %}'
129 '{{ say_hello("<blink>foo</blink>") }}')
130 escaped_out = '<p>Hello &lt;blink&gt;foo&lt;/blink&gt;!</p>'
131 assert t.render() == escaped_out
132 assert unicode(t.module) == escaped_out
133 assert escape(t.module) == escaped_out
134 assert t.module.say_hello('<blink>foo</blink>') == escaped_out
135 assert escape(t.module.say_hello('<blink>foo</blink>')) == escaped_out
Armin Ronacher24b65582008-05-26 13:35:58 +0200[diff] [blame]136
137
138def test_attr_filter():
139 env = SandboxedEnvironment()
140 tmpl = env.from_string('{{ 42|attr("__class__")|attr("__subclasses__")() }}')
Armin Ronacher42979eb2009-07-26 11:08:50 +0200[diff] [blame]141 assert_raises(SecurityError, tmpl.render)