Armin Ronacher | ccf284b | 2007-05-21 16:44:26 +0200 | [diff] [blame] | 1 | # -*- coding: utf-8 -*- |
| 2 | """ |
| 3 | unit test for security features |
| 4 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 5 | |
| 6 | :copyright: 2007 by Armin Ronacher. |
| 7 | :license: BSD, see LICENSE for more details. |
| 8 | """ |
Armin Ronacher | 4f7d2d5 | 2008-04-22 10:40:26 +0200 | [diff] [blame] | 9 | from jinja2.sandbox import SandboxedEnvironment, unsafe |
Armin Ronacher | ccf284b | 2007-05-21 16:44:26 +0200 | [diff] [blame] | 10 | |
| 11 | |
| 12 | class PrivateStuff(object): |
Armin Ronacher | 4f7d2d5 | 2008-04-22 10:40:26 +0200 | [diff] [blame] | 13 | |
| 14 | def bar(self): |
| 15 | return 23 |
| 16 | |
| 17 | @unsafe |
| 18 | def foo(self): |
| 19 | return 42 |
| 20 | |
| 21 | def __repr__(self): |
| 22 | return 'PrivateStuff' |
Armin Ronacher | ccf284b | 2007-05-21 16:44:26 +0200 | [diff] [blame] | 23 | |
| 24 | |
| 25 | class PublicStuff(object): |
Armin Ronacher | ccf284b | 2007-05-21 16:44:26 +0200 | [diff] [blame] | 26 | bar = lambda self: 23 |
Armin Ronacher | 4f7d2d5 | 2008-04-22 10:40:26 +0200 | [diff] [blame] | 27 | _foo = lambda self: 42 |
| 28 | |
| 29 | def __repr__(self): |
| 30 | return 'PublicStuff' |
Armin Ronacher | ccf284b | 2007-05-21 16:44:26 +0200 | [diff] [blame] | 31 | |
| 32 | |
| 33 | test_unsafe = ''' |
Armin Ronacher | 4f7d2d5 | 2008-04-22 10:40:26 +0200 | [diff] [blame] | 34 | >>> env = MODULE.SandboxedEnvironment() |
Armin Ronacher | ccf284b | 2007-05-21 16:44:26 +0200 | [diff] [blame] | 35 | >>> env.from_string("{{ foo.foo() }}").render(foo=MODULE.PrivateStuff()) |
Armin Ronacher | 4f7d2d5 | 2008-04-22 10:40:26 +0200 | [diff] [blame] | 36 | Traceback (most recent call last): |
| 37 | ... |
Armin Ronacher | 5cdc1ac | 2008-05-07 12:17:18 +0200 | [diff] [blame] | 38 | SecurityError: <bound method PrivateStuff.foo of PrivateStuff> is not safely callable |
Armin Ronacher | ccf284b | 2007-05-21 16:44:26 +0200 | [diff] [blame] | 39 | >>> env.from_string("{{ foo.bar() }}").render(foo=MODULE.PrivateStuff()) |
| 40 | u'23' |
| 41 | |
Armin Ronacher | 4f7d2d5 | 2008-04-22 10:40:26 +0200 | [diff] [blame] | 42 | >>> env.from_string("{{ foo._foo() }}").render(foo=MODULE.PublicStuff()) |
| 43 | Traceback (most recent call last): |
| 44 | ... |
Armin Ronacher | 5cdc1ac | 2008-05-07 12:17:18 +0200 | [diff] [blame] | 45 | SecurityError: access to attribute '_foo' of 'PublicStuff' object is unsafe. |
Armin Ronacher | ccf284b | 2007-05-21 16:44:26 +0200 | [diff] [blame] | 46 | >>> env.from_string("{{ foo.bar() }}").render(foo=MODULE.PublicStuff()) |
| 47 | u'23' |
| 48 | |
| 49 | >>> env.from_string("{{ foo.__class__ }}").render(foo=42) |
| 50 | u'' |
Armin Ronacher | ccf284b | 2007-05-21 16:44:26 +0200 | [diff] [blame] | 51 | >>> env.from_string("{{ foo.func_code }}").render(foo=lambda:None) |
| 52 | u'' |
Armin Ronacher | 4f7d2d5 | 2008-04-22 10:40:26 +0200 | [diff] [blame] | 53 | >>> env.from_string("{{ foo.__class__.__subclasses__() }}").render(foo=42) |
| 54 | Traceback (most recent call last): |
| 55 | ... |
Armin Ronacher | 5cdc1ac | 2008-05-07 12:17:18 +0200 | [diff] [blame] | 56 | SecurityError: access to attribute '__class__' of 'int' object is unsafe. |
Armin Ronacher | ccf284b | 2007-05-21 16:44:26 +0200 | [diff] [blame] | 57 | ''' |
| 58 | |
| 59 | |
| 60 | test_restricted = ''' |
Armin Ronacher | 4f7d2d5 | 2008-04-22 10:40:26 +0200 | [diff] [blame] | 61 | >>> env = MODULE.SandboxedEnvironment() |
Armin Ronacher | ccf284b | 2007-05-21 16:44:26 +0200 | [diff] [blame] | 62 | >>> env.from_string("{% for item.attribute in seq %}...{% endfor %}") |
| 63 | Traceback (most recent call last): |
| 64 | ... |
Armin Ronacher | 09c002e | 2008-05-10 22:21:30 +0200 | [diff] [blame] | 65 | TemplateSyntaxError: expected token 'in', got '.' (line 1) |
Armin Ronacher | ecc051b | 2007-06-01 18:25:28 +0200 | [diff] [blame] | 66 | >>> env.from_string("{% for foo, bar.baz in seq %}...{% endfor %}") |
| 67 | Traceback (most recent call last): |
| 68 | ... |
Armin Ronacher | 09c002e | 2008-05-10 22:21:30 +0200 | [diff] [blame] | 69 | TemplateSyntaxError: expected token 'in', got '.' (line 1) |
Armin Ronacher | ccf284b | 2007-05-21 16:44:26 +0200 | [diff] [blame] | 70 | ''' |