Blame - tests/test_security.py - platform/external/python/jinja

blob: 7c812c0942e357beccce07763e96d8cbacd9139a [file] [log] [blame]

Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	1	# -- coding: utf-8 --
				2	"""
				3	unit test for security features
				4	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
				5
				6	:copyright: 2007 by Armin Ronacher.
				7	:license: BSD, see LICENSE for more details.
				8	"""
Armin Ronacher	24b6558	2008-05-26 13:35:58 +0200	[diff] [blame]	9	from py.test import raises
Armin Ronacher	5411ce7	2008-05-25 11:36:22 +0200	[diff] [blame]	10	from jinja2 import Environment
Armin Ronacher	6df604e	2008-05-23 22:18:38 +0200	[diff] [blame]	11	from jinja2.sandbox import SandboxedEnvironment, \
				12	ImmutableSandboxedEnvironment, unsafe
Armin Ronacher	4e6f9a2	2008-05-23 23:57:38 +0200	[diff] [blame]	13	from jinja2 import Markup, escape
Armin Ronacher	24b6558	2008-05-26 13:35:58 +0200	[diff] [blame]	14	from jinja2.exceptions import SecurityError
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	15
				16
				17	class PrivateStuff(object):
Armin Ronacher	4f7d2d5	2008-04-22 10:40:26 +0200	[diff] [blame]	18
				19	def bar(self):
				20	return 23
				21
				22	@unsafe
				23	def foo(self):
				24	return 42
				25
				26	def __repr__(self):
				27	return 'PrivateStuff'
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	28
				29
				30	class PublicStuff(object):
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	31	bar = lambda self: 23
Armin Ronacher	4f7d2d5	2008-04-22 10:40:26 +0200	[diff] [blame]	32	_foo = lambda self: 42
				33
				34	def __repr__(self):
				35	return 'PublicStuff'
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	36
				37
				38	test_unsafe = '''
Armin Ronacher	4f7d2d5	2008-04-22 10:40:26 +0200	[diff] [blame]	39	>>> env = MODULE.SandboxedEnvironment()
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	40	>>> env.from_string("{{ foo.foo() }}").render(foo=MODULE.PrivateStuff())
Armin Ronacher	4f7d2d5	2008-04-22 10:40:26 +0200	[diff] [blame]	41	Traceback (most recent call last):
				42	...
Armin Ronacher	5cdc1ac	2008-05-07 12:17:18 +0200	[diff] [blame]	43	SecurityError: <bound method PrivateStuff.foo of PrivateStuff> is not safely callable
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	44	>>> env.from_string("{{ foo.bar() }}").render(foo=MODULE.PrivateStuff())
				45	u'23'
				46
Armin Ronacher	4f7d2d5	2008-04-22 10:40:26 +0200	[diff] [blame]	47	>>> env.from_string("{{ foo._foo() }}").render(foo=MODULE.PublicStuff())
				48	Traceback (most recent call last):
				49	...
Armin Ronacher	5cdc1ac	2008-05-07 12:17:18 +0200	[diff] [blame]	50	SecurityError: access to attribute '_foo' of 'PublicStuff' object is unsafe.
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	51	>>> env.from_string("{{ foo.bar() }}").render(foo=MODULE.PublicStuff())
				52	u'23'
				53
				54	>>> env.from_string("{{ foo.__class__ }}").render(foo=42)
				55	u''
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	56	>>> env.from_string("{{ foo.func_code }}").render(foo=lambda:None)
				57	u''
Armin Ronacher	4f7d2d5	2008-04-22 10:40:26 +0200	[diff] [blame]	58	>>> env.from_string("{{ foo.__class__.__subclasses__() }}").render(foo=42)
				59	Traceback (most recent call last):
				60	...
Armin Ronacher	5cdc1ac	2008-05-07 12:17:18 +0200	[diff] [blame]	61	SecurityError: access to attribute '__class__' of 'int' object is unsafe.
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	62	'''
				63
				64
				65	test_restricted = '''
Armin Ronacher	4f7d2d5	2008-04-22 10:40:26 +0200	[diff] [blame]	66	>>> env = MODULE.SandboxedEnvironment()
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	67	>>> env.from_string("{% for item.attribute in seq %}...{% endfor %}")
				68	Traceback (most recent call last):
				69	...
Armin Ronacher	09c002e	2008-05-10 22:21:30 +0200	[diff] [blame]	70	TemplateSyntaxError: expected token 'in', got '.' (line 1)
Armin Ronacher	ecc051b	2007-06-01 18:25:28 +0200	[diff] [blame]	71	>>> env.from_string("{% for foo, bar.baz in seq %}...{% endfor %}")
				72	Traceback (most recent call last):
				73	...
Armin Ronacher	09c002e	2008-05-10 22:21:30 +0200	[diff] [blame]	74	TemplateSyntaxError: expected token 'in', got '.' (line 1)
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	75	'''
Armin Ronacher	6df604e	2008-05-23 22:18:38 +0200	[diff] [blame]	76
				77
				78	test_immutable_environment = '''
				79	>>> env = MODULE.ImmutableSandboxedEnvironment()
				80	>>> env.from_string('{{ [].append(23) }}').render()
				81	Traceback (most recent call last):
				82	...
				83	SecurityError: access to attribute 'append' of 'list' object is unsafe.
				84	>>> env.from_string('{{ {1:2}.clear() }}').render()
				85	Traceback (most recent call last):
				86	...
				87	SecurityError: access to attribute 'clear' of 'dict' object is unsafe.
				88	'''
Armin Ronacher	4e6f9a2	2008-05-23 23:57:38 +0200	[diff] [blame]	89
				90	def test_markup_operations():
				91	# adding two strings should escape the unsafe one
				92	unsafe = '<script type="application/x-some-script">alert("foo");</script>'
				93	safe = Markup('<em>username</em>')
				94	assert unsafe + safe == unicode(escape(unsafe)) + unicode(safe)
				95
				96	# string interpolations are safe to use too
				97	assert Markup('<em>%s</em>') % '<bad user>' == \
				98	'<em><bad user></em>'
				99	assert Markup('<em>%(username)s</em>') % {
				100	'username': '<bad user>'
				101	} == '<em><bad user></em>'
				102
				103	# an escaped object is markup too
				104	assert type(Markup('foo') + 'bar') is Markup
				105
				106	# and it implements __html__ by returning itself
				107	x = Markup("foo")
				108	assert x.__html__() is x
				109
				110	# it also knows how to treat __html__ objects
				111	class Foo(object):
				112	def __html__(self):
				113	return '<em>awesome</em>'
				114	def __unicode__(self):
				115	return 'awesome'
				116	assert Markup(Foo()) == '<em>awesome</em>'
				117	assert Markup('<strong>%s</strong>') % Foo() == \
				118	'<strong><em>awesome</em></strong>'
Armin Ronacher	9cf9591	2008-05-24 19:54:43 +0200	[diff] [blame]	119
				120	# escaping and unescaping
				121	assert escape('"<>&\'') == '"<>&''
				122	assert Markup("<em>Foo & Bar</em>").striptags() == "Foo & Bar"
				123	assert Markup("<test>").unescape() == "<test>"
Armin Ronacher	5411ce7	2008-05-25 11:36:22 +0200	[diff] [blame]	124
				125
				126	def test_template_data():
				127	env = Environment(autoescape=True)
				128	t = env.from_string('{% macro say_hello(name) %}'
				129	'<p>Hello {{ name }}!</p>{% endmacro %}'
				130	'{{ say_hello("<blink>foo</blink>") }}')
				131	escaped_out = '<p>Hello <blink>foo</blink>!</p>'
				132	assert t.render() == escaped_out
				133	assert unicode(t.module) == escaped_out
				134	assert escape(t.module) == escaped_out
				135	assert t.module.say_hello('<blink>foo</blink>') == escaped_out
				136	assert escape(t.module.say_hello('<blink>foo</blink>')) == escaped_out
Armin Ronacher	24b6558	2008-05-26 13:35:58 +0200	[diff] [blame]	137
				138
				139	def test_attr_filter():
				140	env = SandboxedEnvironment()
				141	tmpl = env.from_string('{{ 42\|attr("__class__")\|attr("__subclasses__")() }}')
				142	raises(SecurityError, tmpl.render)