Blame - tests/test_security.py - platform/external/python/jinja

blob: 8ef3edf7980d44f732af1747539cdeae236a5076 [file] [log] [blame]

Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	1	# -- coding: utf-8 --
				2	"""
				3	unit test for security features
				4	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
				5
				6	:copyright: 2007 by Armin Ronacher.
				7	:license: BSD, see LICENSE for more details.
				8	"""
Armin Ronacher	24b6558	2008-05-26 13:35:58 +0200	[diff] [blame]	9	from py.test import raises
Armin Ronacher	5411ce7	2008-05-25 11:36:22 +0200	[diff] [blame]	10	from jinja2 import Environment
Armin Ronacher	6df604e	2008-05-23 22:18:38 +0200	[diff] [blame]	11	from jinja2.sandbox import SandboxedEnvironment, \
				12	ImmutableSandboxedEnvironment, unsafe
Armin Ronacher	4e6f9a2	2008-05-23 23:57:38 +0200	[diff] [blame]	13	from jinja2 import Markup, escape
Armin Ronacher	ccae055	2008-10-05 23:08:58 +0200	[diff] [blame^]	14	from jinja2.exceptions import SecurityError, TemplateSyntaxError
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	15
				16
				17	class PrivateStuff(object):
Armin Ronacher	4f7d2d5	2008-04-22 10:40:26 +0200	[diff] [blame]	18
				19	def bar(self):
				20	return 23
				21
				22	@unsafe
				23	def foo(self):
				24	return 42
				25
				26	def __repr__(self):
				27	return 'PrivateStuff'
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	28
				29
				30	class PublicStuff(object):
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	31	bar = lambda self: 23
Armin Ronacher	4f7d2d5	2008-04-22 10:40:26 +0200	[diff] [blame]	32	_foo = lambda self: 42
				33
				34	def __repr__(self):
				35	return 'PublicStuff'
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	36
				37
				38	test_unsafe = '''
Armin Ronacher	4f7d2d5	2008-04-22 10:40:26 +0200	[diff] [blame]	39	>>> env = MODULE.SandboxedEnvironment()
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	40	>>> env.from_string("{{ foo.foo() }}").render(foo=MODULE.PrivateStuff())
Armin Ronacher	4f7d2d5	2008-04-22 10:40:26 +0200	[diff] [blame]	41	Traceback (most recent call last):
				42	...
Armin Ronacher	5cdc1ac	2008-05-07 12:17:18 +0200	[diff] [blame]	43	SecurityError: <bound method PrivateStuff.foo of PrivateStuff> is not safely callable
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	44	>>> env.from_string("{{ foo.bar() }}").render(foo=MODULE.PrivateStuff())
				45	u'23'
				46
Armin Ronacher	4f7d2d5	2008-04-22 10:40:26 +0200	[diff] [blame]	47	>>> env.from_string("{{ foo._foo() }}").render(foo=MODULE.PublicStuff())
				48	Traceback (most recent call last):
				49	...
Armin Ronacher	5cdc1ac	2008-05-07 12:17:18 +0200	[diff] [blame]	50	SecurityError: access to attribute '_foo' of 'PublicStuff' object is unsafe.
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	51	>>> env.from_string("{{ foo.bar() }}").render(foo=MODULE.PublicStuff())
				52	u'23'
				53
				54	>>> env.from_string("{{ foo.__class__ }}").render(foo=42)
				55	u''
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	56	>>> env.from_string("{{ foo.func_code }}").render(foo=lambda:None)
				57	u''
Armin Ronacher	4f7d2d5	2008-04-22 10:40:26 +0200	[diff] [blame]	58	>>> env.from_string("{{ foo.__class__.__subclasses__() }}").render(foo=42)
				59	Traceback (most recent call last):
				60	...
Armin Ronacher	5cdc1ac	2008-05-07 12:17:18 +0200	[diff] [blame]	61	SecurityError: access to attribute '__class__' of 'int' object is unsafe.
Armin Ronacher	ccf284b	2007-05-21 16:44:26 +0200	[diff] [blame]	62	'''
				63
				64
Armin Ronacher	ccae055	2008-10-05 23:08:58 +0200	[diff] [blame^]	65	def test_restricted():
				66	env = SandboxedEnvironment()
				67	raises(TemplateSyntaxError, env.from_string,
				68	"{% for item.attribute in seq %}...{% endfor %}")
				69	raises(TemplateSyntaxError, env.from_string,
				70	"{% for foo, bar.baz in seq %}...{% endfor %}")
Armin Ronacher	6df604e	2008-05-23 22:18:38 +0200	[diff] [blame]	71
				72
				73	test_immutable_environment = '''
				74	>>> env = MODULE.ImmutableSandboxedEnvironment()
				75	>>> env.from_string('{{ [].append(23) }}').render()
				76	Traceback (most recent call last):
				77	...
				78	SecurityError: access to attribute 'append' of 'list' object is unsafe.
				79	>>> env.from_string('{{ {1:2}.clear() }}').render()
				80	Traceback (most recent call last):
				81	...
				82	SecurityError: access to attribute 'clear' of 'dict' object is unsafe.
				83	'''
Armin Ronacher	4e6f9a2	2008-05-23 23:57:38 +0200	[diff] [blame]	84
Armin Ronacher	ccae055	2008-10-05 23:08:58 +0200	[diff] [blame^]	85
Armin Ronacher	4e6f9a2	2008-05-23 23:57:38 +0200	[diff] [blame]	86	def test_markup_operations():
				87	# adding two strings should escape the unsafe one
				88	unsafe = '<script type="application/x-some-script">alert("foo");</script>'
				89	safe = Markup('<em>username</em>')
				90	assert unsafe + safe == unicode(escape(unsafe)) + unicode(safe)
				91
				92	# string interpolations are safe to use too
				93	assert Markup('<em>%s</em>') % '<bad user>' == \
				94	'<em><bad user></em>'
				95	assert Markup('<em>%(username)s</em>') % {
				96	'username': '<bad user>'
				97	} == '<em><bad user></em>'
				98
				99	# an escaped object is markup too
				100	assert type(Markup('foo') + 'bar') is Markup
				101
				102	# and it implements __html__ by returning itself
				103	x = Markup("foo")
				104	assert x.__html__() is x
				105
				106	# it also knows how to treat __html__ objects
				107	class Foo(object):
				108	def __html__(self):
				109	return '<em>awesome</em>'
				110	def __unicode__(self):
				111	return 'awesome'
				112	assert Markup(Foo()) == '<em>awesome</em>'
				113	assert Markup('<strong>%s</strong>') % Foo() == \
				114	'<strong><em>awesome</em></strong>'
Armin Ronacher	9cf9591	2008-05-24 19:54:43 +0200	[diff] [blame]	115
				116	# escaping and unescaping
				117	assert escape('"<>&\'') == '"<>&''
				118	assert Markup("<em>Foo & Bar</em>").striptags() == "Foo & Bar"
				119	assert Markup("<test>").unescape() == "<test>"
Armin Ronacher	5411ce7	2008-05-25 11:36:22 +0200	[diff] [blame]	120
				121
				122	def test_template_data():
				123	env = Environment(autoescape=True)
				124	t = env.from_string('{% macro say_hello(name) %}'
				125	'<p>Hello {{ name }}!</p>{% endmacro %}'
				126	'{{ say_hello("<blink>foo</blink>") }}')
				127	escaped_out = '<p>Hello <blink>foo</blink>!</p>'
				128	assert t.render() == escaped_out
				129	assert unicode(t.module) == escaped_out
				130	assert escape(t.module) == escaped_out
				131	assert t.module.say_hello('<blink>foo</blink>') == escaped_out
				132	assert escape(t.module.say_hello('<blink>foo</blink>')) == escaped_out
Armin Ronacher	24b6558	2008-05-26 13:35:58 +0200	[diff] [blame]	133
				134
				135	def test_attr_filter():
				136	env = SandboxedEnvironment()
				137	tmpl = env.from_string('{{ 42\|attr("__class__")\|attr("__subclasses__")() }}')
				138	raises(SecurityError, tmpl.render)