1 # -*- coding: utf-8 -*-
3 unit test for security features
4 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
6 :copyright: (c) 2009 by the Jinja Team.
7 :license: BSD, see LICENSE for more details.
9 from py.test import raises
10 from jinja2 import Environment
11 from jinja2.sandbox import SandboxedEnvironment, \
12 ImmutableSandboxedEnvironment, unsafe
13 from jinja2 import Markup, escape
14 from jinja2.exceptions import SecurityError, TemplateSyntaxError
17 class PrivateStuff(object):
30 class PublicStuff(object):
32 _foo = lambda self: 42
39 >>> env = MODULE.SandboxedEnvironment()
40 >>> env.from_string("{{ foo.foo() }}").render(foo=MODULE.PrivateStuff())
41 Traceback (most recent call last):
43 SecurityError: <bound method PrivateStuff.foo of PrivateStuff> is not safely callable
44 >>> env.from_string("{{ foo.bar() }}").render(foo=MODULE.PrivateStuff())
47 >>> env.from_string("{{ foo._foo() }}").render(foo=MODULE.PublicStuff())
48 Traceback (most recent call last):
50 SecurityError: access to attribute '_foo' of 'PublicStuff' object is unsafe.
51 >>> env.from_string("{{ foo.bar() }}").render(foo=MODULE.PublicStuff())
54 >>> env.from_string("{{ foo.__class__ }}").render(foo=42)
56 >>> env.from_string("{{ foo.func_code }}").render(foo=lambda:None)
58 >>> env.from_string("{{ foo.__class__.__subclasses__() }}").render(foo=42)
59 Traceback (most recent call last):
61 SecurityError: access to attribute '__class__' of 'int' object is unsafe.
65 def test_restricted():
66 env = SandboxedEnvironment()
67 raises(TemplateSyntaxError, env.from_string,
68 "{% for item.attribute in seq %}...{% endfor %}")
69 raises(TemplateSyntaxError, env.from_string,
70 "{% for foo, bar.baz in seq %}...{% endfor %}")
73 test_immutable_environment = '''
74 >>> env = MODULE.ImmutableSandboxedEnvironment()
75 >>> env.from_string('{{ [].append(23) }}').render()
76 Traceback (most recent call last):
78 SecurityError: access to attribute 'append' of 'list' object is unsafe.
79 >>> env.from_string('{{ {1:2}.clear() }}').render()
80 Traceback (most recent call last):
82 SecurityError: access to attribute 'clear' of 'dict' object is unsafe.
86 def test_markup_operations():
87 # adding two strings should escape the unsafe one
88 unsafe = '<script type="application/x-some-script">alert("foo");</script>'
89 safe = Markup('<em>username</em>')
90 assert unsafe + safe == unicode(escape(unsafe)) + unicode(safe)
92 # string interpolations are safe to use too
93 assert Markup('<em>%s</em>') % '<bad user>' == \
94 '<em><bad user></em>'
95 assert Markup('<em>%(username)s</em>') % {
96 'username': '<bad user>'
97 } == '<em><bad user></em>'
99 # an escaped object is markup too
100 assert type(Markup('foo') + 'bar') is Markup
102 # and it implements __html__ by returning itself
104 assert x.__html__() is x
106 # it also knows how to treat __html__ objects
109 return '<em>awesome</em>'
110 def __unicode__(self):
112 assert Markup(Foo()) == '<em>awesome</em>'
113 assert Markup('<strong>%s</strong>') % Foo() == \
114 '<strong><em>awesome</em></strong>'
116 # escaping and unescaping
117 assert escape('"<>&\'') == '"<>&''
118 assert Markup("<em>Foo & Bar</em>").striptags() == "Foo & Bar"
119 assert Markup("<test>").unescape() == "<test>"
122 def test_template_data():
123 env = Environment(autoescape=True)
124 t = env.from_string('{% macro say_hello(name) %}'
125 '<p>Hello {{ name }}!</p>{% endmacro %}'
126 '{{ say_hello("<blink>foo</blink>") }}')
127 escaped_out = '<p>Hello <blink>foo</blink>!</p>'
128 assert t.render() == escaped_out
129 assert unicode(t.module) == escaped_out
130 assert escape(t.module) == escaped_out
131 assert t.module.say_hello('<blink>foo</blink>') == escaped_out
132 assert escape(t.module.say_hello('<blink>foo</blink>')) == escaped_out
135 def test_attr_filter():
136 env = SandboxedEnvironment()
137 tmpl = env.from_string('{{ 42|attr("__class__")|attr("__subclasses__")() }}')
138 raises(SecurityError, tmpl.render)