1 # -*- coding: utf-8 -*-
3 unit test for security features
4 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
6 :copyright: 2007 by Armin Ronacher.
7 :license: BSD, see LICENSE for more details.
9 from py.test import raises
10 from jinja2 import Environment
11 from jinja2.sandbox import SandboxedEnvironment, \
12 ImmutableSandboxedEnvironment, unsafe
13 from jinja2 import Markup, escape
14 from jinja2.exceptions import SecurityError
17 class PrivateStuff(object):
30 class PublicStuff(object):
32 _foo = lambda self: 42
39 >>> env = MODULE.SandboxedEnvironment()
40 >>> env.from_string("{{ foo.foo() }}").render(foo=MODULE.PrivateStuff())
41 Traceback (most recent call last):
43 SecurityError: <bound method PrivateStuff.foo of PrivateStuff> is not safely callable
44 >>> env.from_string("{{ foo.bar() }}").render(foo=MODULE.PrivateStuff())
47 >>> env.from_string("{{ foo._foo() }}").render(foo=MODULE.PublicStuff())
48 Traceback (most recent call last):
50 SecurityError: access to attribute '_foo' of 'PublicStuff' object is unsafe.
51 >>> env.from_string("{{ foo.bar() }}").render(foo=MODULE.PublicStuff())
54 >>> env.from_string("{{ foo.__class__ }}").render(foo=42)
56 >>> env.from_string("{{ foo.func_code }}").render(foo=lambda:None)
58 >>> env.from_string("{{ foo.__class__.__subclasses__() }}").render(foo=42)
59 Traceback (most recent call last):
61 SecurityError: access to attribute '__class__' of 'int' object is unsafe.
66 >>> env = MODULE.SandboxedEnvironment()
67 >>> env.from_string("{% for item.attribute in seq %}...{% endfor %}")
68 Traceback (most recent call last):
70 TemplateSyntaxError: expected token 'in', got '.' (line 1)
71 >>> env.from_string("{% for foo, bar.baz in seq %}...{% endfor %}")
72 Traceback (most recent call last):
74 TemplateSyntaxError: expected token 'in', got '.' (line 1)
78 test_immutable_environment = '''
79 >>> env = MODULE.ImmutableSandboxedEnvironment()
80 >>> env.from_string('{{ [].append(23) }}').render()
81 Traceback (most recent call last):
83 SecurityError: access to attribute 'append' of 'list' object is unsafe.
84 >>> env.from_string('{{ {1:2}.clear() }}').render()
85 Traceback (most recent call last):
87 SecurityError: access to attribute 'clear' of 'dict' object is unsafe.
90 def test_markup_operations():
91 # adding two strings should escape the unsafe one
92 unsafe = '<script type="application/x-some-script">alert("foo");</script>'
93 safe = Markup('<em>username</em>')
94 assert unsafe + safe == unicode(escape(unsafe)) + unicode(safe)
96 # string interpolations are safe to use too
97 assert Markup('<em>%s</em>') % '<bad user>' == \
98 '<em><bad user></em>'
99 assert Markup('<em>%(username)s</em>') % {
100 'username': '<bad user>'
101 } == '<em><bad user></em>'
103 # an escaped object is markup too
104 assert type(Markup('foo') + 'bar') is Markup
106 # and it implements __html__ by returning itself
108 assert x.__html__() is x
110 # it also knows how to treat __html__ objects
113 return '<em>awesome</em>'
114 def __unicode__(self):
116 assert Markup(Foo()) == '<em>awesome</em>'
117 assert Markup('<strong>%s</strong>') % Foo() == \
118 '<strong><em>awesome</em></strong>'
120 # escaping and unescaping
121 assert escape('"<>&\'') == '"<>&''
122 assert Markup("<em>Foo & Bar</em>").striptags() == "Foo & Bar"
123 assert Markup("<test>").unescape() == "<test>"
126 def test_template_data():
127 env = Environment(autoescape=True)
128 t = env.from_string('{% macro say_hello(name) %}'
129 '<p>Hello {{ name }}!</p>{% endmacro %}'
130 '{{ say_hello("<blink>foo</blink>") }}')
131 escaped_out = '<p>Hello <blink>foo</blink>!</p>'
132 assert t.render() == escaped_out
133 assert unicode(t.module) == escaped_out
134 assert escape(t.module) == escaped_out
135 assert t.module.say_hello('<blink>foo</blink>') == escaped_out
136 assert escape(t.module.say_hello('<blink>foo</blink>')) == escaped_out
139 def test_attr_filter():
140 env = SandboxedEnvironment()
141 tmpl = env.from_string('{{ 42|attr("__class__")|attr("__subclasses__")() }}')
142 raises(SecurityError, tmpl.render)