authorArmin Ronacher <armin.ronacher@active-4.com>2008-04-22 10:40:26 +0200
committerArmin Ronacher <armin.ronacher@active-4.com>2008-04-22 10:40:26 +0200
commit4f7d2d56ab996050c9094f9426969028db0c8aa6 (patch)
tree538e40cc763cceac85af69f2731dc277e0e6669b /tests/test_security.py
parent2b60fe5c916a34d9ac857749451e7f6ce59c67bb (diff)
downloadjinja2-4f7d2d56ab996050c9094f9426969028db0c8aa6.tar.gz
fixed more unittests
--HG-- branch : trunk
Diffstat (limited to 'tests/test_security.py')
-rw-r--r--tests/test_security.py55
1 files changed, 29 insertions, 26 deletions
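diff --git a/tests/test_security.py b/tests/test_security.py
index cb470f8..331e8b9 100644
--- a/tests/test_security.py
+++ b/tests/test_security.py
@@ -6,62 +6,65 @@
 :copyright: 2007 by Armin Ronacher.
 :license: BSD, see LICENSE for more details.
 """
-from jinja2 import Environment
+from jinja2.sandbox import SandboxedEnvironment, unsafe
-NONLOCALSET = '''\
-{% for item in range(10) %}
- {%- set outer = item! -%}
-{% endfor -%}
-{{ outer }}'''
+class PrivateStuff(object):
+ def bar(self):
+ return 23
-class PrivateStuff(object):
- bar = lambda self: 23
- foo = lambda self: 42
- foo.jinja_unsafe_call = True
+ @unsafe
+ def foo(self):
+ return 42
+
+ def __repr__(self):
+ return 'PrivateStuff'
 class PublicStuff(object):
- jinja_allowed_attributes = ['bar']
 bar = lambda self: 23
- foo = lambda self: 42
+ _foo = lambda self: 42
+
+ def __repr__(self):
+ return 'PublicStuff'
 test_unsafe = '''
+>>> env = MODULE.SandboxedEnvironment()
 >>> env.from_string("{{ foo.foo() }}").render(foo=MODULE.PrivateStuff())
-u''
+Traceback (most recent call last):
+ ...
+TypeError: <bound method PrivateStuff.foo of PrivateStuff> is not safely callable
 >>> env.from_string("{{ foo.bar() }}").render(foo=MODULE.PrivateStuff())
 u'23'
->>> env.from_string("{{ foo.foo() }}").render(foo=MODULE.PublicStuff())
-u''
+>>> env.from_string("{{ foo._foo() }}").render(foo=MODULE.PublicStuff())
+Traceback (most recent call last):
+ ...
+UndefinedError: access to attribute '_foo' of 'PublicStuff' object is unsafe.
 >>> env.from_string("{{ foo.bar() }}").render(foo=MODULE.PublicStuff())
 u'23'
 >>> env.from_string("{{ foo.__class__ }}").render(foo=42)
 u''
-
 >>> env.from_string("{{ foo.func_code }}").render(foo=lambda:None)
 u''
+>>> env.from_string("{{ foo.__class__.__subclasses__() }}").render(foo=42)
+Traceback (most recent call last):
+ ...
+UndefinedError: access to attribute '__class__' of 'int' object is unsafe.
 '''
 test_restricted = '''
+>>> env = MODULE.SandboxedEnvironment()
 >>> env.from_string("{% for item.attribute in seq %}...{% endfor %}")
 Traceback (most recent call last):
 ...
-TemplateSyntaxError: cannot assign to expression (line 1)
+TemplateSyntaxError: can't assign to 'subscript' (line 1)
 >>> env.from_string("{% for foo, bar.baz in seq %}...{% endfor %}")
 Traceback (most recent call last):
 ...
-TemplateSyntaxError: cannot assign to expression (line 1)
+TemplateSyntaxError: can't assign to 'tuple' (line 1)
 '''
-
-
-def test_nonlocal_set():
- env = Environment()
- env.globals['outer'] = 42
- tmpl = env.from_string(NONLOCALSET)
- assert tmpl.render() == '9'
- assert env.globals['outer'] == 42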
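Review bot: The expected error for `{{ foo.foo() }}` in `test_unsafe` (`TypeError: <bound method PrivateStuff.foo of PrivateStuff> is not safely callable`) embeds the interpreter's repr of a bound method, which may differ across Python versions and implementations, so the one assertion that verifies the `@unsafe` marker is actually enforced by `SandboxedEnvironment` can fail for reasons unrelated to the sandbox. Matching with an ellipsis keeps the check on the part that matters: `>>> env.from_string("{{ foo.foo() }}").render(foo=MODULE.PrivateStuff())  # doctest: +ELLIPSIS` with the expected line `TypeError: <bound method ...> is not safely callable`. The two `__repr__` overrides on `PrivateStuff` and `PublicStuff` appear to exist only to make those messages deterministic; a comment such as `# fixed repr so the doctest error messages below are deterministic` above each would spare the next reader from wondering why fixture classes pin their repr. The `test_restricted` expectations are likewise copied verbatim from the parser's wording and will need updating whenever that text changes, which deserves a one-line comment at the top of that string.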