diff options
| author | floatdrop <floatdrop@yandex-team.ru> | 2022-02-10 16:47:15 +0300 |
|---|---|---|
| committer | Daniil Cherednik <dcherednik@yandex-team.ru> | 2022-02-10 16:47:15 +0300 |
| commit | e63b84f1d39557d9e46ac380b1f388271894293c (patch) | |
| tree | 338cdaff3fb027e030b847db66df06019a0e3149 /contrib/python/Jinja2/py2/tests/test_security.py | |
| parent | f60febb7ea449535e7b073c386c7ff0539637fc0 (diff) | |
| download | ydb-e63b84f1d39557d9e46ac380b1f388271894293c.tar.gz | |
Restoring authorship annotation for <floatdrop@yandex-team.ru>. Commit 1 of 2.
Diffstat (limited to 'contrib/python/Jinja2/py2/tests/test_security.py')
| -rw-r--r-- | contrib/python/Jinja2/py2/tests/test_security.py | 196 |
1 files changed, 98 insertions, 98 deletions
diff --git a/contrib/python/Jinja2/py2/tests/test_security.py b/contrib/python/Jinja2/py2/tests/test_security.py index 7e8974c891b..76a7ab079fb 100644 --- a/contrib/python/Jinja2/py2/tests/test_security.py +++ b/contrib/python/Jinja2/py2/tests/test_security.py @@ -1,70 +1,70 @@ -# -*- coding: utf-8 -*- -import pytest - -from jinja2 import Environment +# -*- coding: utf-8 -*- +import pytest + +from jinja2 import Environment from jinja2 import escape from jinja2 import Markup from jinja2._compat import text_type from jinja2.exceptions import SecurityError from jinja2.exceptions import TemplateRuntimeError from jinja2.exceptions import TemplateSyntaxError -from jinja2.nodes import EvalContext +from jinja2.nodes import EvalContext from jinja2.sandbox import ImmutableSandboxedEnvironment from jinja2.sandbox import SandboxedEnvironment from jinja2.sandbox import unsafe - - -class PrivateStuff(object): - def bar(self): - return 23 - - @unsafe - def foo(self): - return 42 - - def __repr__(self): + + +class PrivateStuff(object): + def bar(self): + return 23 + + @unsafe + def foo(self): + return 42 + + def __repr__(self): return "PrivateStuff" - - -class PublicStuff(object): + + +class PublicStuff(object): def bar(self): return 23 - + def _foo(self): return 42 - def __repr__(self): + def __repr__(self): return "PublicStuff" - - -class TestSandbox(object): - def test_unsafe(self, env): - env = SandboxedEnvironment() + + +class TestSandbox(object): + def test_unsafe(self, env): + env = SandboxedEnvironment() pytest.raises( SecurityError, env.from_string("{{ foo.foo() }}").render, foo=PrivateStuff() ) assert env.from_string("{{ foo.bar() }}").render(foo=PrivateStuff()) == "23" - + pytest.raises( SecurityError, env.from_string("{{ foo._foo() }}").render, foo=PublicStuff() ) assert env.from_string("{{ foo.bar() }}").render(foo=PublicStuff()) == "23" assert env.from_string("{{ foo.__class__ }}").render(foo=42) == "" assert env.from_string("{{ foo.func_code }}").render(foo=lambda: None) == "" - # security error comes from __class__ already. + # security error comes from __class__ already. pytest.raises( SecurityError, env.from_string("{{ foo.__class__.__subclasses__() }}").render, foo=42, ) - - def test_immutable_environment(self, env): - env = ImmutableSandboxedEnvironment() + + def test_immutable_environment(self, env): + env = ImmutableSandboxedEnvironment() pytest.raises(SecurityError, env.from_string("{{ [].append(23) }}").render) pytest.raises(SecurityError, env.from_string("{{ {1:2}.clear() }}").render) - - def test_restricted(self, env): - env = SandboxedEnvironment() + + def test_restricted(self, env): + env = SandboxedEnvironment() pytest.raises( TemplateSyntaxError, env.from_string, @@ -75,116 +75,116 @@ class TestSandbox(object): env.from_string, "{% for foo, bar.baz in seq %}...{% endfor %}", ) - - def test_markup_operations(self, env): - # adding two strings should escape the unsafe one - unsafe = '<script type="application/x-some-script">alert("foo");</script>' + + def test_markup_operations(self, env): + # adding two strings should escape the unsafe one + unsafe = '<script type="application/x-some-script">alert("foo");</script>' safe = Markup("<em>username</em>") - assert unsafe + safe == text_type(escape(unsafe)) + text_type(safe) - - # string interpolations are safe to use too + assert unsafe + safe == text_type(escape(unsafe)) + text_type(safe) + + # string interpolations are safe to use too assert Markup("<em>%s</em>") % "<bad user>" == "<em><bad user></em>" assert ( Markup("<em>%(username)s</em>") % {"username": "<bad user>"} == "<em><bad user></em>" ) - - # an escaped object is markup too + + # an escaped object is markup too assert type(Markup("foo") + "bar") is Markup - - # and it implements __html__ by returning itself - x = Markup("foo") - assert x.__html__() is x - - # it also knows how to treat __html__ objects - class Foo(object): - def __html__(self): + + # and it implements __html__ by returning itself + x = Markup("foo") + assert x.__html__() is x + + # it also knows how to treat __html__ objects + class Foo(object): + def __html__(self): return "<em>awesome</em>" - - def __unicode__(self): + + def __unicode__(self): return "awesome" - + assert Markup(Foo()) == "<em>awesome</em>" assert ( Markup("<strong>%s</strong>") % Foo() == "<strong><em>awesome</em></strong>" ) - # escaping and unescaping + # escaping and unescaping assert escape("\"<>&'") == ""<>&'" - assert Markup("<em>Foo & Bar</em>").striptags() == "Foo & Bar" - assert Markup("<test>").unescape() == "<test>" - - def test_template_data(self, env): - env = Environment(autoescape=True) + assert Markup("<em>Foo & Bar</em>").striptags() == "Foo & Bar" + assert Markup("<test>").unescape() == "<test>" + + def test_template_data(self, env): + env = Environment(autoescape=True) t = env.from_string( "{% macro say_hello(name) %}" "<p>Hello {{ name }}!</p>{% endmacro %}" '{{ say_hello("<blink>foo</blink>") }}' ) escaped_out = "<p>Hello <blink>foo</blink>!</p>" - assert t.render() == escaped_out - assert text_type(t.module) == escaped_out - assert escape(t.module) == escaped_out + assert t.render() == escaped_out + assert text_type(t.module) == escaped_out + assert escape(t.module) == escaped_out assert t.module.say_hello("<blink>foo</blink>") == escaped_out assert ( escape(t.module.say_hello(EvalContext(env), "<blink>foo</blink>")) == escaped_out ) assert escape(t.module.say_hello("<blink>foo</blink>")) == escaped_out - - def test_attr_filter(self, env): - env = SandboxedEnvironment() - tmpl = env.from_string('{{ cls|attr("__subclasses__")() }}') - pytest.raises(SecurityError, tmpl.render, cls=int) - - def test_binary_operator_intercepting(self, env): - def disable_op(left, right): + + def test_attr_filter(self, env): + env = SandboxedEnvironment() + tmpl = env.from_string('{{ cls|attr("__subclasses__")() }}') + pytest.raises(SecurityError, tmpl.render, cls=int) + + def test_binary_operator_intercepting(self, env): + def disable_op(left, right): raise TemplateRuntimeError("that operator so does not work") for expr, ctx, rv in ("1 + 2", {}, "3"), ("a + 2", {"a": 2}, "4"): - env = SandboxedEnvironment() + env = SandboxedEnvironment() env.binop_table["+"] = disable_op t = env.from_string("{{ %s }}" % expr) - assert t.render(ctx) == rv + assert t.render(ctx) == rv env.intercepted_binops = frozenset(["+"]) t = env.from_string("{{ %s }}" % expr) with pytest.raises(TemplateRuntimeError): - t.render(ctx) - - def test_unary_operator_intercepting(self, env): - def disable_op(arg): + t.render(ctx) + + def test_unary_operator_intercepting(self, env): + def disable_op(arg): raise TemplateRuntimeError("that operator so does not work") for expr, ctx, rv in ("-1", {}, "-1"), ("-a", {"a": 2}, "-2"): - env = SandboxedEnvironment() + env = SandboxedEnvironment() env.unop_table["-"] = disable_op t = env.from_string("{{ %s }}" % expr) - assert t.render(ctx) == rv + assert t.render(ctx) == rv env.intercepted_unops = frozenset(["-"]) t = env.from_string("{{ %s }}" % expr) with pytest.raises(TemplateRuntimeError): - t.render(ctx) - - -class TestStringFormat(object): - def test_basic_format_safety(self): - env = SandboxedEnvironment() - t = env.from_string('{{ "a{0.__class__}b".format(42) }}') + t.render(ctx) + + +class TestStringFormat(object): + def test_basic_format_safety(self): + env = SandboxedEnvironment() + t = env.from_string('{{ "a{0.__class__}b".format(42) }}') assert t.render() == "ab" - - def test_basic_format_all_okay(self): - env = SandboxedEnvironment() - t = env.from_string('{{ "a{0.foo}b".format({"foo": 42}) }}') + + def test_basic_format_all_okay(self): + env = SandboxedEnvironment() + t = env.from_string('{{ "a{0.foo}b".format({"foo": 42}) }}') assert t.render() == "a42b" - - def test_safe_format_safety(self): - env = SandboxedEnvironment() - t = env.from_string('{{ ("a{0.__class__}b{1}"|safe).format(42, "<foo>") }}') + + def test_safe_format_safety(self): + env = SandboxedEnvironment() + t = env.from_string('{{ ("a{0.__class__}b{1}"|safe).format(42, "<foo>") }}') assert t.render() == "ab<foo>" - - def test_safe_format_all_okay(self): - env = SandboxedEnvironment() - t = env.from_string('{{ ("a{0.foo}b{1}"|safe).format({"foo": 42}, "<foo>") }}') + + def test_safe_format_all_okay(self): + env = SandboxedEnvironment() + t = env.from_string('{{ ("a{0.foo}b{1}"|safe).format({"foo": 42}, "<foo>") }}') assert t.render() == "a42b<foo>" |