diff options
| author | floatdrop <floatdrop@yandex-team.ru> | 2022-02-10 16:47:15 +0300 |
|---|---|---|
| committer | Daniil Cherednik <dcherednik@yandex-team.ru> | 2022-02-10 16:47:15 +0300 |
| commit | e63b84f1d39557d9e46ac380b1f388271894293c (patch) | |
| tree | 338cdaff3fb027e030b847db66df06019a0e3149 /contrib/python/Jinja2/py3/tests/test_security.py | |
| parent | f60febb7ea449535e7b073c386c7ff0539637fc0 (diff) | |
| download | ydb-e63b84f1d39557d9e46ac380b1f388271894293c.tar.gz | |
Restoring authorship annotation for <floatdrop@yandex-team.ru>. Commit 1 of 2.
Diffstat (limited to 'contrib/python/Jinja2/py3/tests/test_security.py')
| -rw-r--r-- | contrib/python/Jinja2/py3/tests/test_security.py | 138 |
1 files changed, 69 insertions, 69 deletions
diff --git a/contrib/python/Jinja2/py3/tests/test_security.py b/contrib/python/Jinja2/py3/tests/test_security.py index 0e8dc5c0385..d045c30f8b5 100644 --- a/contrib/python/Jinja2/py3/tests/test_security.py +++ b/contrib/python/Jinja2/py3/tests/test_security.py @@ -1,67 +1,67 @@ -import pytest +import pytest from markupsafe import escape - -from jinja2 import Environment + +from jinja2 import Environment from jinja2.exceptions import SecurityError from jinja2.exceptions import TemplateRuntimeError from jinja2.exceptions import TemplateSyntaxError -from jinja2.nodes import EvalContext +from jinja2.nodes import EvalContext from jinja2.sandbox import ImmutableSandboxedEnvironment from jinja2.sandbox import SandboxedEnvironment from jinja2.sandbox import unsafe - - + + class PrivateStuff: - def bar(self): - return 23 - - @unsafe - def foo(self): - return 42 - - def __repr__(self): + def bar(self): + return 23 + + @unsafe + def foo(self): + return 42 + + def __repr__(self): return "PrivateStuff" - - + + class PublicStuff: def bar(self): return 23 - + def _foo(self): return 42 - def __repr__(self): + def __repr__(self): return "PublicStuff" - - + + class TestSandbox: - def test_unsafe(self, env): - env = SandboxedEnvironment() + def test_unsafe(self, env): + env = SandboxedEnvironment() pytest.raises( SecurityError, env.from_string("{{ foo.foo() }}").render, foo=PrivateStuff() ) assert env.from_string("{{ foo.bar() }}").render(foo=PrivateStuff()) == "23" - + pytest.raises( SecurityError, env.from_string("{{ foo._foo() }}").render, foo=PublicStuff() ) assert env.from_string("{{ foo.bar() }}").render(foo=PublicStuff()) == "23" assert env.from_string("{{ foo.__class__ }}").render(foo=42) == "" assert env.from_string("{{ foo.func_code }}").render(foo=lambda: None) == "" - # security error comes from __class__ already. + # security error comes from __class__ already. pytest.raises( SecurityError, env.from_string("{{ foo.__class__.__subclasses__() }}").render, foo=42, ) - - def test_immutable_environment(self, env): - env = ImmutableSandboxedEnvironment() + + def test_immutable_environment(self, env): + env = ImmutableSandboxedEnvironment() pytest.raises(SecurityError, env.from_string("{{ [].append(23) }}").render) pytest.raises(SecurityError, env.from_string("{{ {1:2}.clear() }}").render) - - def test_restricted(self, env): - env = SandboxedEnvironment() + + def test_restricted(self, env): + env = SandboxedEnvironment() pytest.raises( TemplateSyntaxError, env.from_string, @@ -72,78 +72,78 @@ class TestSandbox: env.from_string, "{% for foo, bar.baz in seq %}...{% endfor %}", ) - - def test_template_data(self, env): - env = Environment(autoescape=True) + + def test_template_data(self, env): + env = Environment(autoescape=True) t = env.from_string( "{% macro say_hello(name) %}" "<p>Hello {{ name }}!</p>{% endmacro %}" '{{ say_hello("<blink>foo</blink>") }}' ) escaped_out = "<p>Hello <blink>foo</blink>!</p>" - assert t.render() == escaped_out + assert t.render() == escaped_out assert str(t.module) == escaped_out - assert escape(t.module) == escaped_out + assert escape(t.module) == escaped_out assert t.module.say_hello("<blink>foo</blink>") == escaped_out assert ( escape(t.module.say_hello(EvalContext(env), "<blink>foo</blink>")) == escaped_out ) assert escape(t.module.say_hello("<blink>foo</blink>")) == escaped_out - - def test_attr_filter(self, env): - env = SandboxedEnvironment() - tmpl = env.from_string('{{ cls|attr("__subclasses__")() }}') - pytest.raises(SecurityError, tmpl.render, cls=int) - - def test_binary_operator_intercepting(self, env): - def disable_op(left, right): + + def test_attr_filter(self, env): + env = SandboxedEnvironment() + tmpl = env.from_string('{{ cls|attr("__subclasses__")() }}') + pytest.raises(SecurityError, tmpl.render, cls=int) + + def test_binary_operator_intercepting(self, env): + def disable_op(left, right): raise TemplateRuntimeError("that operator so does not work") for expr, ctx, rv in ("1 + 2", {}, "3"), ("a + 2", {"a": 2}, "4"): - env = SandboxedEnvironment() + env = SandboxedEnvironment() env.binop_table["+"] = disable_op t = env.from_string(f"{{{{ {expr} }}}}") - assert t.render(ctx) == rv + assert t.render(ctx) == rv env.intercepted_binops = frozenset(["+"]) t = env.from_string(f"{{{{ {expr} }}}}") with pytest.raises(TemplateRuntimeError): - t.render(ctx) - - def test_unary_operator_intercepting(self, env): - def disable_op(arg): + t.render(ctx) + + def test_unary_operator_intercepting(self, env): + def disable_op(arg): raise TemplateRuntimeError("that operator so does not work") for expr, ctx, rv in ("-1", {}, "-1"), ("-a", {"a": 2}, "-2"): - env = SandboxedEnvironment() + env = SandboxedEnvironment() env.unop_table["-"] = disable_op t = env.from_string(f"{{{{ {expr} }}}}") - assert t.render(ctx) == rv + assert t.render(ctx) == rv env.intercepted_unops = frozenset(["-"]) t = env.from_string(f"{{{{ {expr} }}}}") with pytest.raises(TemplateRuntimeError): - t.render(ctx) - - + t.render(ctx) + + class TestStringFormat: - def test_basic_format_safety(self): - env = SandboxedEnvironment() - t = env.from_string('{{ "a{0.__class__}b".format(42) }}') + def test_basic_format_safety(self): + env = SandboxedEnvironment() + t = env.from_string('{{ "a{0.__class__}b".format(42) }}') assert t.render() == "ab" - - def test_basic_format_all_okay(self): - env = SandboxedEnvironment() - t = env.from_string('{{ "a{0.foo}b".format({"foo": 42}) }}') + + def test_basic_format_all_okay(self): + env = SandboxedEnvironment() + t = env.from_string('{{ "a{0.foo}b".format({"foo": 42}) }}') assert t.render() == "a42b" - - def test_safe_format_safety(self): - env = SandboxedEnvironment() - t = env.from_string('{{ ("a{0.__class__}b{1}"|safe).format(42, "<foo>") }}') + + def test_safe_format_safety(self): + env = SandboxedEnvironment() + t = env.from_string('{{ ("a{0.__class__}b{1}"|safe).format(42, "<foo>") }}') assert t.render() == "ab<foo>" - - def test_safe_format_all_okay(self): - env = SandboxedEnvironment() - t = env.from_string('{{ ("a{0.foo}b{1}"|safe).format({"foo": 42}, "<foo>") }}') + + def test_safe_format_all_okay(self): + env = SandboxedEnvironment() + t = env.from_string('{{ ("a{0.foo}b{1}"|safe).format({"foo": 42}, "<foo>") }}') assert t.render() == "a42b<foo>" def test_empty_braces_format(self): |