from __future__ import unicode_literals
import os
from django.template import Context, Engine
from django.test import SimpleTestCase, ignore_warnings
from django.utils.deprecation import RemovedInDjango110Warning
from ..utils import ROOT, setup
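@ignore_warnings(category=RemovedInDjango110Warning)
class SsiTagTests(SimpleTestCase):
    """
    Rendering tests for the ``{% ssi %}`` template tag.

    Each test registers a one-tag template through the ``setup`` decorator
    imported from ``..utils``; ``self.engine`` is read but never assigned in
    this class, so presumably ``setup`` provides it -- confirm in ``..utils``.

    Behaviour pinned by the assertions below:

    * the path may be a quoted literal (single or double quotes) or a context
      variable;
    * an existing file is inlined, a missing one renders as ``''``;
    * without ``parsed`` the included file's own ``{{ test }}`` is emitted
      verbatim, with ``parsed`` it is rendered against the given context;
    * a space in the file name is accepted.

    ``RemovedInDjango110Warning`` is silenced for the whole class.
    """

    # Test normal behavior
    @setup({'ssi01': '{%% ssi "%s" %%}' % os.path.join(
        ROOT, 'templates', 'ssi_include.html',
    )})
    def test_ssi01(self):
        """An existing file is inlined; its ``{{ test }}`` stays literal."""
        output = self.engine.render_to_string('ssi01')
        self.assertEqual(output, 'This is for testing an ssi include. {{ test }}\n')

    @setup({'ssi02': '{%% ssi "%s" %%}' % os.path.join(
        ROOT, 'not_here',
    )})
    def test_ssi02(self):
        """A missing path given in double quotes renders as the empty string."""
        output = self.engine.render_to_string('ssi02')
        self.assertEqual(output, '')

    @setup({'ssi03': "{%% ssi '%s' %%}" % os.path.join(
        ROOT, 'not_here',
    )})
    def test_ssi03(self):
        """A missing path given in single quotes renders as the empty string."""
        output = self.engine.render_to_string('ssi03')
        self.assertEqual(output, '')

    # Test passing as a variable
    @setup({'ssi04': '{% ssi ssi_file %}'})
    def test_ssi04(self):
        """The path may come from a context variable instead of a literal."""
        output = self.engine.render_to_string('ssi04', {
            'ssi_file': os.path.join(ROOT, 'templates', 'ssi_include.html')
        })
        self.assertEqual(output, 'This is for testing an ssi include. {{ test }}\n')

    @setup({'ssi05': '{% ssi ssi_file %}'})
    def test_ssi05(self):
        """A context variable naming a missing file renders as the empty string."""
        output = self.engine.render_to_string('ssi05', {'ssi_file': 'no_file'})
        self.assertEqual(output, '')

    # Test parsed output
    @setup({'ssi06': '{%% ssi "%s" parsed %%}' % os.path.join(
        ROOT, 'templates', 'ssi_include.html',
    )})
    def test_ssi06(self):
        """With ``parsed``, the included file's ``{{ test }}`` is rendered from context."""
        output = self.engine.render_to_string('ssi06', {'test': 'Look ma! It parsed!'})
        self.assertEqual(output, 'This is for testing an ssi include. '
                                 'Look ma! It parsed!\n')

    @setup({'ssi07': '{%% ssi "%s" parsed %%}' % os.path.join(
        ROOT, 'not_here',
    )})
    def test_ssi07(self):
        """``parsed`` does not change the empty result for a missing file."""
        output = self.engine.render_to_string('ssi07', {'test': 'Look ma! It parsed!'})
        self.assertEqual(output, '')

    # Test space in file name
    @setup({'ssi08': '{%% ssi "%s" %%}' % os.path.join(
        ROOT, 'templates', 'ssi include with spaces.html',
    )})
    def test_ssi08(self):
        """A quoted path containing spaces is inlined unparsed."""
        output = self.engine.render_to_string('ssi08')
        self.assertEqual(output, 'This is for testing an ssi include '
                                 'with spaces in its name. {{ test }}\n')

    @setup({'ssi09': '{%% ssi "%s" parsed %%}' % os.path.join(
        ROOT, 'templates', 'ssi include with spaces.html',
    )})
    def test_ssi09(self):
        """A quoted path containing spaces is inlined and parsed."""
        output = self.engine.render_to_string('ssi09', {'test': 'Look ma! It parsed!'})
        self.assertEqual(output, 'This is for testing an ssi include '
                                 'with spaces in its name. Look ma! It parsed!\n')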
@ignore_warnings(category=RemovedInDjango110Warning)
class SSISecurityTests(SimpleTestCase):
    """
    Checks that ``{% ssi %}`` honours ``Engine(allowed_include_roots=...)``.

    A dedicated engine is built with a single allowed root. A path that
    resolves inside that root is inlined; a path that uses ``..`` to escape
    it renders as ``''``. Every path handed to the engine exists on disk, so
    an empty result can only mean the include was refused.

    ``RemovedInDjango110Warning`` is silenced for the whole class.
    """

    def setUp(self):
        # The only directory this engine may include from.
        self.ssi_dir = os.path.join(ROOT, "templates", "first")
        self.engine = Engine(allowed_include_roots=(self.ssi_dir,))

    def render_ssi(self, path):
        """
        Render a template consisting solely of ``{% ssi "<path>" %}``.

        Asserts that *path* exists first, so a ``''`` result is attributable
        to the allowed-roots check rather than to a missing file.
        """
        self.assertTrue(os.path.exists(path))
        tag_source = '{%% ssi "%s" %%}' % path
        template = self.engine.from_string(tag_source)
        return template.render(Context({}))

    def test_allowed_paths(self):
        """A ``..`` that resolves back inside the allowed root is still permitted."""
        inside_root = os.path.join(self.ssi_dir, "..", "first", "test.html")
        self.assertEqual(self.render_ssi(inside_root), 'First template\n')

    def test_relative_include_exploit(self):
        """
        Relative path components must not bypass ``allowed_include_roots``.

        With allowed_include_roots = ("/var/www",), for example,
        {% ssi "/var/www/../../etc/passwd" %} must not be honoured.
        """
        outside_root = (
            os.path.join(self.ssi_dir, "..", "ssi_include.html"),
            os.path.join(self.ssi_dir, "..", "second", "test.html"),
        )
        for candidate in outside_root:
            self.assertEqual(self.render_ssi(candidate), '')