[1.8.x] Moved ssi tests into syntax_tests/test_ssi.py.
Backport of 441a47e1ef
from master
parent
210bf24ddb
commit
cdb73ec8cd
|
@ -2,6 +2,7 @@ from __future__ import unicode_literals
|
||||||
|
|
||||||
import os
|
import os
|
||||||
|
|
||||||
|
from django.template import Context, Engine
|
||||||
from django.test import SimpleTestCase, ignore_warnings
|
from django.test import SimpleTestCase, ignore_warnings
|
||||||
from django.utils.deprecation import (
|
from django.utils.deprecation import (
|
||||||
RemovedInDjango19Warning, RemovedInDjango20Warning,
|
RemovedInDjango19Warning, RemovedInDjango20Warning,
|
||||||
|
@ -82,3 +83,34 @@ class SsiTagTests(SimpleTestCase):
|
||||||
output = self.engine.render_to_string('ssi09', {'test': 'Look ma! It parsed!'})
|
output = self.engine.render_to_string('ssi09', {'test': 'Look ma! It parsed!'})
|
||||||
self.assertEqual(output, 'This is for testing an ssi include '
|
self.assertEqual(output, 'This is for testing an ssi include '
|
||||||
'with spaces in its name. Look ma! It parsed!\n')
|
'with spaces in its name. Look ma! It parsed!\n')
|
||||||
|
|
||||||
|
|
||||||
|
@ignore_warnings(category=RemovedInDjango20Warning)
|
||||||
|
class SSISecurityTests(SimpleTestCase):
|
||||||
|
|
||||||
|
def setUp(self):
|
||||||
|
self.ssi_dir = os.path.join(ROOT, "templates", "first")
|
||||||
|
self.engine = Engine(allowed_include_roots=(self.ssi_dir,))
|
||||||
|
|
||||||
|
def render_ssi(self, path):
|
||||||
|
# the path must exist for the test to be reliable
|
||||||
|
self.assertTrue(os.path.exists(path))
|
||||||
|
return self.engine.from_string('{%% ssi "%s" %%}' % path).render(Context({}))
|
||||||
|
|
||||||
|
def test_allowed_paths(self):
|
||||||
|
acceptable_path = os.path.join(self.ssi_dir, "..", "first", "test.html")
|
||||||
|
self.assertEqual(self.render_ssi(acceptable_path), 'First template\n')
|
||||||
|
|
||||||
|
def test_relative_include_exploit(self):
|
||||||
|
"""
|
||||||
|
May not bypass allowed_include_roots with relative paths
|
||||||
|
|
||||||
|
e.g. if allowed_include_roots = ("/var/www",), it should not be
|
||||||
|
possible to do {% ssi "/var/www/../../etc/passwd" %}
|
||||||
|
"""
|
||||||
|
disallowed_paths = [
|
||||||
|
os.path.join(self.ssi_dir, "..", "ssi_include.html"),
|
||||||
|
os.path.join(self.ssi_dir, "..", "second", "test.html"),
|
||||||
|
]
|
||||||
|
for disallowed_path in disallowed_paths:
|
||||||
|
self.assertEqual(self.render_ssi(disallowed_path), '')
|
||||||
|
|
|
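Review bot: The loop that closes test_relative_include_exploit asserts without a message, so a failure does not say which of the two traversal paths was rendered. Passing the path as the message fixes that: `self.assertEqual(self.render_ssi(disallowed_path), '', disallowed_path)`. Both entries in disallowed_paths escape the root through a `..` component, so the class pins only that form of bypass of allowed_include_roots. A path that merely shares the root's string prefix (a sibling directory whose name begins with `first`) is not exercised, and covering it would need a fixture that is not visible in this section. A one-line class docstring such as `"""The ssi tag must render nothing for files outside allowed_include_roots."""` would record the security intent now that the class sits among the syntax tests.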
@ -12,13 +12,9 @@ from django.template import (
|
||||||
Context, RequestContext, Template, TemplateSyntaxError,
|
Context, RequestContext, Template, TemplateSyntaxError,
|
||||||
base as template_base, engines, loader,
|
base as template_base, engines, loader,
|
||||||
)
|
)
|
||||||
from django.template.engine import Engine
|
|
||||||
from django.test import RequestFactory, SimpleTestCase
|
from django.test import RequestFactory, SimpleTestCase
|
||||||
from django.test.utils import (
|
from django.test.utils import extend_sys_path, override_settings
|
||||||
extend_sys_path, ignore_warnings, override_settings,
|
|
||||||
)
|
|
||||||
from django.utils._os import upath
|
from django.utils._os import upath
|
||||||
from django.utils.deprecation import RemovedInDjango20Warning
|
|
||||||
|
|
||||||
TEMPLATES_DIR = os.path.join(os.path.dirname(upath(__file__)), 'templates')
|
TEMPLATES_DIR = os.path.join(os.path.dirname(upath(__file__)), 'templates')
|
||||||
|
|
||||||
|
@ -416,34 +412,3 @@ class RequestContextTests(unittest.TestCase):
|
||||||
self.assertEqual(
|
self.assertEqual(
|
||||||
RequestContext(request, dict_=test_data),
|
RequestContext(request, dict_=test_data),
|
||||||
RequestContext(request, dict_=test_data))
|
RequestContext(request, dict_=test_data))
|
||||||
|
|
||||||
|
|
||||||
@ignore_warnings(category=RemovedInDjango20Warning)
|
|
||||||
class SSITests(SimpleTestCase):
|
|
||||||
def setUp(self):
|
|
||||||
self.this_dir = os.path.dirname(os.path.abspath(upath(__file__)))
|
|
||||||
self.ssi_dir = os.path.join(self.this_dir, "templates", "first")
|
|
||||||
self.engine = Engine(allowed_include_roots=(self.ssi_dir,))
|
|
||||||
|
|
||||||
def render_ssi(self, path):
|
|
||||||
# the path must exist for the test to be reliable
|
|
||||||
self.assertTrue(os.path.exists(path))
|
|
||||||
return self.engine.from_string('{%% ssi "%s" %%}' % path).render(Context({}))
|
|
||||||
|
|
||||||
def test_allowed_paths(self):
|
|
||||||
acceptable_path = os.path.join(self.ssi_dir, "..", "first", "test.html")
|
|
||||||
self.assertEqual(self.render_ssi(acceptable_path), 'First template\n')
|
|
||||||
|
|
||||||
def test_relative_include_exploit(self):
|
|
||||||
"""
|
|
||||||
May not bypass allowed_include_roots with relative paths
|
|
||||||
|
|
||||||
e.g. if allowed_include_roots = ("/var/www",), it should not be
|
|
||||||
possible to do {% ssi "/var/www/../../etc/passwd" %}
|
|
||||||
"""
|
|
||||||
disallowed_paths = [
|
|
||||||
os.path.join(self.ssi_dir, "..", "ssi_include.html"),
|
|
||||||
os.path.join(self.ssi_dir, "..", "second", "test.html"),
|
|
||||||
]
|
|
||||||
for disallowed_path in disallowed_paths:
|
|
||||||
self.assertEqual(self.render_ssi(disallowed_path), '')
|
|
||||||
|
|