def test_loaders_security(self):
ad_loader = app_directories.Loader(Engine.get_default())
fs_loader = filesystem.Loader(Engine.get_default())
def test_template_sources(path, template_dirs, expected_sources):
if isinstance(expected_sources, list):
# Fix expected sources so they are abspathed
expected_sources = [
os.path.abspath(s) for s in expected_sources
]
# Test the two loaders (app_directores and filesystem).
func1 = lambda p, t: list(ad_loader.get_template_sources(p, t))
func2 = lambda p, t: list(fs_loader.get_template_sources(p, t))
for func in (func1, func2):
if isinstance(expected_sources, list):
self.assertEqual(func(path, template_dirs),
expected_sources)
else:
self.assertRaises(expected_sources, func, path,
template_dirs)
template_dirs = ['/dir1', '/dir2']
test_template_sources('index.html', template_dirs,
['/dir1/index.html', '/dir2/index.html'])
test_template_sources('/etc/passwd', template_dirs, [])
test_template_sources('etc/passwd', template_dirs,
['/dir1/etc/passwd', '/dir2/etc/passwd'])
test_template_sources('../etc/passwd', template_dirs, [])
test_template_sources('../../../etc/passwd', template_dirs, [])
test_template_sources('/dir1/index.html', template_dirs,
['/dir1/index.html'])
test_template_sources('../dir2/index.html', template_dirs,
['/dir2/index.html'])
test_template_sources('/dir1blah', template_dirs, [])
test_template_sources('../dir1blah', template_dirs, [])
# UTF-8 bytestrings are permitted.
test_template_sources(b'\xc3\x85ngstr\xc3\xb6m', template_dirs,
['/dir1/Ångström', '/dir2/Ångström'])
# Unicode strings are permitted.
test_template_sources('Ångström', template_dirs,
['/dir1/Ångström', '/dir2/Ångström'])
test_template_sources('Ångström', [b'/Stra\xc3\x9fe'],
['/Straße/Ångström'])
test_template_sources(b'\xc3\x85ngstr\xc3\xb6m', [b'/Stra\xc3\x9fe'],
['/Straße/Ångström'])
# Invalid UTF-8 encoding in bytestrings is not. Should raise a
# semi-useful error message.
test_template_sources(b'\xc3\xc3', template_dirs, UnicodeDecodeError)
# Case insensitive tests (for win32). Not run unless we're on
# a case insensitive operating system.
if os.path.normcase('/TEST') == os.path.normpath('/test'):
template_dirs = ['/dir1', '/DIR2']
test_template_sources('index.html', template_dirs,
['/dir1/index.html', '/DIR2/index.html'])
test_template_sources('/DIR1/index.HTML', template_dirs,
['/DIR1/index.HTML'])
def test_load_template(self):
app_namespace_loader = Loader(Engine())
app_directory_loader = app_directories.Loader(Engine())
template_directory = app_directory_loader.load_template(
'admin/base.html')[0]
template_namespace = app_namespace_loader.load_template(
'admin:admin/base.html')[0]
context = Context({})
self.assertEquals(template_directory.render(context),
template_namespace.render(context))
def test_load_template_source_empty_namespace(self):
app_namespace_loader = Loader(Engine())
app_directory_loader = app_directories.Loader(Engine())
template_directory = app_directory_loader.load_template_source(
'admin/base.html')
template_namespace = app_namespace_loader.load_template_source(
':admin/base.html')
self.assertEquals(template_directory[0], template_namespace[0])
self.assertTrue(
'app_namespace:django.contrib.admin:' in template_namespace[1])
self.assertTrue('admin/base.html' in template_namespace[1])
self.assertRaises(TemplateDoesNotExist,
app_namespace_loader.load_template_source,
':template')
def test_load_template_source(self):
app_namespace_loader = Loader()
app_directory_loader = app_directories.Loader()
template_directory = app_directory_loader.load_template_source(
'admin/base.html')
template_namespace = app_namespace_loader.load_template_source(
'admin:admin/base.html')
self.assertEquals(template_directory[0], template_namespace[0])
self.assertTrue('app_namespace:admin:' in template_namespace[1])
self.assertTrue('admin/base.html' in template_namespace[1])
self.assertRaises(TemplateDoesNotExist,
app_namespace_loader.load_template_source,
'no-namespace-template')
self.assertRaises(TemplateDoesNotExist,
app_namespace_loader.load_template_source,
'no.app.namespace:template')
def test_load_template(self):
libraries = {
'i18n': 'django.templatetags.i18n',
'static': 'django.templatetags.static',
'admin_static': 'django.contrib.admin.templatetags.admin_static'}
def build_engine():
try:
return Engine(libraries=libraries)
except TypeError:
return Engine()
app_namespace_loader = Loader(build_engine())
app_directory_loader = app_directories.Loader(build_engine())
template_directory = app_directory_loader.load_template(
'admin/base.html')[0]
template_namespace = app_namespace_loader.load_template(
'admin:admin/base.html')[0]
context = Context({})
self.assertEquals(template_directory.render(context),
template_namespace.render(context))
def check_xss_vulnerabilities(self, xss_warnings_are_silenced,
suppression_path, rule_path):
engine_obj = engine_loader._engine_list()[0]
template_loader = template_dir_loader.Loader(engine_obj)
template_directories = template_loader.get_dirs()
user_template_directory = template_directories[0]
template_paths = glob.glob(
os.path.join(user_template_directory, "*.html"))
xssdetector = XSSDetector(template_paths, suppression_path, rule_path)
xssdetector.check()
num_errors = xssdetector.get_num_errors()
messages = xssdetector.get_error_messages()
if num_errors > 0:
if not xss_warnings_are_silenced:
self.stdout.write(
str(num_errors) +
" potential XSS vulnerabilities were found:\n")
self.stdout.write(messages)
else:
self.stdout.write(
"Potential XSS vulnerabilities were found (%s silenced).\n"
% str(num_errors))
else:
self.stdout.write("No XSS threats detected (0 silenced).")
