def test_loaders_security(self): ad_loader = app_directories.Loader(Engine.get_default()) fs_loader = filesystem.Loader(Engine.get_default()) def test_template_sources(path, template_dirs, expected_sources): if isinstance(expected_sources, list): # Fix expected sources so they are abspathed expected_sources = [ os.path.abspath(s) for s in expected_sources ] # Test the two loaders (app_directores and filesystem). func1 = lambda p, t: list(ad_loader.get_template_sources(p, t)) func2 = lambda p, t: list(fs_loader.get_template_sources(p, t)) for func in (func1, func2): if isinstance(expected_sources, list): self.assertEqual(func(path, template_dirs), expected_sources) else: self.assertRaises(expected_sources, func, path, template_dirs) template_dirs = ['/dir1', '/dir2'] test_template_sources('index.html', template_dirs, ['/dir1/index.html', '/dir2/index.html']) test_template_sources('/etc/passwd', template_dirs, []) test_template_sources('etc/passwd', template_dirs, ['/dir1/etc/passwd', '/dir2/etc/passwd']) test_template_sources('../etc/passwd', template_dirs, []) test_template_sources('../../../etc/passwd', template_dirs, []) test_template_sources('/dir1/index.html', template_dirs, ['/dir1/index.html']) test_template_sources('../dir2/index.html', template_dirs, ['/dir2/index.html']) test_template_sources('/dir1blah', template_dirs, []) test_template_sources('../dir1blah', template_dirs, []) # UTF-8 bytestrings are permitted. test_template_sources(b'\xc3\x85ngstr\xc3\xb6m', template_dirs, ['/dir1/Ångström', '/dir2/Ångström']) # Unicode strings are permitted. test_template_sources('Ångström', template_dirs, ['/dir1/Ångström', '/dir2/Ångström']) test_template_sources('Ångström', [b'/Stra\xc3\x9fe'], ['/Straße/Ångström']) test_template_sources(b'\xc3\x85ngstr\xc3\xb6m', [b'/Stra\xc3\x9fe'], ['/Straße/Ångström']) # Invalid UTF-8 encoding in bytestrings is not. Should raise a # semi-useful error message. test_template_sources(b'\xc3\xc3', template_dirs, UnicodeDecodeError) # Case insensitive tests (for win32). Not run unless we're on # a case insensitive operating system. if os.path.normcase('/TEST') == os.path.normpath('/test'): template_dirs = ['/dir1', '/DIR2'] test_template_sources('index.html', template_dirs, ['/dir1/index.html', '/DIR2/index.html']) test_template_sources('/DIR1/index.HTML', template_dirs, ['/DIR1/index.HTML'])
def test_load_template(self): app_namespace_loader = Loader(Engine()) app_directory_loader = app_directories.Loader(Engine()) template_directory = app_directory_loader.load_template( 'admin/base.html')[0] template_namespace = app_namespace_loader.load_template( 'admin:admin/base.html')[0] context = Context({}) self.assertEquals(template_directory.render(context), template_namespace.render(context))
def test_load_template_source_empty_namespace(self): app_namespace_loader = Loader(Engine()) app_directory_loader = app_directories.Loader(Engine()) template_directory = app_directory_loader.load_template_source( 'admin/base.html') template_namespace = app_namespace_loader.load_template_source( ':admin/base.html') self.assertEquals(template_directory[0], template_namespace[0]) self.assertTrue( 'app_namespace:django.contrib.admin:' in template_namespace[1]) self.assertTrue('admin/base.html' in template_namespace[1]) self.assertRaises(TemplateDoesNotExist, app_namespace_loader.load_template_source, ':template')
def test_load_template_source(self): app_namespace_loader = Loader() app_directory_loader = app_directories.Loader() template_directory = app_directory_loader.load_template_source( 'admin/base.html') template_namespace = app_namespace_loader.load_template_source( 'admin:admin/base.html') self.assertEquals(template_directory[0], template_namespace[0]) self.assertTrue('app_namespace:admin:' in template_namespace[1]) self.assertTrue('admin/base.html' in template_namespace[1]) self.assertRaises(TemplateDoesNotExist, app_namespace_loader.load_template_source, 'no-namespace-template') self.assertRaises(TemplateDoesNotExist, app_namespace_loader.load_template_source, 'no.app.namespace:template')
def test_load_template(self): libraries = { 'i18n': 'django.templatetags.i18n', 'static': 'django.templatetags.static', 'admin_static': 'django.contrib.admin.templatetags.admin_static'} def build_engine(): try: return Engine(libraries=libraries) except TypeError: return Engine() app_namespace_loader = Loader(build_engine()) app_directory_loader = app_directories.Loader(build_engine()) template_directory = app_directory_loader.load_template( 'admin/base.html')[0] template_namespace = app_namespace_loader.load_template( 'admin:admin/base.html')[0] context = Context({}) self.assertEquals(template_directory.render(context), template_namespace.render(context))
def check_xss_vulnerabilities(self, xss_warnings_are_silenced, suppression_path, rule_path): engine_obj = engine_loader._engine_list()[0] template_loader = template_dir_loader.Loader(engine_obj) template_directories = template_loader.get_dirs() user_template_directory = template_directories[0] template_paths = glob.glob( os.path.join(user_template_directory, "*.html")) xssdetector = XSSDetector(template_paths, suppression_path, rule_path) xssdetector.check() num_errors = xssdetector.get_num_errors() messages = xssdetector.get_error_messages() if num_errors > 0: if not xss_warnings_are_silenced: self.stdout.write( str(num_errors) + " potential XSS vulnerabilities were found:\n") self.stdout.write(messages) else: self.stdout.write( "Potential XSS vulnerabilities were found (%s silenced).\n" % str(num_errors)) else: self.stdout.write("No XSS threats detected (0 silenced).")