def test_unsafe(self):
env = SandboxedEnvironment()
self.assert_raises(SecurityError, env.from_string("{{ foo.foo() }}").render, foo=PrivateStuff())
self.assert_equal(env.from_string("{{ foo.bar() }}").render(foo=PrivateStuff()), "23")
self.assert_raises(SecurityError, env.from_string("{{ foo._foo() }}").render, foo=PublicStuff())
self.assert_equal(env.from_string("{{ foo.bar() }}").render(foo=PublicStuff()), "23")
self.assert_equal(env.from_string("{{ foo.__class__ }}").render(foo=42), "")
self.assert_equal(env.from_string("{{ foo.func_code }}").render(foo=lambda: None), "")
self.assert_raises(SecurityError, env.from_string("{{ foo.__class__.__subclasses__() }}").render, foo=42)
def test_unsafe(self):
env = SandboxedEnvironment()
self.assert_raises(SecurityError,
env.from_string("{{ foo.foo() }}").render,
foo=PrivateStuff())
self.assert_equal(
env.from_string("{{ foo.bar() }}").render(foo=PrivateStuff()),
'23')
self.assert_raises(SecurityError,
env.from_string("{{ foo._foo() }}").render,
foo=PublicStuff())
self.assert_equal(
env.from_string("{{ foo.bar() }}").render(foo=PublicStuff()), '23')
self.assert_equal(
env.from_string("{{ foo.__class__ }}").render(foo=42), '')
self.assert_equal(
env.from_string("{{ foo.func_code }}").render(foo=lambda: None),
'')
self.assert_raises(
SecurityError,
env.from_string("{{ foo.__class__.__subclasses__() }}").render,
foo=42)
def test_attr_filter(self):
env = SandboxedEnvironment()
tmpl = env.from_string('{{ 42|attr("__class__")|attr("__subclasses__")() }}')
self.assert_raises(SecurityError, tmpl.render)
def test_attr_filter(self):
env = SandboxedEnvironment()
tmpl = env.from_string(
'{{ 42|attr("__class__")|attr("__subclasses__")() }}')
self.assert_raises(SecurityError, tmpl.render)
