"Fossies" - the Fresh Open Source Software Archive

Member "Zope-5.2.1/src/Zope2/App/tests/test_safe_formatter.py" (8 Jun 2021, 11527 Bytes) of package /linux/www/Zope-5.2.1.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) Python source code syntax highlighting (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "test_safe_formatter.py": 5.2_vs_5.2.1.

    1 """This module contains integration tests for AccessControl.safe_formatter."""
    2 
    3 from Testing.ZopeTestCase import FunctionalTestCase
    4 from zExceptions import Unauthorized
    5 
    6 
    7 BAD_ATTR_STR = """
    8 <p tal:content="python:'class of {0} is {0.__class__}'.format(context)" />
    9 """
   10 BAD_ATTR_UNICODE = """
   11 <p tal:content="python:u'class of {0} is {0.__class__}'.format(context)" />
   12 """
   13 BAD_KEY_STR = """
   14 <p tal:content="python:'access by key: {0[test_folder_1_]}'.format(context)" />
   15 """
   16 BAD_KEY_UNICODE = """
   17 <p tal:content="python:u'access by key:
   18 {0[test_folder_1_]}'.format(context)" />
   19 """
   20 BAD_ITEM_STR = """
   21 <p tal:content="python:'access by item: {0[0]}'.format(context)" />
   22 """
   23 BAD_ITEM_UNICODE = """
   24 <p tal:content="python:u'access by item: {0[0]}'.format(context)" />
   25 """
   26 GOOD_STR = '<p tal:content="python:(\'%s\' % context).lower()" />'
   27 GOOD_UNICODE = '<p tal:content="python:(\'%s\' % context).lower()" />'
   28 # Attribute access is not completely forbidden, it is simply checked.
   29 GOOD_FORMAT_ATTR_STR = """
   30 <p tal:content="python:'title of {0} is {0.title}'.format(context)" />
   31 """
   32 GOOD_FORMAT_ATTR_UNICODE = """
   33 <p tal:content="python:u'title of {0} is {0.title}'.format(context)" />
   34 """
   35 
   36 
   37 def noop(context=None):
   38     return lambda: context
   39 
   40 
   41 def hack_pt(pt, context=None):
   42     # hacks to avoid getting error in pt_render.
   43     pt.getPhysicalRoot = noop()
   44     pt._getContext = noop(context)
   45     pt._getContainer = noop(context)
   46     pt.context = context
   47 
   48 
   49 class UnauthorizedSecurityPolicy:
   50     """Policy which denies every access."""
   51 
   52     def validate(self, *args, **kw):
   53         from AccessControl.unauthorized import Unauthorized
   54         raise Unauthorized('Nothing is allowed!')
   55 
   56 
   57 class FormatterFunctionalTest(FunctionalTestCase):
   58 
   59     maxDiff = None
   60 
   61     def test_cook_zope2_page_templates_bad_attr_str(self):
   62         from Products.PageTemplates.ZopePageTemplate import ZopePageTemplate
   63         pt = ZopePageTemplate('mytemplate', BAD_ATTR_STR)
   64         hack_pt(pt)
   65         with self.assertRaises(Unauthorized) as err:
   66             pt.pt_render()
   67         self.assertEqual(
   68             "You are not allowed to access '__class__' in this context",
   69             str(err.exception))
   70         hack_pt(pt, context=self.app)
   71         with self.assertRaises(Unauthorized) as err:
   72             pt.pt_render()
   73         self.assertEqual(
   74             "You are not allowed to access '__class__' in this context",
   75             str(err.exception))
   76 
   77     def test_cook_zope2_page_templates_bad_attr_unicode(self):
   78         from Products.PageTemplates.ZopePageTemplate import ZopePageTemplate
   79         pt = ZopePageTemplate('mytemplate', BAD_ATTR_UNICODE)
   80         hack_pt(pt)
   81         with self.assertRaises(Unauthorized) as err:
   82             pt.pt_render()
   83         self.assertEqual(
   84             "You are not allowed to access '__class__' in this context",
   85             str(err.exception))
   86         hack_pt(pt, context=self.app)
   87         with self.assertRaises(Unauthorized) as err:
   88             pt.pt_render()
   89         self.assertEqual(
   90             "You are not allowed to access '__class__' in this context",
   91             str(err.exception))
   92 
   93     def test_cook_zope2_page_templates_good_str(self):
   94         from Products.PageTemplates.ZopePageTemplate import ZopePageTemplate
   95         pt = ZopePageTemplate('mytemplate', GOOD_STR)
   96         hack_pt(pt)
   97         self.assertEqual(pt.pt_render().strip(), '<p>none</p>')
   98         hack_pt(pt, context=self.app)
   99         self.assertEqual(
  100             pt.pt_render().strip(), '<p>&lt;application at &gt;</p>')
  101 
  102     def test_cook_zope2_page_templates_good_unicode(self):
  103         from Products.PageTemplates.ZopePageTemplate import ZopePageTemplate
  104         pt = ZopePageTemplate('mytemplate', GOOD_UNICODE)
  105         hack_pt(pt)
  106         self.assertEqual(pt.pt_render().strip(), '<p>none</p>')
  107         hack_pt(pt, self.app)
  108         self.assertEqual(
  109             pt.pt_render().strip(), '<p>&lt;application at &gt;</p>')
  110 
  111     def test_cook_zope2_page_templates_good_format_attr_str(self):
  112         from Products.PageTemplates.ZopePageTemplate import ZopePageTemplate
  113         pt = ZopePageTemplate('mytemplate', GOOD_FORMAT_ATTR_STR)
  114         hack_pt(pt, self.app)
  115         self.assertEqual(
  116             pt.pt_render().strip(),
  117             '<p>title of &lt;Application at &gt; is Zope</p>')
  118 
  119     def test_cook_zope2_page_templates_good_format_attr_unicode(self):
  120         from Products.PageTemplates.ZopePageTemplate import ZopePageTemplate
  121         pt = ZopePageTemplate('mytemplate', GOOD_FORMAT_ATTR_UNICODE)
  122         hack_pt(pt, self.app)
  123         self.assertEqual(
  124             pt.pt_render().strip(),
  125             '<p>title of &lt;Application at &gt; is Zope</p>')
  126 
  127     def test_access_to_private_content_not_allowed_via_any_attribute(self):
  128         from Products.PageTemplates.ZopePageTemplate import ZopePageTemplate
  129 
  130         # If access to _delObject would be allowed, it would still only say
  131         # something like 'bound method _delObject', without actually deleting
  132         # anything, because methods are not executed in str.format, but there
  133         # may be @properties that give an attacker secret info.
  134         pt = ZopePageTemplate(
  135             'mytemplate',
  136             """<p tal:content="python:'{0._delObject}'.format(context)" />""")
  137         hack_pt(pt, context=self.app)
  138         with self.assertRaises(Unauthorized) as err:
  139             pt.pt_render()
  140         self.assertEqual(
  141             "You are not allowed to access '_delObject' in this context",
  142             str(err.exception))
  143 
  144     def assert_is_checked_via_security_manager(self, pt_content):
  145         from AccessControl.SecurityManagement import getSecurityManager
  146         from AccessControl.SecurityManagement import noSecurityManager
  147         from AccessControl.SecurityManager import setSecurityPolicy
  148         from Products.PageTemplates.ZopePageTemplate import ZopePageTemplate
  149 
  150         pt = ZopePageTemplate('mytemplate', pt_content)
  151         noSecurityManager()
  152         old_security_policy = setSecurityPolicy(UnauthorizedSecurityPolicy())
  153         getSecurityManager()
  154         try:
  155             hack_pt(pt, context=self.app)
  156             with self.assertRaises(Unauthorized) as err:
  157                 pt.pt_render()
  158             self.assertEqual("Nothing is allowed!", str(err.exception))
  159         finally:
  160             setSecurityPolicy(old_security_policy)
  161 
  162     def test_getattr_access_is_checked_via_security_manager(self):
  163         self.assert_is_checked_via_security_manager(
  164             """<p tal:content="python:'{0.acl_users}'.format(context)" />""")
  165 
  166     def test_getitem_access_is_checked_via_security_manager(self):
  167         self.assert_is_checked_via_security_manager(
  168             """<p tal:content="python:'{c[acl_users]}'.format(c=context)" />"""
  169         )
  170 
  171     # Zope 3 templates are always file system templates.  So we actually have
  172     # no problems allowing str.format there.
  173 
  174     def test_cook_zope3_page_templates_normal(self):
  175         from Products.Five.browser.pagetemplatefile import ViewPageTemplateFile
  176         pt = ViewPageTemplateFile('normal_zope3_page_template.pt')
  177         hack_pt(pt)
  178         # Need to pass a namespace.
  179         namespace = {'context': self.app}
  180         self.assertEqual(
  181             pt.pt_render(namespace).strip().replace('\r\n', '\n'),
  182             '<p>&lt;application at &gt;</p>\n'
  183             '<p>&lt;APPLICATION AT &gt;</p>')
  184 
  185     def test_cook_zope3_page_templates_using_format(self):
  186         from Products.Five.browser.pagetemplatefile import ViewPageTemplateFile
  187         pt = ViewPageTemplateFile('using_format_zope3_page_template.pt')
  188         hack_pt(pt)
  189         # Need to pass a namespace.
  190         namespace = {'context': self.app}
  191         # Even when one of the accessed items requires a role that we do
  192         # not have, we get no Unauthorized, because this is a filesystem
  193         # template.
  194         self.app.test_folder_1_.__roles__ = ['Manager']
  195         self.assertEqual(
  196             pt.pt_render(namespace).strip().replace('\r\n', '\n'),
  197             "<p>class of &lt;application at &gt; is "
  198             "&lt;class 'ofs.application.application'&gt;</p>\n"
  199             "<p>CLASS OF &lt;APPLICATION AT &gt; IS "
  200             "&lt;CLASS 'OFS.APPLICATION.APPLICATION'&gt;</p>\n"
  201             "<p>{'foo': &lt;Folder at /test_folder_1_&gt;} has "
  202             "foo=&lt;Folder at test_folder_1_&gt;</p>\n"
  203             "<p>{'foo': &lt;Folder at /test_folder_1_&gt;} has "
  204             "foo=&lt;Folder at test_folder_1_&gt;</p>\n"
  205             "<p>[&lt;Folder at /test_folder_1_&gt;] has "
  206             "first item &lt;Folder at test_folder_1_&gt;</p>\n"
  207             "<p>[&lt;Folder at /test_folder_1_&gt;] has "
  208             "first item &lt;Folder at test_folder_1_&gt;</p>"
  209         )
  210 
  211     def test_cook_zope2_page_templates_bad_key_str(self):
  212         from Products.PageTemplates.ZopePageTemplate import ZopePageTemplate
  213         pt = ZopePageTemplate('mytemplate', BAD_KEY_STR)
  214         hack_pt(pt, self.app)
  215         self.assertEqual(
  216             pt.pt_render(),
  217             '<p>access by key: &lt;Folder at test_folder_1_&gt;</p>')
  218         self.app.test_folder_1_.__roles__ = ['Manager']
  219         with self.assertRaises(Unauthorized) as err:
  220             pt.pt_render()
  221         self.assertEqual(
  222             "You are not allowed to access 'test_folder_1_' in this context",
  223             str(err.exception))
  224 
  225     def test_cook_zope2_page_templates_bad_key_unicode(self):
  226         from Products.PageTemplates.ZopePageTemplate import ZopePageTemplate
  227         pt = ZopePageTemplate('mytemplate', BAD_KEY_UNICODE)
  228         hack_pt(pt, self.app)
  229         self.assertEqual(
  230             pt.pt_render(),
  231             '<p>access by key: &lt;Folder at test_folder_1_&gt;</p>')
  232         self.app.test_folder_1_.__roles__ = ['Manager']
  233         with self.assertRaises(Unauthorized) as err:
  234             pt.pt_render()
  235         self.assertEqual(
  236             "You are not allowed to access 'test_folder_1_' in this context",
  237             str(err.exception))
  238 
  239     def test_cook_zope2_page_templates_bad_item_str(self):
  240         from Products.PageTemplates.ZopePageTemplate import ZopePageTemplate
  241         self.app.testlist = [self.app.test_folder_1_]
  242         pt = ZopePageTemplate('mytemplate', BAD_ITEM_STR)
  243         hack_pt(pt, self.app.testlist)
  244         self.assertEqual(
  245             pt.pt_render(),
  246             '<p>access by item: &lt;Folder at test_folder_1_&gt;</p>')
  247         self.app.test_folder_1_.__roles__ = ['Manager']
  248         with self.assertRaises(Unauthorized) as err:
  249             pt.pt_render()
  250         self.assertEqual(
  251             "You are not allowed to access 'test_folder_1_' in this context",
  252             str(err.exception))
  253 
  254     def test_cook_zope2_page_templates_bad_item_unicode(self):
  255         from Products.PageTemplates.ZopePageTemplate import ZopePageTemplate
  256         self.app.testlist = [self.app.test_folder_1_]
  257         pt = ZopePageTemplate('mytemplate', BAD_ITEM_UNICODE)
  258         hack_pt(pt, self.app.testlist)
  259         self.assertEqual(
  260             pt.pt_render(),
  261             '<p>access by item: &lt;Folder at test_folder_1_&gt;</p>')
  262         self.app.test_folder_1_.__roles__ = ['Manager']
  263         with self.assertRaises(Unauthorized) as err:
  264             pt.pt_render()
  265         self.assertEqual(
  266             "You are not allowed to access 'test_folder_1_' in this context",
  267             str(err.exception))
  268 
  269     def test_key_access_is_checked_via_security_manager(self):
  270         self.assert_is_checked_via_security_manager(
  271             """<p tal:content="python:'{c[0]}'.format(c=[context])" />"""
  272         )