Home Explore Help
Sign In
bux
/
muzich
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
743 Commits
1 Branches
Tree: 13a40ad5a2
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '13a40ad5a2'
${ noResults }
muzich/vendor/twig/test/Twig/Tests/Extension/SandboxTest.php

SandboxTest.php 8.8KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210 
  1. <?php

  2. 

  3. /*

  4.  * This file is part of Twig.

  5.  *

  6.  * (c) Fabien Potencier

  7.  *

  8.  * For the full copyright and license information, please view the LICENSE

  9.  * file that was distributed with this source code.

  10.  */

  11. 

  12. class Twig_Tests_Extension_SandboxTest extends PHPUnit_Framework_TestCase

  13. {

  14.     static protected $params, $templates;

  15. 

  16.     public function setUp()

  17.     {

  18.         self::$params = array(

  19.             'name' => 'Fabien',

  20.             'obj'  => new FooObject(),

  21.             'arr'  => array('obj' => new FooObject()),

  22.         );

  23. 

  24.         self::$templates = array(

  25.             '1_basic1' => '{{ obj.foo }}',

  26.             '1_basic2' => '{{ name|upper }}',

  27.             '1_basic3' => '{% if name %}foo{% endif %}',

  28.             '1_basic4' => '{{ obj.bar }}',

  29.             '1_basic5' => '{{ obj }}',

  30.             '1_basic6' => '{{ arr.obj }}',

  31.             '1_basic7' => '{{ cycle(["foo","bar"], 1) }}',

  32.             '1_basic8' => '{{ obj.getfoobar }}{{ obj.getFooBar }}',

  33.             '1_basic'  => '{% if obj.foo %}{{ obj.foo|upper }}{% endif %}',

  34.             '1_layout' => '{% block content %}{% endblock %}',

  35.             '1_child'  => '{% extends "1_layout" %}{% block content %}{{ "a"|json_encode }}{% endblock %}',

  36.         );

  37.     }

  38. 

  39.     /**

  40.      * @expectedException        Twig_Sandbox_SecurityError

  41.      * @expectedExceptionMessage Filter "json_encode" is not allowed in "1_child".

  42.      */

  43.     public function testSandboxWithInheritance()

  44.     {

  45.         $twig = $this->getEnvironment(true, array(), self::$templates, array('block'));

  46.         $twig->loadTemplate('1_child')->render(array());

  47.     }

  48. 

  49.     public function testSandboxGloballySet()

  50.     {

  51.         $twig = $this->getEnvironment(false, array(), self::$templates);

  52.         $this->assertEquals('FOO', $twig->loadTemplate('1_basic')->render(self::$params), 'Sandbox does nothing if it is disabled globally');

  53. 

  54.         $twig = $this->getEnvironment(true, array(), self::$templates);

  55.         try {

  56.             $twig->loadTemplate('1_basic1')->render(self::$params);

  57.             $this->fail('Sandbox throws a SecurityError exception if an unallowed method is called');

  58.         } catch (Twig_Sandbox_SecurityError $e) {

  59.         }

  60. 

  61.         $twig = $this->getEnvironment(true, array(), self::$templates);

  62.         try {

  63.             $twig->loadTemplate('1_basic2')->render(self::$params);

  64.             $this->fail('Sandbox throws a SecurityError exception if an unallowed filter is called');

  65.         } catch (Twig_Sandbox_SecurityError $e) {

  66.         }

  67. 

  68.         $twig = $this->getEnvironment(true, array(), self::$templates);

  69.         try {

  70.             $twig->loadTemplate('1_basic3')->render(self::$params);

  71.             $this->fail('Sandbox throws a SecurityError exception if an unallowed tag is used in the template');

  72.         } catch (Twig_Sandbox_SecurityError $e) {

  73.         }

  74. 

  75.         $twig = $this->getEnvironment(true, array(), self::$templates);

  76.         try {

  77.             $twig->loadTemplate('1_basic4')->render(self::$params);

  78.             $this->fail('Sandbox throws a SecurityError exception if an unallowed property is called in the template');

  79.         } catch (Twig_Sandbox_SecurityError $e) {

  80.         }

  81. 

  82.         $twig = $this->getEnvironment(true, array(), self::$templates);

  83.         try {

  84.             $twig->loadTemplate('1_basic5')->render(self::$params);

  85.             $this->fail('Sandbox throws a SecurityError exception if an unallowed method (__toString()) is called in the template');

  86.         } catch (Twig_Sandbox_SecurityError $e) {

  87.         }

  88. 

  89.         $twig = $this->getEnvironment(true, array(), self::$templates);

  90.         try {

  91.             $twig->loadTemplate('1_basic6')->render(self::$params);

  92.             $this->fail('Sandbox throws a SecurityError exception if an unallowed method (__toString()) is called in the template');

  93.         } catch (Twig_Sandbox_SecurityError $e) {

  94.         }

  95. 

  96.         $twig = $this->getEnvironment(true, array(), self::$templates);

  97.         try {

  98.             $twig->loadTemplate('1_basic7')->render(self::$params);

  99.             $this->fail('Sandbox throws a SecurityError exception if an unallowed function is called in the template');

  100.         } catch (Twig_Sandbox_SecurityError $e) {

  101.         }

  102. 

  103.         $twig = $this->getEnvironment(true, array(), self::$templates, array(), array(), array('FooObject' => 'foo'));

  104.         FooObject::reset();

  105.         $this->assertEquals('foo', $twig->loadTemplate('1_basic1')->render(self::$params), 'Sandbox allow some methods');

  106.         $this->assertEquals(1, FooObject::$called['foo'], 'Sandbox only calls method once');

  107. 

  108.         $twig = $this->getEnvironment(true, array(), self::$templates, array(), array(), array('FooObject' => '__toString'));

  109.         FooObject::reset();

  110.         $this->assertEquals('foo', $twig->loadTemplate('1_basic5')->render(self::$params), 'Sandbox allow some methods');

  111.         $this->assertEquals(1, FooObject::$called['__toString'], 'Sandbox only calls method once');

  112. 

  113.         $twig = $this->getEnvironment(true, array(), self::$templates, array(), array('upper'));

  114.         $this->assertEquals('FABIEN', $twig->loadTemplate('1_basic2')->render(self::$params), 'Sandbox allow some filters');

  115. 

  116.         $twig = $this->getEnvironment(true, array(), self::$templates, array('if'));

  117.         $this->assertEquals('foo', $twig->loadTemplate('1_basic3')->render(self::$params), 'Sandbox allow some tags');

  118. 

  119.         $twig = $this->getEnvironment(true, array(), self::$templates, array(), array(), array(), array('FooObject' => 'bar'));

  120.         $this->assertEquals('bar', $twig->loadTemplate('1_basic4')->render(self::$params), 'Sandbox allow some properties');

  121. 

  122.         $twig = $this->getEnvironment(true, array(), self::$templates, array(), array(), array(), array(), array('cycle'));

  123.         $this->assertEquals('bar', $twig->loadTemplate('1_basic7')->render(self::$params), 'Sandbox allow some functions');

  124. 

  125.         foreach (array('getfoobar', 'getFoobar', 'getFooBar') as $name) {

  126.             $twig = $this->getEnvironment(true, array(), self::$templates, array(), array(), array('FooObject' => $name));

  127.             FooObject::reset();

  128.             $this->assertEquals('foobarfoobar', $twig->loadTemplate('1_basic8')->render(self::$params), 'Sandbox allow methods in a case-insensitive way');

  129.             $this->assertEquals(2, FooObject::$called['getFooBar'], 'Sandbox only calls method once');

  130.         }

  131.     }

  132. 

  133.     public function testSandboxLocallySetForAnInclude()

  134.     {

  135.         self::$templates = array(

  136.             '2_basic'    => '{{ obj.foo }}{% include "2_included" %}{{ obj.foo }}',

  137.             '2_included' => '{% if obj.foo %}{{ obj.foo|upper }}{% endif %}',

  138.         );

  139. 

  140.         $twig = $this->getEnvironment(false, array(), self::$templates);

  141.         $this->assertEquals('fooFOOfoo', $twig->loadTemplate('2_basic')->render(self::$params), 'Sandbox does nothing if disabled globally and sandboxed not used for the include');

  142. 

  143.         self::$templates = array(

  144.             '3_basic'    => '{{ obj.foo }}{% sandbox %}{% include "3_included" %}{% endsandbox %}{{ obj.foo }}',

  145.             '3_included' => '{% if obj.foo %}{{ obj.foo|upper }}{% endif %}',

  146.         );

  147. 

  148.         $twig = $this->getEnvironment(true, array(), self::$templates);

  149.         try {

  150.             $twig->loadTemplate('3_basic')->render(self::$params);

  151.             $this->fail('Sandbox throws a SecurityError exception when the included file is sandboxed');

  152.         } catch (Twig_Sandbox_SecurityError $e) {

  153.         }

  154.     }

  155. 

  156.     public function testMacrosInASandbox()

  157.     {

  158.         $twig = $this->getEnvironment(true, array('autoescape' => true), array('index' => <<<EOF

  159. {% macro test(text) %}<p>{{ text }}</p>{% endmacro %}

  160. {{ _self.test('username') }}

  161. EOF

  162.         ), array('macro'), array('escape'));

  163. 

  164.         $this->assertEquals('<p>username</p>', $twig->loadTemplate('index')->render(array()));

  165.     }

  166. 

  167.     protected function getEnvironment($sandboxed, $options, $templates, $tags = array(), $filters = array(), $methods = array(), $properties = array(), $functions = array())

  168.     {

  169.         $loader = new Twig_Loader_Array($templates);

  170.         $twig = new Twig_Environment($loader, array_merge(array('debug' => true, 'cache' => false, 'autoescape' => false), $options));

  171.         $policy = new Twig_Sandbox_SecurityPolicy($tags, $filters, $methods, $properties, $functions);

  172.         $twig->addExtension(new Twig_Extension_Sandbox($policy, $sandboxed));

  173. 

  174.         return $twig;

  175.     }

  176. }

  177. 

  178. class FooObject

  179. {

  180.     static public $called = array('__toString' => 0, 'foo' => 0, 'getFooBar' => 0);

  181. 

  182.     public $bar = 'bar';

  183. 

  184.     static public function reset()

  185.     {

  186.         self::$called = array('__toString' => 0, 'foo' => 0, 'getFooBar' => 0);

  187.     }

  188. 

  189.     public function __toString()

  190.     {

  191.         ++self::$called['__toString'];

  192. 

  193.         return 'foo';

  194.     }

  195. 

  196.     public function foo()

  197.     {

  198.         ++self::$called['foo'];

  199. 

  200.         return 'foo';

  201.     }

  202. 

  203.     public function getFooBar()

  204.     {

  205.         ++self::$called['getFooBar'];

  206. 

  207.         return 'foobar';

  208.     }

  209. }