Domů Procházet Nápověda
Přihlásit se
bux
/
muzich
Sledovat 1
Oblíbit 0
Rozštěpit 0
Zdrojový kód Úkoly 0 Požadavky na natažení 0 Vydání 0 Wiki Activity
22 Revize
1 Větve
Strom: b7791ee38e
Větve Značky
${ item.name }
Create branch ${ searchTerm }
from 'b7791ee38e'
${ noResults }
muzich/vendor/twig/test/Twig/Tests/Extension/SandboxTest.php

SandboxTest.php 8.2KB
Historie Surový

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198 
  1. <?php

  2. 

  3. /*

  4.  * This file is part of Twig.

  5.  *

  6.  * (c) Fabien Potencier

  7.  *

  8.  * For the full copyright and license information, please view the LICENSE

  9.  * file that was distributed with this source code.

  10.  */

  11. 

  12. class Twig_Tests_Extension_SandboxTest extends PHPUnit_Framework_TestCase

  13. {

  14.     static protected $params, $templates;

  15. 

  16.     public function setUp()

  17.     {

  18.         self::$params = array(

  19.             'name' => 'Fabien',

  20.             'obj'  => new Object(),

  21.             'arr'  => array('obj' => new Object()),

  22.         );

  23. 

  24.         self::$templates = array(

  25.             '1_basic1' => '{{ obj.foo }}',

  26.             '1_basic2' => '{{ name|upper }}',

  27.             '1_basic3' => '{% if name %}foo{% endif %}',

  28.             '1_basic4' => '{{ obj.bar }}',

  29.             '1_basic5' => '{{ obj }}',

  30.             '1_basic6' => '{{ arr.obj }}',

  31.             '1_basic7' => '{{ cycle(["foo","bar"], 1) }}',

  32.             '1_basic8' => '{{ obj.getfoobar }}{{ obj.getFooBar }}',

  33.             '1_basic'  => '{% if obj.foo %}{{ obj.foo|upper }}{% endif %}',

  34.         );

  35.     }

  36. 

  37.     public function testSandboxGloballySet()

  38.     {

  39.         $twig = $this->getEnvironment(false, array(), self::$templates);

  40.         $this->assertEquals('FOO', $twig->loadTemplate('1_basic')->render(self::$params), 'Sandbox does nothing if it is disabled globally');

  41. 

  42.         $twig = $this->getEnvironment(true, array(), self::$templates);

  43.         try {

  44.             $twig->loadTemplate('1_basic1')->render(self::$params);

  45.             $this->fail('Sandbox throws a SecurityError exception if an unallowed method is called');

  46.         } catch (Twig_Sandbox_SecurityError $e) {

  47.         }

  48. 

  49.         $twig = $this->getEnvironment(true, array(), self::$templates);

  50.         try {

  51.             $twig->loadTemplate('1_basic2')->render(self::$params);

  52.             $this->fail('Sandbox throws a SecurityError exception if an unallowed filter is called');

  53.         } catch (Twig_Sandbox_SecurityError $e) {

  54.         }

  55. 

  56.         $twig = $this->getEnvironment(true, array(), self::$templates);

  57.         try {

  58.             $twig->loadTemplate('1_basic3')->render(self::$params);

  59.             $this->fail('Sandbox throws a SecurityError exception if an unallowed tag is used in the template');

  60.         } catch (Twig_Sandbox_SecurityError $e) {

  61.         }

  62. 

  63.         $twig = $this->getEnvironment(true, array(), self::$templates);

  64.         try {

  65.             $twig->loadTemplate('1_basic4')->render(self::$params);

  66.             $this->fail('Sandbox throws a SecurityError exception if an unallowed property is called in the template');

  67.         } catch (Twig_Sandbox_SecurityError $e) {

  68.         }

  69. 

  70.         $twig = $this->getEnvironment(true, array(), self::$templates);

  71.         try {

  72.             $twig->loadTemplate('1_basic5')->render(self::$params);

  73.             $this->fail('Sandbox throws a SecurityError exception if an unallowed method (__toString()) is called in the template');

  74.         } catch (Twig_Sandbox_SecurityError $e) {

  75.         }

  76. 

  77.         $twig = $this->getEnvironment(true, array(), self::$templates);

  78.         try {

  79.             $twig->loadTemplate('1_basic6')->render(self::$params);

  80.             $this->fail('Sandbox throws a SecurityError exception if an unallowed method (__toString()) is called in the template');

  81.         } catch (Twig_Sandbox_SecurityError $e) {

  82.         }

  83. 

  84.         $twig = $this->getEnvironment(true, array(), self::$templates);

  85.         try {

  86.             $twig->loadTemplate('1_basic7')->render(self::$params);

  87.             $this->fail('Sandbox throws a SecurityError exception if an unallowed function is called in the template');

  88.         } catch (Twig_Sandbox_SecurityError $e) {

  89.         }

  90. 

  91.         $twig = $this->getEnvironment(true, array(), self::$templates, array(), array(), array('Object' => 'foo'));

  92.         Object::reset();

  93.         $this->assertEquals('foo', $twig->loadTemplate('1_basic1')->render(self::$params), 'Sandbox allow some methods');

  94.         $this->assertEquals(1, Object::$called['foo'], 'Sandbox only calls method once');

  95. 

  96.         $twig = $this->getEnvironment(true, array(), self::$templates, array(), array(), array('Object' => '__toString'));

  97.         Object::reset();

  98.         $this->assertEquals('foo', $twig->loadTemplate('1_basic5')->render(self::$params), 'Sandbox allow some methods');

  99.         $this->assertEquals(1, Object::$called['__toString'], 'Sandbox only calls method once');

  100. 

  101.         $twig = $this->getEnvironment(true, array(), self::$templates, array(), array('upper'));

  102.         $this->assertEquals('FABIEN', $twig->loadTemplate('1_basic2')->render(self::$params), 'Sandbox allow some filters');

  103. 

  104.         $twig = $this->getEnvironment(true, array(), self::$templates, array('if'));

  105.         $this->assertEquals('foo', $twig->loadTemplate('1_basic3')->render(self::$params), 'Sandbox allow some tags');

  106. 

  107.         $twig = $this->getEnvironment(true, array(), self::$templates, array(), array(), array(), array('Object' => 'bar'));

  108.         $this->assertEquals('bar', $twig->loadTemplate('1_basic4')->render(self::$params), 'Sandbox allow some properties');

  109. 

  110.         $twig = $this->getEnvironment(true, array(), self::$templates, array(), array(), array(), array(), array('cycle'));

  111.         $this->assertEquals('bar', $twig->loadTemplate('1_basic7')->render(self::$params), 'Sandbox allow some functions');

  112. 

  113.         foreach (array('getfoobar', 'getFoobar', 'getFooBar') as $name) {

  114.             $twig = $this->getEnvironment(true, array(), self::$templates, array(), array(), array('Object' => $name));

  115.             Object::reset();

  116.             $this->assertEquals('foobarfoobar', $twig->loadTemplate('1_basic8')->render(self::$params), 'Sandbox allow methods in a case-insensitive way');

  117.             $this->assertEquals(2, Object::$called['getFooBar'], 'Sandbox only calls method once');

  118.         }

  119.     }

  120. 

  121.     public function testSandboxLocallySetForAnInclude()

  122.     {

  123.         self::$templates = array(

  124.             '2_basic'    => '{{ obj.foo }}{% include "2_included" %}{{ obj.foo }}',

  125.             '2_included' => '{% if obj.foo %}{{ obj.foo|upper }}{% endif %}',

  126.         );

  127. 

  128.         $twig = $this->getEnvironment(false, array(), self::$templates);

  129.         $this->assertEquals('fooFOOfoo', $twig->loadTemplate('2_basic')->render(self::$params), 'Sandbox does nothing if disabled globally and sandboxed not used for the include');

  130. 

  131.         self::$templates = array(

  132.             '3_basic'    => '{{ obj.foo }}{% sandbox %}{% include "3_included" %}{% endsandbox %}{{ obj.foo }}',

  133.             '3_included' => '{% if obj.foo %}{{ obj.foo|upper }}{% endif %}',

  134.         );

  135. 

  136.         $twig = $this->getEnvironment(true, array(), self::$templates);

  137.         try {

  138.             $twig->loadTemplate('3_basic')->render(self::$params);

  139.             $this->fail('Sandbox throws a SecurityError exception when the included file is sandboxed');

  140.         } catch (Twig_Sandbox_SecurityError $e) {

  141.         }

  142.     }

  143. 

  144.     public function testMacrosInASandbox()

  145.     {

  146.         $twig = $this->getEnvironment(true, array('autoescape' => true), array('index' => <<<EOF

  147. {% macro test(text) %}<p>{{ text }}</p>{% endmacro %}

  148. {{ _self.test('username') }}

  149. EOF

  150.         ), array('macro'), array('escape'));

  151. 

  152.         $this->assertEquals('<p>username</p>', $twig->loadTemplate('index')->render(array()));

  153.     }

  154. 

  155.     protected function getEnvironment($sandboxed, $options, $templates, $tags = array(), $filters = array(), $methods = array(), $properties = array(), $functions = array())

  156.     {

  157.         $loader = new Twig_Loader_Array($templates);

  158.         $twig = new Twig_Environment($loader, array_merge(array('debug' => true, 'cache' => false, 'autoescape' => false), $options));

  159.         $policy = new Twig_Sandbox_SecurityPolicy($tags, $filters, $methods, $properties, $functions);

  160.         $twig->addExtension(new Twig_Extension_Sandbox($policy, $sandboxed));

  161. 

  162.         return $twig;

  163.     }

  164. }

  165. 

  166. class Object

  167. {

  168.     static public $called = array('__toString' => 0, 'foo' => 0, 'getFooBar' => 0);

  169. 

  170.     public $bar = 'bar';

  171. 

  172.     static public function reset()

  173.     {

  174.         self::$called = array('__toString' => 0, 'foo' => 0, 'getFooBar' => 0);

  175.     }

  176. 

  177.     public function __toString()

  178.     {

  179.         ++self::$called['__toString'];

  180. 

  181.         return 'foo';

  182.     }

  183. 

  184.     public function foo()

  185.     {

  186.         ++self::$called['foo'];

  187. 

  188.         return 'foo';

  189.     }

  190. 

  191.     public function getFooBar()

  192.     {

  193.         ++self::$called['getFooBar'];

  194. 

  195.         return 'foobar';

  196.     }

  197. }