PageRenderTime 54ms CodeModel.GetById 26ms RepoModel.GetById 0ms app.codeStats 0ms

/vendor/twig/twig/test/Twig/Tests/Extension/SandboxTest.php

https://gitlab.com/gideonmarked/PLCPortal
PHP | 285 lines | 232 code | 41 blank | 12 comment | 0 complexity | a844adb32bcfbb32e03b2ebbf12e76e0 MD5 | raw file
    

  1. <?php
    2. 

  2. 

  3. /*
    4. 

  4.  * This file is part of Twig.
    5. 

  5.  *
    6. 

  6.  * (c) Fabien Potencier
    7. 

  7.  *
    8. 

  8.  * For the full copyright and license information, please view the LICENSE
    9. 

  9.  * file that was distributed with this source code.
    10. 

  10.  */
    11. 

  11. 

  12. class Twig_Tests_Extension_SandboxTest extends PHPUnit_Framework_TestCase
    13. 

  13. {
    14. 

  14.     protected static $params, $templates;
    15. 

  15. 

  16.     protected function setUp()
    17. 

  17.     {
    18. 

  18.         self::$params = array(
    19. 

  19.             'name' => 'Fabien',
    20. 

  20.             'obj' => new FooObject(),
    21. 

  21.             'arr' => array('obj' => new FooObject()),
    22. 

  22.         );
    23. 

  23. 

  24.         self::$templates = array(
    25. 

  25.             '1_basic1' => '{{ obj.foo }}',
    26. 

  26.             '1_basic2' => '{{ name|upper }}',
    27. 

  27.             '1_basic3' => '{% if name %}foo{% endif %}',
    28. 

  28.             '1_basic4' => '{{ obj.bar }}',
    29. 

  29.             '1_basic5' => '{{ obj }}',
    30. 

  30.             '1_basic6' => '{{ arr.obj }}',
    31. 

  31.             '1_basic7' => '{{ cycle(["foo","bar"], 1) }}',
    32. 

  32.             '1_basic8' => '{{ obj.getfoobar }}{{ obj.getFooBar }}',
    33. 

  33.             '1_basic9' => '{{ obj.foobar }}{{ obj.fooBar }}',
    34. 

  34.             '1_basic' => '{% if obj.foo %}{{ obj.foo|upper }}{% endif %}',
    35. 

  35.             '1_layout' => '{% block content %}{% endblock %}',
    36. 

  36.             '1_child' => "{% extends \"1_layout\" %}\n{% block content %}\n{{ \"a\"|json_encode }}\n{% endblock %}",
    37. 

  37.         );
    38. 

  38.     }
    39. 

  39. 

  40.     /**
    41. 

  41.      * @expectedException        Twig_Sandbox_SecurityError
    42. 

  42.      * @expectedExceptionMessage Filter "json_encode" is not allowed in "1_child" at line 3.
    43. 

  43.      */
    44. 

  44.     public function testSandboxWithInheritance()
    45. 

  45.     {
    46. 

  46.         $twig = $this->getEnvironment(true, array(), self::$templates, array('block'));
    47. 

  47.         $twig->loadTemplate('1_child')->render(array());
    48. 

  48.     }
    49. 

  49. 

  50.     public function testSandboxGloballySet()
    51. 

  51.     {
    52. 

  52.         $twig = $this->getEnvironment(false, array(), self::$templates);
    53. 

  53.         $this->assertEquals('FOO', $twig->loadTemplate('1_basic')->render(self::$params), 'Sandbox does nothing if it is disabled globally');
    54. 

  54.     }
    55. 

  55. 

  56.     public function testSandboxUnallowedMethodAccessor()
    57. 

  57.     {
    58. 

  58.         $twig = $this->getEnvironment(true, array(), self::$templates);
    59. 

  59.         try {
    60. 

  60.             $twig->loadTemplate('1_basic1')->render(self::$params);
    61. 

  61.             $this->fail('Sandbox throws a SecurityError exception if an unallowed method is called');
    62. 

  62.         } catch (Twig_Sandbox_SecurityError $e) {
    63. 

  63.             $this->assertInstanceOf('Twig_Sandbox_SecurityNotAllowedMethodError', $e, 'Exception should be an instance of Twig_Sandbox_SecurityNotAllowedMethodError');
    64. 

  64.             $this->assertEquals('FooObject', $e->getClassName(), 'Exception should be raised on the "FooObject" class');
    65. 

  65.             $this->assertEquals('foo', $e->getMethodName(), 'Exception should be raised on the "foo" method');
    66. 

  66.         }
    67. 

  67.     }
    68. 

  68. 

  69.     public function testSandboxUnallowedFilter()
    70. 

  70.     {
    71. 

  71.         $twig = $this->getEnvironment(true, array(), self::$templates);
    72. 

  72.         try {
    73. 

  73.             $twig->loadTemplate('1_basic2')->render(self::$params);
    74. 

  74.             $this->fail('Sandbox throws a SecurityError exception if an unallowed filter is called');
    75. 

  75.         } catch (Twig_Sandbox_SecurityError $e) {
    76. 

  76.             $this->assertInstanceOf('Twig_Sandbox_SecurityNotAllowedFilterError', $e, 'Exception should be an instance of Twig_Sandbox_SecurityNotAllowedFilterError');
    77. 

  77.             $this->assertEquals('upper', $e->getFilterName(), 'Exception should be raised on the "upper" filter');
    78. 

  78.         }
    79. 

  79.     }
    80. 

  80. 

  81.     public function testSandboxUnallowedTag()
    82. 

  82.     {
    83. 

  83.         $twig = $this->getEnvironment(true, array(), self::$templates);
    84. 

  84.         try {
    85. 

  85.             $twig->loadTemplate('1_basic3')->render(self::$params);
    86. 

  86.             $this->fail('Sandbox throws a SecurityError exception if an unallowed tag is used in the template');
    87. 

  87.         } catch (Twig_Sandbox_SecurityError $e) {
    88. 

  88.             $this->assertInstanceOf('Twig_Sandbox_SecurityNotAllowedTagError', $e, 'Exception should be an instance of Twig_Sandbox_SecurityNotAllowedTagError');
    89. 

  89.             $this->assertEquals('if', $e->getTagName(), 'Exception should be raised on the "if" tag');
    90. 

  90.         }
    91. 

  91.     }
    92. 

  92. 

  93.     public function testSandboxUnallowedProperty()
    94. 

  94.     {
    95. 

  95.         $twig = $this->getEnvironment(true, array(), self::$templates);
    96. 

  96.         try {
    97. 

  97.             $twig->loadTemplate('1_basic4')->render(self::$params);
    98. 

  98.             $this->fail('Sandbox throws a SecurityError exception if an unallowed property is called in the template');
    99. 

  99.         } catch (Twig_Sandbox_SecurityError $e) {
    100. 

  100.             $this->assertInstanceOf('Twig_Sandbox_SecurityNotAllowedPropertyError', $e, 'Exception should be an instance of Twig_Sandbox_SecurityNotAllowedPropertyError');
    101. 

  101.             $this->assertEquals('FooObject', $e->getClassName(), 'Exception should be raised on the "FooObject" class');
    102. 

  102.             $this->assertEquals('bar', $e->getPropertyName(), 'Exception should be raised on the "bar" property');
    103. 

  103.         }
    104. 

  104.     }
    105. 

  105. 

  106.     public function testSandboxUnallowedToString()
    107. 

  107.     {
    108. 

  108.         $twig = $this->getEnvironment(true, array(), self::$templates);
    109. 

  109.         try {
    110. 

  110.             $twig->loadTemplate('1_basic5')->render(self::$params);
    111. 

  111.             $this->fail('Sandbox throws a SecurityError exception if an unallowed method (__toString()) is called in the template');
    112. 

  112.         } catch (Twig_Sandbox_SecurityError $e) {
    113. 

  113.             $this->assertInstanceOf('Twig_Sandbox_SecurityNotAllowedMethodError', $e, 'Exception should be an instance of Twig_Sandbox_SecurityNotAllowedMethodError');
    114. 

  114.             $this->assertEquals('FooObject', $e->getClassName(), 'Exception should be raised on the "FooObject" class');
    115. 

  115.             $this->assertEquals('__tostring', $e->getMethodName(), 'Exception should be raised on the "__toString" method');
    116. 

  116.         }
    117. 

  117.     }
    118. 

  118. 

  119.     public function testSandboxUnallowedToStringArray()
    120. 

  120.     {
    121. 

  121.         $twig = $this->getEnvironment(true, array(), self::$templates);
    122. 

  122.         try {
    123. 

  123.             $twig->loadTemplate('1_basic6')->render(self::$params);
    124. 

  124.             $this->fail('Sandbox throws a SecurityError exception if an unallowed method (__toString()) is called in the template');
    125. 

  125.         } catch (Twig_Sandbox_SecurityError $e) {
    126. 

  126.             $this->assertInstanceOf('Twig_Sandbox_SecurityNotAllowedMethodError', $e, 'Exception should be an instance of Twig_Sandbox_SecurityNotAllowedMethodError');
    127. 

  127.             $this->assertEquals('FooObject', $e->getClassName(), 'Exception should be raised on the "FooObject" class');
    128. 

  128.             $this->assertEquals('__tostring', $e->getMethodName(), 'Exception should be raised on the "__toString" method');
    129. 

  129.         }
    130. 

  130.     }
    131. 

  131. 

  132.     public function testSandboxUnallowedFunction()
    133. 

  133.     {
    134. 

  134.         $twig = $this->getEnvironment(true, array(), self::$templates);
    135. 

  135.         try {
    136. 

  136.             $twig->loadTemplate('1_basic7')->render(self::$params);
    137. 

  137.             $this->fail('Sandbox throws a SecurityError exception if an unallowed function is called in the template');
    138. 

  138.         } catch (Twig_Sandbox_SecurityError $e) {
    139. 

  139.             $this->assertInstanceOf('Twig_Sandbox_SecurityNotAllowedFunctionError', $e, 'Exception should be an instance of Twig_Sandbox_SecurityNotAllowedFunctionError');
    140. 

  140.             $this->assertEquals('cycle', $e->getFunctionName(), 'Exception should be raised on the "cycle" function');
    141. 

  141.         }
    142. 

  142.     }
    143. 

  143. 

  144.     public function testSandboxAllowMethodFoo()
    145. 

  145.     {
    146. 

  146.         $twig = $this->getEnvironment(true, array(), self::$templates, array(), array(), array('FooObject' => 'foo'));
    147. 

  147.         FooObject::reset();
    148. 

  148.         $this->assertEquals('foo', $twig->loadTemplate('1_basic1')->render(self::$params), 'Sandbox allow some methods');
    149. 

  149.         $this->assertEquals(1, FooObject::$called['foo'], 'Sandbox only calls method once');
    150. 

  150.     }
    151. 

  151. 

  152.     public function testSandboxAllowMethodToString()
    153. 

  153.     {
    154. 

  154.         $twig = $this->getEnvironment(true, array(), self::$templates, array(), array(), array('FooObject' => '__toString'));
    155. 

  155.         FooObject::reset();
    156. 

  156.         $this->assertEquals('foo', $twig->loadTemplate('1_basic5')->render(self::$params), 'Sandbox allow some methods');
    157. 

  157.         $this->assertEquals(1, FooObject::$called['__toString'], 'Sandbox only calls method once');
    158. 

  158.     }
    159. 

  159. 

  160.     public function testSandboxAllowMethodToStringDisabled()
    161. 

  161.     {
    162. 

  162.         $twig = $this->getEnvironment(false, array(), self::$templates);
    163. 

  163.         FooObject::reset();
    164. 

  164.         $this->assertEquals('foo', $twig->loadTemplate('1_basic5')->render(self::$params), 'Sandbox allows __toString when sandbox disabled');
    165. 

  165.         $this->assertEquals(1, FooObject::$called['__toString'], 'Sandbox only calls method once');
    166. 

  166.     }
    167. 

  167. 

  168.     public function testSandboxAllowFilter()
    169. 

  169.     {
    170. 

  170.         $twig = $this->getEnvironment(true, array(), self::$templates, array(), array('upper'));
    171. 

  171.         $this->assertEquals('FABIEN', $twig->loadTemplate('1_basic2')->render(self::$params), 'Sandbox allow some filters');
    172. 

  172.     }
    173. 

  173. 

  174.     public function testSandboxAllowTag()
    175. 

  175.     {
    176. 

  176.         $twig = $this->getEnvironment(true, array(), self::$templates, array('if'));
    177. 

  177.         $this->assertEquals('foo', $twig->loadTemplate('1_basic3')->render(self::$params), 'Sandbox allow some tags');
    178. 

  178.     }
    179. 

  179. 

  180.     public function testSandboxAllowProperty()
    181. 

  181.     {
    182. 

  182.         $twig = $this->getEnvironment(true, array(), self::$templates, array(), array(), array(), array('FooObject' => 'bar'));
    183. 

  183.         $this->assertEquals('bar', $twig->loadTemplate('1_basic4')->render(self::$params), 'Sandbox allow some properties');
    184. 

  184.     }
    185. 

  185. 

  186.     public function testSandboxAllowFunction()
    187. 

  187.     {
    188. 

  188.         $twig = $this->getEnvironment(true, array(), self::$templates, array(), array(), array(), array(), array('cycle'));
    189. 

  189.         $this->assertEquals('bar', $twig->loadTemplate('1_basic7')->render(self::$params), 'Sandbox allow some functions');
    190. 

  190.     }
    191. 

  191. 

  192.     public function testSandboxAllowFunctionsCaseInsensitive()
    193. 

  193.     {
    194. 

  194.         foreach (array('getfoobar', 'getFoobar', 'getFooBar') as $name) {
    195. 

  195.             $twig = $this->getEnvironment(true, array(), self::$templates, array(), array(), array('FooObject' => $name));
    196. 

  196.             FooObject::reset();
    197. 

  197.             $this->assertEquals('foobarfoobar', $twig->loadTemplate('1_basic8')->render(self::$params), 'Sandbox allow methods in a case-insensitive way');
    198. 

  198.             $this->assertEquals(2, FooObject::$called['getFooBar'], 'Sandbox only calls method once');
    199. 

  199. 

  200.             $this->assertEquals('foobarfoobar', $twig->loadTemplate('1_basic9')->render(self::$params), 'Sandbox allow methods via shortcut names (ie. without get/set)');
    201. 

  201.         }
    202. 

  202.     }
    203. 

  203. 

  204.     public function testSandboxLocallySetForAnInclude()
    205. 

  205.     {
    206. 

  206.         self::$templates = array(
    207. 

  207.             '2_basic' => '{{ obj.foo }}{% include "2_included" %}{{ obj.foo }}',
    208. 

  208.             '2_included' => '{% if obj.foo %}{{ obj.foo|upper }}{% endif %}',
    209. 

  209.         );
    210. 

  210. 

  211.         $twig = $this->getEnvironment(false, array(), self::$templates);
    212. 

  212.         $this->assertEquals('fooFOOfoo', $twig->loadTemplate('2_basic')->render(self::$params), 'Sandbox does nothing if disabled globally and sandboxed not used for the include');
    213. 

  213. 

  214.         self::$templates = array(
    215. 

  215.             '3_basic' => '{{ obj.foo }}{% sandbox %}{% include "3_included" %}{% endsandbox %}{{ obj.foo }}',
    216. 

  216.             '3_included' => '{% if obj.foo %}{{ obj.foo|upper }}{% endif %}',
    217. 

  217.         );
    218. 

  218. 

  219.         $twig = $this->getEnvironment(true, array(), self::$templates);
    220. 

  220.         try {
    221. 

  221.             $twig->loadTemplate('3_basic')->render(self::$params);
    222. 

  222.             $this->fail('Sandbox throws a SecurityError exception when the included file is sandboxed');
    223. 

  223.         } catch (Twig_Sandbox_SecurityError $e) {
    224. 

  224.             $this->assertInstanceOf('Twig_Sandbox_SecurityNotAllowedTagError', $e, 'Exception should be an instance of Twig_Sandbox_SecurityNotAllowedTagError');
    225. 

  225.             $this->assertEquals('sandbox', $e->getTagName());
    226. 

  226.         }
    227. 

  227.     }
    228. 

  228. 

  229.     public function testMacrosInASandbox()
    230. 

  230.     {
    231. 

  231.         $twig = $this->getEnvironment(true, array('autoescape' => 'html'), array('index' => <<<EOF
    232. 

  232. {%- import _self as macros %}
    233. 

  233. 

  234. {%- macro test(text) %}<p>{{ text }}</p>{% endmacro %}
    235. 

  235. 

  236. {{- macros.test('username') }}
    237. 

  237. EOF
    238. 

  238.         ), array('macro', 'import'), array('escape'));
    239. 

  239. 

  240.         $this->assertEquals('<p>username</p>', $twig->loadTemplate('index')->render(array()));
    241. 

  241.     }
    242. 

  242. 

  243.     protected function getEnvironment($sandboxed, $options, $templates, $tags = array(), $filters = array(), $methods = array(), $properties = array(), $functions = array())
    244. 

  244.     {
    245. 

  245.         $loader = new Twig_Loader_Array($templates);
    246. 

  246.         $twig = new Twig_Environment($loader, array_merge(array('debug' => true, 'cache' => false, 'autoescape' => false), $options));
    247. 

  247.         $policy = new Twig_Sandbox_SecurityPolicy($tags, $filters, $methods, $properties, $functions);
    248. 

  248.         $twig->addExtension(new Twig_Extension_Sandbox($policy, $sandboxed));
    249. 

  249. 

  250.         return $twig;
    251. 

  251.     }
    252. 

  252. }
    253. 

  253. 

  254. class FooObject
    255. 

  255. {
    256. 

  256.     public static $called = array('__toString' => 0, 'foo' => 0, 'getFooBar' => 0);
    257. 

  257. 

  258.     public $bar = 'bar';
    259. 

  259. 

  260.     public static function reset()
    261. 

  261.     {
    262. 

  262.         self::$called = array('__toString' => 0, 'foo' => 0, 'getFooBar' => 0);
    263. 

  263.     }
    264. 

  264. 

  265.     public function __toString()
    266. 

  266.     {
    267. 

  267.         ++self::$called['__toString'];
    268. 

  268. 

  269.         return 'foo';
    270. 

  270.     }
    271. 

  271. 

  272.     public function foo()
    273. 

  273.     {
    274. 

  274.         ++self::$called['foo'];
    275. 

  275. 

  276.         return 'foo';
    277. 

  277.     }
    278. 

  278. 

  279.     public function getFooBar()
    280. 

  280.     {
    281. 

  281.         ++self::$called['getFooBar'];
    282. 

  282. 

  283.         return 'foobar';
    284. 

  284.     }
    285. 

  285. }
    286. 

  286.