diff options
Diffstat (limited to 'vendor/twig/twig/test/Twig/Tests/Extension/SandboxTest.php')
-rw-r--r-- | vendor/twig/twig/test/Twig/Tests/Extension/SandboxTest.php | 212 |
1 files changed, 0 insertions, 212 deletions
diff --git a/vendor/twig/twig/test/Twig/Tests/Extension/SandboxTest.php b/vendor/twig/twig/test/Twig/Tests/Extension/SandboxTest.php deleted file mode 100644 index 72253c88..00000000 --- a/vendor/twig/twig/test/Twig/Tests/Extension/SandboxTest.php +++ /dev/null | |||
@@ -1,212 +0,0 @@ | |||
1 | <?php | ||
2 | |||
3 | /* | ||
4 | * This file is part of Twig. | ||
5 | * | ||
6 | * (c) Fabien Potencier | ||
7 | * | ||
8 | * For the full copyright and license information, please view the LICENSE | ||
9 | * file that was distributed with this source code. | ||
10 | */ | ||
11 | |||
12 | class Twig_Tests_Extension_SandboxTest extends PHPUnit_Framework_TestCase | ||
13 | { | ||
14 | protected static $params, $templates; | ||
15 | |||
16 | public function setUp() | ||
17 | { | ||
18 | self::$params = array( | ||
19 | 'name' => 'Fabien', | ||
20 | 'obj' => new FooObject(), | ||
21 | 'arr' => array('obj' => new FooObject()), | ||
22 | ); | ||
23 | |||
24 | self::$templates = array( | ||
25 | '1_basic1' => '{{ obj.foo }}', | ||
26 | '1_basic2' => '{{ name|upper }}', | ||
27 | '1_basic3' => '{% if name %}foo{% endif %}', | ||
28 | '1_basic4' => '{{ obj.bar }}', | ||
29 | '1_basic5' => '{{ obj }}', | ||
30 | '1_basic6' => '{{ arr.obj }}', | ||
31 | '1_basic7' => '{{ cycle(["foo","bar"], 1) }}', | ||
32 | '1_basic8' => '{{ obj.getfoobar }}{{ obj.getFooBar }}', | ||
33 | '1_basic' => '{% if obj.foo %}{{ obj.foo|upper }}{% endif %}', | ||
34 | '1_layout' => '{% block content %}{% endblock %}', | ||
35 | '1_child' => '{% extends "1_layout" %}{% block content %}{{ "a"|json_encode }}{% endblock %}', | ||
36 | ); | ||
37 | } | ||
38 | |||
39 | /** | ||
40 | * @expectedException Twig_Sandbox_SecurityError | ||
41 | * @expectedExceptionMessage Filter "json_encode" is not allowed in "1_child". | ||
42 | */ | ||
43 | public function testSandboxWithInheritance() | ||
44 | { | ||
45 | $twig = $this->getEnvironment(true, array(), self::$templates, array('block')); | ||
46 | $twig->loadTemplate('1_child')->render(array()); | ||
47 | } | ||
48 | |||
49 | public function testSandboxGloballySet() | ||
50 | { | ||
51 | $twig = $this->getEnvironment(false, array(), self::$templates); | ||
52 | $this->assertEquals('FOO', $twig->loadTemplate('1_basic')->render(self::$params), 'Sandbox does nothing if it is disabled globally'); | ||
53 | |||
54 | $twig = $this->getEnvironment(true, array(), self::$templates); | ||
55 | try { | ||
56 | $twig->loadTemplate('1_basic1')->render(self::$params); | ||
57 | $this->fail('Sandbox throws a SecurityError exception if an unallowed method is called'); | ||
58 | } catch (Twig_Sandbox_SecurityError $e) { | ||
59 | } | ||
60 | |||
61 | $twig = $this->getEnvironment(true, array(), self::$templates); | ||
62 | try { | ||
63 | $twig->loadTemplate('1_basic2')->render(self::$params); | ||
64 | $this->fail('Sandbox throws a SecurityError exception if an unallowed filter is called'); | ||
65 | } catch (Twig_Sandbox_SecurityError $e) { | ||
66 | } | ||
67 | |||
68 | $twig = $this->getEnvironment(true, array(), self::$templates); | ||
69 | try { | ||
70 | $twig->loadTemplate('1_basic3')->render(self::$params); | ||
71 | $this->fail('Sandbox throws a SecurityError exception if an unallowed tag is used in the template'); | ||
72 | } catch (Twig_Sandbox_SecurityError $e) { | ||
73 | } | ||
74 | |||
75 | $twig = $this->getEnvironment(true, array(), self::$templates); | ||
76 | try { | ||
77 | $twig->loadTemplate('1_basic4')->render(self::$params); | ||
78 | $this->fail('Sandbox throws a SecurityError exception if an unallowed property is called in the template'); | ||
79 | } catch (Twig_Sandbox_SecurityError $e) { | ||
80 | } | ||
81 | |||
82 | $twig = $this->getEnvironment(true, array(), self::$templates); | ||
83 | try { | ||
84 | $twig->loadTemplate('1_basic5')->render(self::$params); | ||
85 | $this->fail('Sandbox throws a SecurityError exception if an unallowed method (__toString()) is called in the template'); | ||
86 | } catch (Twig_Sandbox_SecurityError $e) { | ||
87 | } | ||
88 | |||
89 | $twig = $this->getEnvironment(true, array(), self::$templates); | ||
90 | try { | ||
91 | $twig->loadTemplate('1_basic6')->render(self::$params); | ||
92 | $this->fail('Sandbox throws a SecurityError exception if an unallowed method (__toString()) is called in the template'); | ||
93 | } catch (Twig_Sandbox_SecurityError $e) { | ||
94 | } | ||
95 | |||
96 | $twig = $this->getEnvironment(true, array(), self::$templates); | ||
97 | try { | ||
98 | $twig->loadTemplate('1_basic7')->render(self::$params); | ||
99 | $this->fail('Sandbox throws a SecurityError exception if an unallowed function is called in the template'); | ||
100 | } catch (Twig_Sandbox_SecurityError $e) { | ||
101 | } | ||
102 | |||
103 | $twig = $this->getEnvironment(true, array(), self::$templates, array(), array(), array('FooObject' => 'foo')); | ||
104 | FooObject::reset(); | ||
105 | $this->assertEquals('foo', $twig->loadTemplate('1_basic1')->render(self::$params), 'Sandbox allow some methods'); | ||
106 | $this->assertEquals(1, FooObject::$called['foo'], 'Sandbox only calls method once'); | ||
107 | |||
108 | $twig = $this->getEnvironment(true, array(), self::$templates, array(), array(), array('FooObject' => '__toString')); | ||
109 | FooObject::reset(); | ||
110 | $this->assertEquals('foo', $twig->loadTemplate('1_basic5')->render(self::$params), 'Sandbox allow some methods'); | ||
111 | $this->assertEquals(1, FooObject::$called['__toString'], 'Sandbox only calls method once'); | ||
112 | |||
113 | $twig = $this->getEnvironment(true, array(), self::$templates, array(), array('upper')); | ||
114 | $this->assertEquals('FABIEN', $twig->loadTemplate('1_basic2')->render(self::$params), 'Sandbox allow some filters'); | ||
115 | |||
116 | $twig = $this->getEnvironment(true, array(), self::$templates, array('if')); | ||
117 | $this->assertEquals('foo', $twig->loadTemplate('1_basic3')->render(self::$params), 'Sandbox allow some tags'); | ||
118 | |||
119 | $twig = $this->getEnvironment(true, array(), self::$templates, array(), array(), array(), array('FooObject' => 'bar')); | ||
120 | $this->assertEquals('bar', $twig->loadTemplate('1_basic4')->render(self::$params), 'Sandbox allow some properties'); | ||
121 | |||
122 | $twig = $this->getEnvironment(true, array(), self::$templates, array(), array(), array(), array(), array('cycle')); | ||
123 | $this->assertEquals('bar', $twig->loadTemplate('1_basic7')->render(self::$params), 'Sandbox allow some functions'); | ||
124 | |||
125 | foreach (array('getfoobar', 'getFoobar', 'getFooBar') as $name) { | ||
126 | $twig = $this->getEnvironment(true, array(), self::$templates, array(), array(), array('FooObject' => $name)); | ||
127 | FooObject::reset(); | ||
128 | $this->assertEquals('foobarfoobar', $twig->loadTemplate('1_basic8')->render(self::$params), 'Sandbox allow methods in a case-insensitive way'); | ||
129 | $this->assertEquals(2, FooObject::$called['getFooBar'], 'Sandbox only calls method once'); | ||
130 | } | ||
131 | } | ||
132 | |||
133 | public function testSandboxLocallySetForAnInclude() | ||
134 | { | ||
135 | self::$templates = array( | ||
136 | '2_basic' => '{{ obj.foo }}{% include "2_included" %}{{ obj.foo }}', | ||
137 | '2_included' => '{% if obj.foo %}{{ obj.foo|upper }}{% endif %}', | ||
138 | ); | ||
139 | |||
140 | $twig = $this->getEnvironment(false, array(), self::$templates); | ||
141 | $this->assertEquals('fooFOOfoo', $twig->loadTemplate('2_basic')->render(self::$params), 'Sandbox does nothing if disabled globally and sandboxed not used for the include'); | ||
142 | |||
143 | self::$templates = array( | ||
144 | '3_basic' => '{{ obj.foo }}{% sandbox %}{% include "3_included" %}{% endsandbox %}{{ obj.foo }}', | ||
145 | '3_included' => '{% if obj.foo %}{{ obj.foo|upper }}{% endif %}', | ||
146 | ); | ||
147 | |||
148 | $twig = $this->getEnvironment(true, array(), self::$templates); | ||
149 | try { | ||
150 | $twig->loadTemplate('3_basic')->render(self::$params); | ||
151 | $this->fail('Sandbox throws a SecurityError exception when the included file is sandboxed'); | ||
152 | } catch (Twig_Sandbox_SecurityError $e) { | ||
153 | } | ||
154 | } | ||
155 | |||
156 | public function testMacrosInASandbox() | ||
157 | { | ||
158 | $twig = $this->getEnvironment(true, array('autoescape' => true), array('index' => <<<EOF | ||
159 | {%- import _self as macros %} | ||
160 | |||
161 | {%- macro test(text) %}<p>{{ text }}</p>{% endmacro %} | ||
162 | |||
163 | {{- macros.test('username') }} | ||
164 | EOF | ||
165 | ), array('macro', 'import'), array('escape')); | ||
166 | |||
167 | $this->assertEquals('<p>username</p>', $twig->loadTemplate('index')->render(array())); | ||
168 | } | ||
169 | |||
170 | protected function getEnvironment($sandboxed, $options, $templates, $tags = array(), $filters = array(), $methods = array(), $properties = array(), $functions = array()) | ||
171 | { | ||
172 | $loader = new Twig_Loader_Array($templates); | ||
173 | $twig = new Twig_Environment($loader, array_merge(array('debug' => true, 'cache' => false, 'autoescape' => false), $options)); | ||
174 | $policy = new Twig_Sandbox_SecurityPolicy($tags, $filters, $methods, $properties, $functions); | ||
175 | $twig->addExtension(new Twig_Extension_Sandbox($policy, $sandboxed)); | ||
176 | |||
177 | return $twig; | ||
178 | } | ||
179 | } | ||
180 | |||
181 | class FooObject | ||
182 | { | ||
183 | public static $called = array('__toString' => 0, 'foo' => 0, 'getFooBar' => 0); | ||
184 | |||
185 | public $bar = 'bar'; | ||
186 | |||
187 | public static function reset() | ||
188 | { | ||
189 | self::$called = array('__toString' => 0, 'foo' => 0, 'getFooBar' => 0); | ||
190 | } | ||
191 | |||
192 | public function __toString() | ||
193 | { | ||
194 | ++self::$called['__toString']; | ||
195 | |||
196 | return 'foo'; | ||
197 | } | ||
198 | |||
199 | public function foo() | ||
200 | { | ||
201 | ++self::$called['foo']; | ||
202 | |||
203 | return 'foo'; | ||
204 | } | ||
205 | |||
206 | public function getFooBar() | ||
207 | { | ||
208 | ++self::$called['getFooBar']; | ||
209 | |||
210 | return 'foobar'; | ||
211 | } | ||
212 | } | ||