From cdb73ec8cd5b072388e2af562ff8d010a1f1d91f Mon Sep 17 00:00:00 2001
From: Preston Timmons <prestontimmons@gmail.com>
Date: Sat, 21 Feb 2015 13:10:21 -0600
Subject: [1.8.x] Moved ssi tests into syntax_tests/test_ssi.py.

Backport of 441a47e1efd46001ca454b80e0d5f8c5ea4e235b from master
---
 tests/template_tests/syntax_tests/test_ssi.py | 32 +++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

(limited to 'tests/template_tests/syntax_tests/test_ssi.py')

diff --git a/tests/template_tests/syntax_tests/test_ssi.py b/tests/template_tests/syntax_tests/test_ssi.py
index e52931d19b..c650889020 100644
--- a/tests/template_tests/syntax_tests/test_ssi.py
+++ b/tests/template_tests/syntax_tests/test_ssi.py
@@ -2,6 +2,7 @@ from __future__ import unicode_literals
 
 import os
 
+from django.template import Context, Engine
 from django.test import SimpleTestCase, ignore_warnings
 from django.utils.deprecation import (
     RemovedInDjango19Warning, RemovedInDjango20Warning,
@@ -82,3 +83,34 @@ class SsiTagTests(SimpleTestCase):
         output = self.engine.render_to_string('ssi09', {'test': 'Look ma! It parsed!'})
         self.assertEqual(output, 'This is for testing an ssi include '
                                  'with spaces in its name. Look ma! It parsed!\n')
+
+
+@ignore_warnings(category=RemovedInDjango20Warning)
+class SSISecurityTests(SimpleTestCase):
+
+    def setUp(self):
+        self.ssi_dir = os.path.join(ROOT, "templates", "first")
+        self.engine = Engine(allowed_include_roots=(self.ssi_dir,))
+
+    def render_ssi(self, path):
+        # the path must exist for the test to be reliable
+        self.assertTrue(os.path.exists(path))
+        return self.engine.from_string('{%% ssi "%s" %%}' % path).render(Context({}))
+
+    def test_allowed_paths(self):
+        acceptable_path = os.path.join(self.ssi_dir, "..", "first", "test.html")
+        self.assertEqual(self.render_ssi(acceptable_path), 'First template\n')
+
+    def test_relative_include_exploit(self):
+        """
+        May not bypass allowed_include_roots with relative paths
+
+        e.g. if allowed_include_roots = ("/var/www",), it should not be
+        possible to do {% ssi "/var/www/../../etc/passwd" %}
+        """
+        disallowed_paths = [
+            os.path.join(self.ssi_dir, "..", "ssi_include.html"),
+            os.path.join(self.ssi_dir, "..", "second", "test.html"),
+        ]
+        for disallowed_path in disallowed_paths:
+            self.assertEqual(self.render_ssi(disallowed_path), '')
-- 
cgit v1.3