smarty-php/smarty
1
0
Fork 0
mirror of https://github.com/smarty-php/smarty.git synced 2025-08-06 11:24:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

update securitytests

Browse Source
This commit is contained in:
Uwe Tews
2018-04-26 13:33:21 +02:00
parent d59e6804fc
commit 2f87c74cba
1 changed files with 258 additions and 188 deletions
Download Patch File Download Diff File Expand all files Collapse all files

304
tests/UnitTests/SecurityTests/SecurityTest.php
View File

@@ -24,13 +24,15 @@ class SecurityTest extends PHPUnit_Smarty
$this->smarty->enableSecurity(); $this->smarty->enableSecurity();
$this->smartyBC->setForceCompile(true); $this->smartyBC->setForceCompile(true);
$this->smartyBC->enableSecurity(); $this->smartyBC->enableSecurity();
$this->cleanDir($this->smarty->getCacheDir()); }
$this->cleanDir($this->smarty->getCompileDir()); public function testInit()
{
$this->cleanDirs();
} }
/** /**
* test that security is loaded * test that security is loaded
*/ ' *'/
public function testSecurityReenable() public function testSecurityReenable()
{ {
$this->smarty->disableSecurity(); $this->smarty->disableSecurity();
@@ -53,24 +55,20 @@ class SecurityTest extends PHPUnit_Smarty
*/ */
public function testTrustedPHPFunction() public function testTrustedPHPFunction()
{ {
$this->assertEquals("5", $this->smarty->fetch('eval:{assign var=foo value=[1,2,3,4,5]}{count($foo)}')); $this->assertEquals("5", $this->smarty->fetch('string:{assign var=foo value=[1,2,3,4,5]}{count($foo)}'));
} }
/** /**
* test not trusted PHP function * test not trusted PHP function
* @expectedException SmartyException
* @expectedExceptionMessage PHP function 'count' not allowed by security setting
* @runInSeparateProcess
* @preserveGlobalState disabled
*/ */
public function testNotTrustedPHPFunction() public function testNotTrustedPHPFunction()
{ {
$this->smarty->security_policy->php_functions = array('null'); $this->smarty->security_policy->php_functions = array('null');
try { $this->smarty->fetch('string:{assign var=foo value=[1,2,3,4,5]}{count($foo)}');
$this->smarty->fetch('eval:{assign var=foo value=[1,2,3,4,5]}{count($foo)}');
}
catch (Exception $e) {
$this->assertContains(htmlentities("PHP function 'count' not allowed by security setting"), $e->getMessage());
return;
}
$this->fail('Exception for not trusted modifier has not been raised.');
} }
/** /**
@@ -80,7 +78,7 @@ class SecurityTest extends PHPUnit_Smarty
{ {
$this->smarty->security_policy->php_functions = array('null'); $this->smarty->security_policy->php_functions = array('null');
$this->smarty->disableSecurity(); $this->smarty->disableSecurity();
$this->assertEquals("5", $this->smarty->fetch('eval:{assign var=foo value=[1,2,3,4,5]}{count($foo)}')); $this->assertEquals("5", $this->smarty->fetch('string:{assign var=foo value=[1,2,3,4,5]}{count($foo)}'));
} }
/** /**
@@ -88,24 +86,20 @@ class SecurityTest extends PHPUnit_Smarty
*/ */
public function testTrustedModifier() public function testTrustedModifier()
{ {
$this->assertEquals("5", $this->smarty->fetch('eval:{assign var=foo value=[1,2,3,4,5]}{$foo|@count}')); $this->assertEquals("5", $this->smarty->fetch('string:{assign var=foo value=[1,2,3,4,5]}{$foo|@count}'));
} }
/** /**
* test not trusted modifier * test not trusted modifier
* @expectedException SmartyException
* @expectedExceptionMessage modifier 'count' not allowed by security setting
* @runInSeparateProcess
* @preserveGlobalState disabled
*/ */
public function testNotTrustedModifier() public function testNotTrustedModifier()
{ {
$this->smarty->security_policy->php_modifiers = array('null'); $this->smarty->security_policy->php_modifiers = array('null');
try { $this->smarty->fetch('string:{assign var=foo value=[1,2,3,4,5]}{$foo|@count}');
$this->smarty->fetch('eval:{assign var=foo value=[1,2,3,4,5]}{$foo|@count}');
}
catch (Exception $e) {
$this->assertContains(htmlentities("modifier 'count' not allowed by security setting"), $e->getMessage());
return;
}
$this->fail('Exception for not trusted modifier has not been raised.');
} }
/** /**
@@ -115,7 +109,7 @@ class SecurityTest extends PHPUnit_Smarty
{ {
$this->smarty->security_policy->php_modifiers = array('null'); $this->smarty->security_policy->php_modifiers = array('null');
$this->smarty->disableSecurity(); $this->smarty->disableSecurity();
$this->assertEquals("5", $this->smarty->fetch('eval:{assign var=foo value=[1,2,3,4,5]}{$foo|@count}')); $this->assertEquals("5", $this->smarty->fetch('string:{assign var=foo value=[1,2,3,4,5]}{$foo|@count}'));
} }
/** /**
@@ -124,41 +118,33 @@ class SecurityTest extends PHPUnit_Smarty
public function testAllowedTags1() public function testAllowedTags1()
{ {
$this->smarty->security_policy->allowed_tags = array('counter'); $this->smarty->security_policy->allowed_tags = array('counter');
$this->assertEquals("1", $this->smarty->fetch('eval:{counter start=1}')); $this->assertEquals("1", $this->smarty->fetch('string:{counter start=1}'));
} }
/** /**
* test not allowed tag * test not allowed tag
* @expectedException SmartyException
* @expectedExceptionMessage tag 'cycle' not allowed by security setting
* @runInSeparateProcess
* @preserveGlobalState disabled
*/ */
public function testNotAllowedTags2() public function testNotAllowedTags2()
{ {
$this->smarty->security_policy->allowed_tags = array('counter'); $this->smarty->security_policy->allowed_tags = array('counter');
try { $this->smarty->fetch('string:{counter}{cycle values="1,2"}');
$this->smarty->fetch('eval:{counter}{cycle values="1,2"}');
}
catch (Exception $e) {
$this->assertContains(htmlentities("tag 'cycle' not allowed by security setting"), $e->getMessage());
return;
}
$this->fail('Exception for not allowed tag has not been raised.');
} }
/** /**
* test disabled tag * test disabled tag
* @expectedException SmartyException
* @expectedExceptionMessage tag 'cycle' disabled by security setting
* @runInSeparateProcess
* @preserveGlobalState disabled
*/ */
public function testDisabledTags() public function testDisabledTags()
{ {
$this->smarty->security_policy->disabled_tags = array('cycle'); $this->smarty->security_policy->disabled_tags = array('cycle');
try { $this->smarty->fetch('string:{counter}{cycle values="1,2"}');
$this->smarty->fetch('eval:{counter}{cycle values="1,2"}');
}
catch (Exception $e) {
$this->assertContains(htmlentities("tag 'cycle' disabled by security setting"), $e->getMessage());
return;
}
$this->fail('Exception for disabled tag has not been raised.');
} }
/** /**
@@ -168,48 +154,40 @@ class SecurityTest extends PHPUnit_Smarty
{ {
error_reporting(E_ALL & E_STRICT); error_reporting(E_ALL & E_STRICT);
$this->smarty->security_policy->allowed_modifiers = array('capitalize'); $this->smarty->security_policy->allowed_modifiers = array('capitalize');
$this->assertEquals("Hello World", $this->smarty->fetch('eval:{"hello world"|capitalize}')); $this->assertEquals("Hello World", $this->smarty->fetch('string:{"hello world"|capitalize}'));
error_reporting(E_ALL | E_STRICT); error_reporting(E_ALL | E_STRICT);
} }
public function testAllowedModifier2() public function testAllowedModifier2()
{ {
$this->smarty->security_policy->allowed_modifiers = array('upper'); $this->smarty->security_policy->allowed_modifiers = array('upper');
$this->assertEquals("HELLO WORLD", $this->smarty->fetch('eval:{"hello world"|upper}')); $this->assertEquals("HELLO WORLD", $this->smarty->fetch('string:{"hello world"|upper}'));
} }
/** /**
* test not allowed modifier * test not allowed modifier
* @expectedException SmartyException
* @expectedExceptionMessage modifier 'lower' not allowed by security setting
* @runInSeparateProcess
* @preserveGlobalState disabled
*/ */
public function testNotAllowedModifier() public function testNotAllowedModifier()
{ {
$this->smarty->security_policy->allowed_modifiers = array('upper'); $this->smarty->security_policy->allowed_modifiers = array('upper');
try { $this->smarty->fetch('string:{"hello"|upper}{"world"|lower}');
$this->smarty->fetch('eval:{"hello"|upper}{"world"|lower}');
}
catch (Exception $e) {
$this->assertContains(htmlentities("modifier 'lower' not allowed by security setting"), $e->getMessage());
return;
}
$this->fail('Exception for not allowed tag has not been raised.');
} }
/** /**
* test disabled modifier * test disabled modifier
* @expectedException SmartyException
* @expectedExceptionMessage modifier 'lower' disabled by security setting
* @runInSeparateProcess
* @preserveGlobalState disabled
*/ */
public function testDisabledModifier() public function testDisabledModifier()
{ {
$this->smarty->security_policy->disabled_modifiers = array('lower'); $this->smarty->security_policy->disabled_modifiers = array('lower');
try { $this->smarty->fetch('string:{"hello"|upper}{"world"|lower}');
$this->smarty->fetch('eval:{"hello"|upper}{"world"|lower}');
}
catch (Exception $e) {
$this->assertContains(htmlentities("modifier 'lower' disabled by security setting"), $e->getMessage());
return;
}
$this->fail('Exception for disabled tag has not been raised.');
} }
/** /**
@@ -218,7 +196,7 @@ class SecurityTest extends PHPUnit_Smarty
public function testSmartyPhpQuote() public function testSmartyPhpQuote()
{ {
$this->smarty->security_policy->php_handling = Smarty::PHP_QUOTE; $this->smarty->security_policy->php_handling = Smarty::PHP_QUOTE;
$this->assertEquals('&lt;?php echo "hello world"; ?&gt;', $this->smarty->fetch('eval:<?php echo "hello world"; ?>')); $this->assertEquals('&lt;?php echo "hello world"; ?&gt;', $this->smarty->fetch('string:<?php echo "hello world"; ?>'));
} }
public function testSmartyPhpQuoteAsp() public function testSmartyPhpQuoteAsp()
@@ -228,7 +206,7 @@ class SecurityTest extends PHPUnit_Smarty
$this->markTestSkipped('asp tags disabled in php.ini'); $this->markTestSkipped('asp tags disabled in php.ini');
} }
$this->smarty->security_policy->php_handling = Smarty::PHP_QUOTE; $this->smarty->security_policy->php_handling = Smarty::PHP_QUOTE;
$this->assertEquals('&lt;% echo "hello world"; %&gt;', $this->smarty->fetch('eval:<% echo "hello world"; %>')); $this->assertEquals('&lt;% echo "hello world"; %&gt;', $this->smarty->fetch('string:<% echo "hello world"; %>'));
} }
/** /**
@@ -237,7 +215,7 @@ class SecurityTest extends PHPUnit_Smarty
public function testSmartyPhpRemove() public function testSmartyPhpRemove()
{ {
$this->smarty->security_policy->php_handling = Smarty::PHP_REMOVE; $this->smarty->security_policy->php_handling = Smarty::PHP_REMOVE;
$this->assertEquals('', $this->smarty->fetch('eval:<?php echo "hello world"; ?>')); $this->assertEquals('', $this->smarty->fetch('string:<?php echo "hello world"; ?>'));
} }
public function testSmartyPhpRemoveAsp() public function testSmartyPhpRemoveAsp()
@@ -247,7 +225,7 @@ class SecurityTest extends PHPUnit_Smarty
$this->markTestSkipped('asp tags disabled in php.ini'); $this->markTestSkipped('asp tags disabled in php.ini');
} }
$this->smarty->security_policy->php_handling = Smarty::PHP_REMOVE; $this->smarty->security_policy->php_handling = Smarty::PHP_REMOVE;
$this->assertEquals('', $this->smarty->fetch('eval:<% echo "hello world"; %>')); $this->assertEquals('', $this->smarty->fetch('string:<% echo "hello world"; %>'));
} }
/** /**
@@ -256,7 +234,7 @@ class SecurityTest extends PHPUnit_Smarty
public function testSmartyPhpAllow() public function testSmartyPhpAllow()
{ {
$this->smartyBC->security_policy->php_handling = Smarty::PHP_ALLOW; $this->smartyBC->security_policy->php_handling = Smarty::PHP_ALLOW;
$this->assertEquals('hello world', $this->smartyBC->fetch('eval:<?php echo "hello world"; ?>')); $this->assertEquals('hello world', $this->smartyBC->fetch('string:<?php echo "hello world"; ?>'));
} }
public function testSmartyPhpAllowAsp() public function testSmartyPhpAllowAsp()
@@ -266,7 +244,7 @@ class SecurityTest extends PHPUnit_Smarty
$this->markTestSkipped('asp tags disabled in php.ini'); $this->markTestSkipped('asp tags disabled in php.ini');
} }
$this->smartyBC->security_policy->php_handling = Smarty::PHP_ALLOW; $this->smartyBC->security_policy->php_handling = Smarty::PHP_ALLOW;
$this->assertEquals('hello world', $this->smartyBC->fetch('eval:<% echo "hello world"; %>')); $this->assertEquals('hello world', $this->smartyBC->fetch('string:<% echo "hello world"; %>'));
} }
/** /**
@@ -274,7 +252,7 @@ class SecurityTest extends PHPUnit_Smarty
*/ */
public function testStandardDirectory() public function testStandardDirectory()
{ {
$content = $this->smarty->fetch('eval:{include file="helloworld.tpl"}'); $content = $this->smarty->fetch('string:{include file="helloworld.tpl"}');
$this->assertEquals("hello world", $content); $this->assertEquals("hello world", $content);
} }
@@ -284,24 +262,21 @@ class SecurityTest extends PHPUnit_Smarty
public function testTrustedDirectory() public function testTrustedDirectory()
{ {
$this->smarty->security_policy->secure_dir = array('.' . DIRECTORY_SEPARATOR . 'templates_2' . DIRECTORY_SEPARATOR); $this->smarty->security_policy->secure_dir = array('.' . DIRECTORY_SEPARATOR . 'templates_2' . DIRECTORY_SEPARATOR);
$this->assertEquals("hello world", $this->smarty->fetch('eval:{include file="templates_2/hello.tpl"}')); $this->assertEquals("hello world", $this->smarty->fetch('string:{include file="templates_2/hello.tpl"}'));
} }
/** /**
* test not trusted directory * test not trusted directory
*
* @expectedException SmartyException
* @expectedExceptionMessage not trusted file path
* @runInSeparateProcess
* @preserveGlobalState disabled
*/ */
public function testNotTrustedDirectory() public function testNotTrustedDirectory()
{ {
$this->smarty->security_policy->secure_dir = array(str_replace('\\', '/', dirname(__FILE__) . '/templates_3/')); $this->smarty->security_policy->secure_dir = array(str_replace('\\', '/', dirname(__FILE__) . '/templates_3/'));
try { $this->smarty->fetch('string:{include file="templates_2/hello.tpl"}');
$this->smarty->fetch('eval:{include file="templates_2/hello.tpl"}');
}
catch (Exception $e) {
$this->assertContains(str_replace('\\', '/', dirname(__FILE__) . "/templates_2/hello.tpl' not allowed by security setting"), str_replace('\\', '/', $e->getMessage()));
return;
}
$this->fail('Exception for not trusted directory has not been raised.');
} }
/** /**
@@ -310,7 +285,7 @@ class SecurityTest extends PHPUnit_Smarty
public function testDisabledTrustedDirectory() public function testDisabledTrustedDirectory()
{ {
$this->smarty->disableSecurity(); $this->smarty->disableSecurity();
$this->assertEquals("hello world", $this->smarty->fetch('eval:{include file="templates_2/hello.tpl"}')); $this->assertEquals("hello world", $this->smarty->fetch('string:{include file="templates_2/hello.tpl"}'));
} }
/** /**
@@ -319,25 +294,21 @@ class SecurityTest extends PHPUnit_Smarty
public function testTrustedStaticClass() public function testTrustedStaticClass()
{ {
$this->smarty->security_policy->static_classes = array('mysecuritystaticclass'); $this->smarty->security_policy->static_classes = array('mysecuritystaticclass');
$tpl = $this->smarty->createTemplate('eval:{mysecuritystaticclass::square(5)}'); $tpl = $this->smarty->createTemplate('string:{mysecuritystaticclass::square(5)}');
$this->assertEquals('25', $this->smarty->fetch($tpl)); $this->assertEquals('25', $this->smarty->fetch($tpl));
} }
/** /**
* test not trusted PHP function * test not trusted PHP function
* @expectedException SmartyException
* @expectedExceptionMessage access to static class 'mysecuritystaticclass' not allowed by security setting
* @runInSeparateProcess
* @preserveGlobalState disabled
*/ */
public function testNotTrustedStaticClass() public function testNotTrustedStaticClass()
{ {
$this->smarty->security_policy->static_classes = array('null'); $this->smarty->security_policy->static_classes = array('null');
try { $this->smarty->fetch('string:{mysecuritystaticclass::square(5)}');
$this->smarty->fetch('eval:{mysecuritystaticclass::square(5)}');
}
catch (Exception $e) {
$this->assertContains(htmlentities("access to static class 'mysecuritystaticclass' not allowed by security setting"), $e->getMessage());
return;
}
$this->fail('Exception for not trusted static class has not been raised.');
} }
public function testChangedTrustedDirectory() public function testChangedTrustedDirectory()
@@ -345,43 +316,71 @@ class SecurityTest extends PHPUnit_Smarty
$this->smarty->security_policy->secure_dir = array( $this->smarty->security_policy->secure_dir = array(
'.' . DIRECTORY_SEPARATOR . 'templates_2' . DIRECTORY_SEPARATOR, '.' . DIRECTORY_SEPARATOR . 'templates_2' . DIRECTORY_SEPARATOR,
); );
$this->assertEquals("hello world", $this->smarty->fetch('eval:{include file="templates_2/hello.tpl"}')); $this->assertEquals("hello world", $this->smarty->fetch('string:{include file="templates_2/hello.tpl"}'));
$this->smarty->security_policy->secure_dir = array( $this->smarty->security_policy->secure_dir = array(
'.' . DIRECTORY_SEPARATOR . 'templates_2' . DIRECTORY_SEPARATOR, '.' . DIRECTORY_SEPARATOR . 'templates_2' . DIRECTORY_SEPARATOR,
'.' . DIRECTORY_SEPARATOR . 'templates_3' . DIRECTORY_SEPARATOR, '.' . DIRECTORY_SEPARATOR . 'templates_3' . DIRECTORY_SEPARATOR,
); );
$this->assertEquals("templates_3", $this->smarty->fetch('eval:{include file="templates_3/dirname.tpl"}')); $this->assertEquals("templates_3", $this->smarty->fetch('string:{include file="templates_3/dirname.tpl"}'));
} }
/**
* test template file exits
*
* @runInSeparateProcess
* @preserveGlobalState disabled
*/
public function testTemplateTrustedStream()
{
stream_wrapper_register("global", "ResourceStreamSecurity")
or die("Failed to register protocol");
$fp = fopen("global://mytest", "r+");
fwrite($fp, 'hello world {$foo}');
fclose($fp);
$this->smarty->security_policy->streams= array('global');
$tpl = $this->smarty->createTemplate('global:mytest');
$this->assertTrue($tpl->source->exists);
}
/**
* @expectedException SmartyException
* @expectedExceptionMessage stream 'global' not allowed by security setting
* @runInSeparateProcess
* @preserveGlobalState disabled
* test template file exits
*/
public function testTemplateNotTrustedStream()
{
stream_wrapper_register("global", "ResourceStreamSecurity")
or die("Failed to register protocol");
$fp = fopen("global://mytest", "r+");
fwrite($fp, 'hello world {$foo}');
fclose($fp);
$this->smarty->security_policy->streams= array('notrusted');
$tpl = $this->smarty->createTemplate('global:mytest');
$this->assertTrue($tpl->source->exists);
}
/**
* @runInSeparateProcess
* @preserveGlobalState disabled
*/
public function testTrustedUri() public function testTrustedUri()
{ {
$this->smarty->security_policy->trusted_uri = array( $this->smarty->security_policy->trusted_uri = array(
'#^http://.+smarty\.net$#i' '#https://www.smarty.net$#i'
); );
$this->assertContains('<title>Preface | Smarty</title>', $this->smarty->fetch('string:{fetch file="https://www.smarty.net/docs/en/preface.tpl"}'));
try {
$this->smarty->fetch('eval:{fetch file="http://www.smarty.net/foo.bar"}');
}
catch (SmartyException $e) {
$this->assertNotContains(htmlentities("not allowed by security setting"), $e->getMessage());
} }
try { /**
$this->smarty->fetch('eval:{fetch file="https://www.smarty.net/foo.bar"}'); * @expectedException SmartyException
$this->fail("Exception for unknown resource not thrown (protocol)"); * @expectedExceptionMessage URI 'https://www.smarty.net/docs/en/preface.tpl' not allowed by security setting
} * @runInSeparateProcess
catch (SmartyException $e) { * @preserveGlobalState disabled
$this->assertContains(htmlentities("not allowed by security setting"), $e->getMessage()); */
} public function testNotTrustedUri()
{
try { $this->smarty->security_policy->trusted_uri = array();
$this->smarty->fetch('eval:{fetch file="http://www.smarty.com/foo.bar"}'); $this->assertContains('<title>Preface | Smarty</title>', $this->smarty->fetch('string:{fetch file="https://www.smarty.net/docs/en/preface.tpl"}'));
$this->fail("Exception for unknown resource not thrown (domain)");
}
catch (SmartyException $e) {
$this->assertContains(htmlentities("not allowed by security setting"), $e->getMessage());
}
} }
} }
@@ -399,3 +398,74 @@ class Security extends Smarty_Security
{ {
} }
class ResourceStreamSecurity
{
private $position;
private $varname;
public function stream_open($path, $mode, $options, &$opened_path)
{
$url = parse_url($path);
$this->varname = $url["host"];
$this->position = 0;
return true;
}
public function stream_read($count)
{
$p = &$this->position;
$ret = substr($GLOBALS[$this->varname], $p, $count);
$p += strlen($ret);
return $ret;
}
public function stream_write($data)
{
$v = &$GLOBALS[$this->varname];
$l = strlen($data);
$p = &$this->position;
$v = substr($v, 0, $p) . $data . substr($v, $p += $l);
return $l;
}
public function stream_tell()
{
return $this->position;
}
public function stream_eof()
{
if (!isset($GLOBALS[$this->varname])) {
return true;
}
return $this->position >= strlen($GLOBALS[$this->varname]);
}
public function stream_seek($offset, $whence)
{
$l = strlen($GLOBALS[$this->varname]);
$p = &$this->position;
switch ($whence) {
case SEEK_SET:
$newPos = $offset;
break;
case SEEK_CUR:
$newPos = $p + $offset;
break;
case SEEK_END:
$newPos = $l + $offset;
break;
default:
return false;
}
$ret = ($newPos >= 0 && $newPos <= $l);
if ($ret) {
$p = $newPos;
}
return $ret;
}
}