Description: A library for safe evaluation of Ruby code based on ParseTree/RubyParser and Ruby2Ruby. Provides Rails ActionView template handlers for ERB and Haml.
Homepage: http://www.artweb-design.de
Clone URL: git://github.com/svenfuchs/safemode.git
safemode / test / test_erb_eval.rb
require File.join(File.dirname(__FILE__), 'test_helper')
 
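class TestSafemodeEval < Test::Unit::TestCase
  include TestHelper

  # Derives a Test::Unit method name from a Ruby snippet by replacing every
  # non-word character with "_" (so `Kernel.exit` becomes
  # test_calling_Kernel_exit_should_raise_security). Snippets that differ only
  # in punctuation map to the same name, and a later define_method silently
  # replaces the earlier one; keep that in mind when extending the TestHelper
  # call lists.
  def self.generated_test_name(call, suffix)
    "test_calling_#{call.gsub(/\W/, '_')}_#{suffix}"
  end
  private_class_method :generated_test_name

  def setup
    @box = Safemode::Box.new
    @locals = { :article => Article.new }
    @assigns = { :article => Article.new }
    # Compiles `code` inside an ERB output tag and returns the Ruby source ERB
    # generates for it; every test below feeds that source to Box#eval.
    @erb_parse = lambda { |code| ERB.new("<%= #{code} %>").src }
  end

  def test_some_stuff_that_should_work
    # Plain Ruby that touches no jailed object must pass through the sandbox.
    ['"test".upcase', '10.succ', '10.times{}', '[1,2,3].each{|a| a + 1}', 'true ? 1 : 0', 'a = 1'].each do |snippet|
      code = @erb_parse.call snippet
      assert_nothing_raised { @box.eval code }
    end
  end

  def test_should_turn_assigns_to_jails
    # The ERB lambda is handed to the helper as a block; how the helper applies
    # it is defined in TestHelper.
    assert_raise_no_method "@article.system", @assigns, &@erb_parse
  end

  def test_should_turn_locals_to_jails
    code = @erb_parse.call "article.system"
    assert_raise(Safemode::NoMethodError) { @box.eval code, {}, @locals }
  end

  def test_should_allow_method_access_on_assigns
    code = @erb_parse.call "@article.title"
    assert_nothing_raised { @box.eval code, @assigns }
  end

  def test_should_allow_method_access_on_locals
    code = @erb_parse.call "article.title"
    assert_nothing_raised { @box.eval code, {}, @locals }
  end

  def test_should_not_raise_on_if_using_return_values
    code = @erb_parse.call "if @article.is_article?\n 1\n end"
    assert_nothing_raised { @box.eval code, @assigns }
  end

  def test_should_work_with_if_using_return_values
    code = @erb_parse.call "if @article.is_article? then 1 end"
    # Expected value first so a failure reports expected/actual the right way
    # round. ERB calls to_s on the result of the if block, hence "1" rather than 1.
    assert_equal "1", @box.eval(code, @assigns)
  end

  def test__FILE__should_not_render_filename
    # A template must not learn the host's file name; the sandbox is expected
    # to report the '(string)' placeholder instead.
    code = @erb_parse.call "__FILE__"
    assert_equal '(string)', @box.eval(code)
  end

  def test_interpolated_xstr_should_raise_security
    # A backtick command hidden inside string interpolation must still be rejected.
    assert_raise_security '"#{`ls -a`}"'
  end

  # One generated test per snippet in TestHelper's call lists. define_method
  # with a closure replaces the former class_eval of an interpolated %Q string:
  # the snippet reaches the assertion as the literal string TestHelper supplied,
  # so no quote escaping is needed, the strings TestHelper hands out are not
  # mutated in place (whether it returns fresh copies is not visible here), and
  # a snippet containing #{...} or backslash escapes can no longer be
  # interpreted by the host Ruby at class-load time instead of by the sandbox.
  TestHelper.no_method_error_raising_calls.each do |call|
    define_method(generated_test_name(call, 'should_raise_no_method')) do
      assert_raise_no_method call
    end
  end

  TestHelper.security_error_raising_calls.each do |call|
    define_method(generated_test_name(call, 'should_raise_security')) do
      assert_raise_security call
    end
  end

end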