""" Tests for safe_template_linter.py """ from ddt import ddt, data import mock import re from StringIO import StringIO import textwrap from unittest import TestCase from ..safe_template_linter import ( _process_os_walk, FileResults, MakoTemplateLinter, UnderscoreTemplateLinter, Rules ) class TestSafeTemplateLinter(TestCase): """ Test some top-level linter functions """ def test_process_os_walk_with_includes(self): """ Tests the top-level processing of template files, including Mako includes. """ out = StringIO() options = { 'is_quiet': False, } template_linters = [MakoTemplateLinter(), UnderscoreTemplateLinter()] with mock.patch.object(MakoTemplateLinter, '_is_valid_directory', return_value=True) as mock_is_valid_directory: _process_os_walk('scripts/tests/templates', template_linters, options, out) output = out.getvalue() self.assertIsNotNone(re.search('test\.html.*mako-missing-default', out.getvalue())) @ddt class TestMakoTemplateLinter(TestCase): """ Test MakoTemplateLinter """ @data( {'directory': 'lms/templates', 'expected': True}, {'directory': 'lms/templates/support', 'expected': True}, {'directory': 'lms/templates/support', 'expected': True}, {'directory': 'test_root/staticfiles/templates', 'expected': False}, {'directory': './test_root/staticfiles/templates', 'expected': False}, {'directory': './some/random/path', 'expected': False}, ) def test_is_valid_directory(self, data): """ Test _is_valid_directory correctly determines mako directories """ linter = MakoTemplateLinter() self.assertEqual(linter._is_valid_directory(data['directory']), data['expected']) @data( { 'template': '\n <%page expression_filter="h"/>', 'violations': 0, 'rule': None }, { 'template': '\n <%page args="section_data" expression_filter="h" /> ', 'violations': 0, 'rule': None }, { 'template': '\n <%page expression_filter="h" /> ' '\n <%page args="section_data"/>', 'violations': 1, 'rule': Rules.mako_multiple_page_tags }, { 'template': '\n <%page args="section_data" /> ', 'violations': 1, 'rule': Rules.mako_missing_default }, { 'template': '\n <%page args="section_data"/> ', 'violations': 1, 'rule': Rules.mako_missing_default }, { 'template': '\n', 'violations': 1, 'rule': Rules.mako_missing_default }, ) def test_check_page_default(self, data): """ Test _check_mako_file_is_safe with different page defaults """ linter = MakoTemplateLinter() results = FileResults('') linter._check_mako_file_is_safe(data['template'], results) self.assertEqual(len(results.violations), data['violations']) if data['violations'] > 0: self.assertEqual(results.violations[0].rule, data['rule']) @data( {'expression': '${x}', 'rule': None}, {'expression': '${{unbalanced}', 'rule': Rules.mako_unparseable_expression}, {'expression': '${x | n}', 'rule': Rules.mako_invalid_html_filter}, {'expression': '${x | h}', 'rule': Rules.mako_unwanted_html_filter}, {'expression': '${x | n, dump_js_escaped_json}', 'rule': Rules.mako_invalid_html_filter}, ) def test_check_mako_expressions_in_html(self, data): """ Test _check_mako_file_is_safe in html context provides appropriate violations """ linter = MakoTemplateLinter() results = FileResults('') mako_template = textwrap.dedent(""" <%page expression_filter="h"/> {expression} """.format(expression=data['expression'])) linter._check_mako_file_is_safe(mako_template, results) self._validate_data_rule(data, results) def test_check_mako_expression_display_name(self): """ Test _check_mako_file_is_safe with display_name_with_default_escaped fails. """ linter = MakoTemplateLinter() results = FileResults('') mako_template = textwrap.dedent(""" <%page expression_filter="h"/> ${course.display_name_with_default_escaped} """) linter._check_mako_file_is_safe(mako_template, results) self.assertEqual(len(results.violations), 1) self.assertEqual(results.violations[0].rule, Rules.mako_deprecated_display_name) @data( { 'expression': textwrap.dedent(""" ${"Mixed {span_start}text{span_end}".format( span_start=HTML(""), span_end=HTML(""), )} """), 'rule': Rules.mako_html_requires_text }, { 'expression': textwrap.dedent(""" ${Text("Mixed {span_start}text{span_end}").format( span_start=HTML(""), span_end=HTML(""), )} """), 'rule': None }, { 'expression': textwrap.dedent(""" ${"Mixed {span_start}{text}{span_end}".format( span_start=HTML(""), text=Text("This should still break."), span_end=HTML(""), )} """), 'rule': Rules.mako_html_requires_text }, { 'expression': textwrap.dedent(""" ${Text("Mixed {link_start}text{link_end}".format( link_start=HTML("").format(url), link_end=HTML(""), ))} """), 'rule': Rules.mako_close_before_format }, { 'expression': textwrap.dedent(""" ${Text("Mixed {link_start}text{link_end}").format( link_start=HTML("".format(url)), link_end=HTML(""), )} """), 'rule': Rules.mako_close_before_format }, { 'expression': """${ Text("text") }""", 'rule': Rules.mako_text_redundant }, { 'expression': """${ HTML("") }""", 'rule': None }, { 'expression': """${ HTML("") + "some other text" }""", 'rule': Rules.mako_html_alone }, ) def test_check_mako_with_text_and_html(self, data): """ Test _check_mako_file_is_safe tests for proper use of Text() and Html(). """ linter = MakoTemplateLinter() results = FileResults('') mako_template = textwrap.dedent(""" <%page expression_filter="h"/> {expression} """.format(expression=data['expression'])) linter._check_mako_file_is_safe(mako_template, results) self._validate_data_rule(data, results) def test_check_mako_expression_default_disabled(self): """ Test _check_mako_file_is_safe with disable pragma for safe-by-default works to designate that this is not a Mako file """ linter = MakoTemplateLinter() results = FileResults('') mako_template = textwrap.dedent(""" # This is anything but a Mako file. # pragma can appear anywhere in file # safe-lint: disable=mako-missing-default """) linter._check_mako_file_is_safe(mako_template, results) self.assertEqual(len(results.violations), 1) self.assertTrue(results.violations[0].is_disabled) def test_check_mako_expression_disabled(self): """ Test _check_mako_file_is_safe with disable pragma results in no violation """ linter = MakoTemplateLinter() results = FileResults('') mako_template = textwrap.dedent(""" <%page expression_filter="h"/> ## safe-lint: disable=mako-unwanted-html-filter ${x | h} """) linter._check_mako_file_is_safe(mako_template, results) self.assertEqual(len(results.violations), 1) self.assertTrue(results.violations[0].is_disabled) @data( {'template': '{% extends "wiki/base.html" %}'}, {'template': '{{ message }}'}, ) def test_check_mako_on_django_template(self, data): """ Test _check_mako_file_is_safe with disable pragma results in no violation """ linter = MakoTemplateLinter() results = FileResults('') linter._check_mako_file_is_safe(data['template'], results) self.assertEqual(len(results.violations), 0) def test_check_mako_expressions_in_html_without_default(self): """ Test _check_mako_file_is_safe in html context without the page level default h filter suppresses expression level violation """ linter = MakoTemplateLinter() results = FileResults('') mako_template = textwrap.dedent(""" ${x | h} """) linter._check_mako_file_is_safe(mako_template, results) self.assertEqual(len(results.violations), 1) self.assertEqual(results.violations[0].rule, Rules.mako_missing_default) @data( {'expression': '${x}', 'rule': Rules.mako_invalid_js_filter}, {'expression': '${{unbalanced}', 'rule': Rules.mako_unparseable_expression}, {'expression': '${x | n}', 'rule': Rules.mako_invalid_js_filter}, {'expression': '${x | h}', 'rule': Rules.mako_invalid_js_filter}, {'expression': '${x | n, dump_js_escaped_json}', 'rule': None}, ) def test_check_mako_expressions_in_javascript(self, data): """ Test _check_mako_file_is_safe in JavaScript script context provides appropriate violations """ linter = MakoTemplateLinter() results = FileResults('') mako_template = textwrap.dedent(""" <%page expression_filter="h"/> """.format(expression=data['expression'])) linter._check_mako_file_is_safe(mako_template, results) self._validate_data_rule(data, results) @data( {'expression': '${x}', 'rule': Rules.mako_invalid_js_filter}, {'expression': '${x | n, js_escaped_string}', 'rule': None}, ) def test_check_mako_expressions_in_require_js(self, data): """ Test _check_mako_file_is_safe in JavaScript require context provides appropriate violations """ linter = MakoTemplateLinter() results = FileResults('') mako_template = textwrap.dedent(""" <%page expression_filter="h"/> <%static:require_module module_name="${{x}}" class_name="TestFactory"> {expression} """.format(expression=data['expression'])) linter._check_mako_file_is_safe(mako_template, results) self._validate_data_rule(data, results) @data( {'media_type': 'text/javascript', 'expected_violations': 0}, {'media_type': 'text/ecmascript', 'expected_violations': 0}, {'media_type': 'application/ecmascript', 'expected_violations': 0}, {'media_type': 'application/javascript', 'expected_violations': 0}, {'media_type': 'text/template', 'expected_violations': 1}, {'media_type': 'unknown/type', 'expected_violations': 1}, ) def test_check_mako_expressions_in_script_type(self, data): """ Test _check_mako_file_is_safe in script tag with different media types """ linter = MakoTemplateLinter() results = FileResults('') mako_template = textwrap.dedent(""" <%page expression_filter="h"/> """).format(data['media_type']) linter._check_mako_file_is_safe(mako_template, results) self.assertEqual(len(results.violations), data['expected_violations']) def test_check_mako_expressions_in_mixed_contexts(self): """ Test _check_mako_file_is_safe in mixed contexts provides appropriate violations """ linter = MakoTemplateLinter() results = FileResults('') mako_template = textwrap.dedent(""" <%page expression_filter="h"/> ${x | h} ${x | h} <%static:require_module module_name="${x}" class_name="TestFactory"> ${x | h} ${x | h} """) linter._check_mako_file_is_safe(mako_template, results) self.assertEqual(len(results.violations), 5) self.assertEqual(results.violations[0].rule, Rules.mako_unwanted_html_filter) self.assertEqual(results.violations[1].rule, Rules.mako_invalid_js_filter) self.assertEqual(results.violations[2].rule, Rules.mako_unwanted_html_filter) self.assertEqual(results.violations[3].rule, Rules.mako_invalid_js_filter) self.assertEqual(results.violations[4].rule, Rules.mako_unwanted_html_filter) @data( {'template': "\n${x | n}", 'parseable': True}, { 'template': textwrap.dedent( """

${( 'tabbed-multi-line-expression' ) | n}

"""), 'parseable': True }, {'template': "${{unparseable}", 'parseable': False}, ) def test_expression_detailed_results(self, data): """ Test _check_mako_file_is_safe provides detailed results, including line numbers, columns, and line """ linter = MakoTemplateLinter() results = FileResults('') linter._check_mako_file_is_safe(data['template'], results) self.assertEqual(len(results.violations), 2) self.assertEqual(results.violations[0].rule, Rules.mako_missing_default) violation = results.violations[1] lines = list(data['template'].splitlines()) self.assertTrue("${" in lines[violation.start_line - 1]) self.assertTrue(lines[violation.start_line - 1].startswith("${", violation.start_column - 1)) if data['parseable']: self.assertTrue("}" in lines[violation.end_line - 1]) self.assertTrue(lines[violation.end_line - 1].startswith("}", violation.end_column - 1)) else: self.assertEqual(violation.start_line, violation.end_line) self.assertEqual(violation.end_column, "?") self.assertEqual(len(violation.lines), violation.end_line - violation.start_line + 1) for line_index in range(0, len(violation.lines)): self.assertEqual(violation.lines[line_index], lines[line_index + violation.start_line - 1]) @data( {'template': "${x}"}, {'template': "\n ${x}"}, {'template': "${x} "}, {'template': "${{test-balanced-delims}} "}, {'template': "${'{unbalanced in string'}"}, {'template': "${'unbalanced in string}'}"}, {'template': "${(\n 'tabbed-multi-line-expression'\n )}"}, ) def test_find_mako_expressions(self, data): """ Test _find_mako_expressions for parseable expressions """ linter = MakoTemplateLinter() expressions = linter._find_mako_expressions(data['template']) self.assertEqual(len(expressions), 1) start_index = expressions[0]['start_index'] end_index = expressions[0]['end_index'] self.assertEqual(data['template'][start_index:end_index + 1], data['template'].strip()) self.assertEqual(expressions[0]['expression'], data['template'].strip()) @data( {'template': " ${{unparseable} ${}", 'start_index': 1}, {'template': " ${'unparseable} ${}", 'start_index': 1}, ) def test_find_mako_expressions(self, data): """ Test _find_mako_expressions for unparseable expressions """ linter = MakoTemplateLinter() expressions = linter._find_mako_expressions(data['template']) self.assertTrue(2 <= len(expressions)) self.assertEqual(expressions[0]['start_index'], data['start_index']) self.assertIsNone(expressions[0]['expression']) @data( {'template': """${""}""", 'start_index': 0, 'end_index': 5, 'expected_index': 2}, {'template': """${''}""", 'start_index': 0, 'end_index': 5, 'expected_index': 2}, {'template': """${"''"}""", 'start_index': 0, 'end_index': 7, 'expected_index': 2}, {'template': """${'""'}""", 'start_index': 0, 'end_index': 7, 'expected_index': 2}, {'template': """${'""'}""", 'start_index': 3, 'end_index': 7, 'expected_index': 3}, {'template': """${'""'}""", 'start_index': 0, 'end_index': 1, 'expected_index': -1}, ) def test_find_string_start(self, data): """ Test _find_string_start helper """ linter = MakoTemplateLinter() string_start_index = linter._find_string_start(data['template'], data['start_index'], data['end_index']) self.assertEqual(string_start_index, data['expected_index']) @data( { 'template': '${""}', 'result': {'start_index': 2, 'end_index': 4, 'quote_length': 1} }, { 'template': "${'Hello'}", 'result': {'start_index': 2, 'end_index': 9, 'quote_length': 1} }, { 'template': '${""" triple """}', 'result': {'start_index': 2, 'end_index': 16, 'quote_length': 3} }, { 'template': r""" ${" \" \\"} """, 'result': {'start_index': 3, 'end_index': 11, 'quote_length': 1} }, ) def test_parse_string(self, data): """ Test _parse_string helper """ linter = MakoTemplateLinter() result = linter._parse_string(data['template'], data['result']['start_index']) self.assertDictEqual(result, data['result']) def _validate_data_rule(self, data, results): if data['rule'] is None: self.assertEqual(len(results.violations), 0) else: self.assertEqual(len(results.violations), 1) self.assertEqual(results.violations[0].rule, data['rule']) @ddt class TestUnderscoreTemplateLinter(TestCase): """ Test UnderscoreTemplateLinter """ def test_check_underscore_file_is_safe(self): """ Test _check_underscore_file_is_safe with safe template """ linter = UnderscoreTemplateLinter() results = FileResults('') template = textwrap.dedent(""" <%- gettext('Single Line') %> <%- gettext('Multiple Lines') %> """) linter._check_underscore_file_is_safe(template, results) self.assertEqual(len(results.violations), 0) def test_check_underscore_file_is_not_safe(self): """ Test _check_underscore_file_is_safe with unsafe template """ linter = UnderscoreTemplateLinter() results = FileResults('') template = textwrap.dedent(""" <%= gettext('Single Line') %> <%= gettext('Multiple Lines') %> """) linter._check_underscore_file_is_safe(template, results) self.assertEqual(len(results.violations), 2) self.assertEqual(results.violations[0].rule, Rules.underscore_not_escaped) self.assertEqual(results.violations[1].rule, Rules.underscore_not_escaped) @data( { 'template': '<% // safe-lint: disable=underscore-not-escaped %>\n' '<%= message %>', 'is_disabled': [True], }, { 'template': '<% // safe-lint: disable=another-rule,underscore-not-escaped %>\n' '<%= message %>', 'is_disabled': [True], }, { 'template': '<% // safe-lint: disable=another-rule %>\n' '<%= message %>', 'is_disabled': [False], }, { 'template': '<% // safe-lint: disable=underscore-not-escaped %>\n' '<%= message %>\n' '<%= message %>', 'is_disabled': [True, False], }, { 'template': '// This test does not use proper Underscore.js Template syntax\n' '// But, it is just testing that a maximum of 5 non-whitespace\n' '// are used to designate start of line for disabling the next line.\n' ' 1 2 3 4 5 safe-lint: disable=underscore-not-escaped %>\n' '<%= message %>\n' ' 1 2 3 4 5 6 safe-lint: disable=underscore-not-escaped %>\n' '<%= message %>', 'is_disabled': [True, False], }, { 'template': '<%= message %><% // safe-lint: disable=underscore-not-escaped %>\n' '<%= message %>', 'is_disabled': [True, False], }, { 'template': '<%= message %>\n' '<% // safe-lint: disable=underscore-not-escaped %>', 'is_disabled': [False], }, ) def test_check_underscore_file_disable_rule(self, data): """ Test _check_underscore_file_is_safe with various disabled pragmas """ linter = UnderscoreTemplateLinter() results = FileResults('') linter._check_underscore_file_is_safe(data['template'], results) violation_count = len(data['is_disabled']) self.assertEqual(len(results.violations), violation_count) for index in range(0, violation_count - 1): self.assertEqual(results.violations[index].is_disabled, data['is_disabled'][index]) def test_check_underscore_file_disables_one_violation(self): """ Test _check_underscore_file_is_safe with disabled before a line only disables for the violation following """ linter = UnderscoreTemplateLinter() results = FileResults('') template = textwrap.dedent(""" <% // safe-lint: disable=underscore-not-escaped %> <%= message %> <%= message %> """) linter._check_underscore_file_is_safe(template, results) self.assertEqual(len(results.violations), 2) self.assertEqual(results.violations[0].is_disabled, True) self.assertEqual(results.violations[1].is_disabled, False) @data( {'template': '<%= HtmlUtils.ensureHtml(message) %>'}, {'template': '<%= _.escape(message) %>'}, ) def test_check_underscore_no_escape_allowed(self, data): """ Test _check_underscore_file_is_safe with expressions that are allowed without escaping because the internal calls properly escape. """ linter = UnderscoreTemplateLinter() results = FileResults('') linter._check_underscore_file_is_safe(data['template'], results) self.assertEqual(len(results.violations), 0)