Correct the wrong usage of AccessControl.ZopeGuards.ContainerAssertions.

wrong: ContainerAssertions(datetime.datetime) = 1 right: ContainerAssertions(type(datetime.datetime)) = 1 ContainerAssertions expects that the given parameter is a type. Furthermore, allow_type(<type>) is the higher function which doing the same thing with asserting the given parameter data type. The conclusion is that we should use allow_type when we want to allow classes inside a built-in module: allow_type(type(datetime.datetime))

Correct the wrong usage of AccessControl.ZopeGuards.ContainerAssertions.
wrong: ContainerAssertions(datetime.datetime) = 1 right: ContainerAssertions(type(datetime.datetime)) = 1 ContainerAssertions expects that the given parameter is a type. Furthermore, allow_type(<type>) is the higher function which doing the same thing with asserting the given parameter data type. The conclusion is that we should use allow_type when we want to allow classes inside a built-in module: allow_type(type(datetime.datetime))
c78b973b · Tatuya Kamada · 13c0f2e1 · c78b973b · c78b973b
Commit c78b973b authored Apr 28, 2017 by Tatuya Kamada
Showing with 79 additions and 5 deletions

product/ERP5Type/patches/Restricted.py product/ERP5Type/patches/Restricted.py +5 -5

product/ERP5Type/tests/testRestrictedPythonSecurity.py product/ERP5Type/tests/testRestrictedPythonSecurity.py +74 -0

No files found.
--- a/product/ERP5Type/patches/Restricted.py
+++ b/product/ERP5Type/patches/Restricted.py
@@ -191,11 +191,11 @@ allow_type(type(f_StringIO))
 ModuleSecurityInfo('cgi').declarePublic('escape', 'parse_header')
 allow_module('datetime')
 import datetime
-ContainerAssertions[datetime.datetime] = 1
-ContainerAssertions[datetime.time] = 1
-ContainerAssertions[datetime.date] = 1
-ContainerAssertions[datetime.timedelta] = 1
-ContainerAssertions[datetime.tzinfo] = 1
+allow_type(type(datetime.datetime))
+allow_type(type(datetime.time))
+allow_type(type(datetime.date))
+allow_type(type(datetime.timedelta))
+allow_type(type(datetime.tzinfo))
 allow_module('difflib')
 allow_module('hashlib')
 import hashlib

--- a/product/ERP5Type/tests/testRestrictedPythonSecurity.py
+++ b/product/ERP5Type/tests/testRestrictedPythonSecurity.py
+##############################################################################
+#
+# Copyright (c) 2017 Nexedi KK and Contributors. All Rights Reserved.
+#
+# WARNING: This program as such is intended to be used by professional
+# programmers who take the whole responsability of assessing all potential
+# consequences resulting from its eventual inadequacies and bugs
+# End users who are looking for a ready-to-use solution with commercial
+# garantees and support are strongly adviced to contract a Free Software
+# Service Company
+#
+# This program is Free Software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+##############################################################################
+
+import unittest
+
+from Products.ERP5Type.tests.ERP5TypeTestCase import ERP5TypeTestCase
+from Products.ERP5Type.tests.utils import createZODBPythonScript
+from Products.ERP5Type.tests.utils import removeZODBPythonScript
+from AccessControl import Unauthorized
+import uuid
+
+class TestRestrictedPythonSecurity(ERP5TypeTestCase):
+  """
+    Test Restricted Python Security that is monkey patched by ERP5.
+  """
+
+  def getTitle(self):
+    return "Restricted Python Security Test"
+
+  def runScript(self, container, name):
+    func = getattr(self.portal, name)
+    return func()
+
+  def createAndRunScript(self, *args, **kwargs):
+    # we do not care the script name for security test thus use uuid
+    name = str(uuid.uuid1())
+    code = '\n'.join(args)
+    expected = kwargs.get('expected', None)
+    script_container = self.portal.portal_skins.custom
+    try:
+      createZODBPythonScript(script_container, name, '**kw', code)
+      if expected:
+        self.assertEqual(self.runScript(script_container, name), expected)
+      else:
+        self.runScript(script_container, name)
+    finally:
+      removeZODBPythonScript(script_container, name)
+
+  def testDateTimeModuleAllowance(self):
+    self.createAndRunScript('import datetime')
+    self.createAndRunScript('import datetime', 'return datetime.datetime.now()')
+    self.createAndRunScript('import datetime', 'return datetime.time.max')
+    self.createAndRunScript('import datetime', 'return datetime.date.today()')
+    self.createAndRunScript('import datetime', 'return datetime.timedelta.min')
+    self.createAndRunScript('import datetime', 'return datetime.tzinfo')
+
+def test_suite():
+  suite = unittest.TestSuite()
+  suite.addTest(unittest.makeSuite(TestRestrictedPythonSecurity))
+  return suite