odoo/bin/addons/base/test/base_test.yml

-   |
    To check that common dangerous operations are not allowed by the safe_eval mechanism, attempt to 
    evaluate unauthorized expressions, and verify that they trigger an error.
-
    1. Try a few common expressions to verify they work with safe_eval
-
    !python {model: ir.model}: |
        from tools.safe_eval import safe_eval
        expected = (1, {"a": 9 * 2}, (True, False, None))
        actual = safe_eval('(1, {"a": 9 * 2}, (True, False, None))')
        assert actual == expected, "Simple python expressions are not working with safe_eval"
-
    2. Try simple literal definition to verify it works with literal_eval
-
    !python {model: ir.model}: |
        from tools.safe_eval import literal_eval
        expected = (1, {"a": 9}, (True, False, None))
        actual = literal_eval('(1, {"a": 9}, (True, False, None))')
        assert actual == expected, "Simple python expressions are not working with literal_eval"
-
    3. Try arithmetic expression in literal_eval to verify it does not work
-
    !python {model: ir.model}: |
        from tools.safe_eval import literal_eval
        try:
           literal_eval('(1, {"a": 2*9}, (True, False, None))')
           assert False, "literal_eval should not accept arithmetic expressions"
        except ValueError:
           pass
-
    4. Try forbidden expressions in literal_eval to verify they are not allowed
-
    !python {model: ir.model}: |
        from tools.safe_eval import literal_eval
        try:
           literal_eval('{"a": True.__class__}')
           assert False, "literal_eval should accept only literals"
        except ValueError:
           pass
-
    5. Try forbidden expressions in safe_eval to verify they are not allowed (open)
-
    !python {model: ir.model}: |
        from tools.safe_eval import safe_eval
        try:
           safe_eval('open("/etc/passwd","r")')
           assert False, "safe_eval should not allow calling open() builtin"
        except NameError:
           pass
        except:
           # NameError should be raised because open() builtin is not found,
           # but other exceptions probably indicate that open() was executed!
           assert False, "safe_eval should not allow calling open() builtin"
[ADD] safe_eval: added some basic YAML tests bzr revid: odo@openerp.com-20100601083256-sxtg24b585gwfu3h 2010-06-01 08:32:56 +00:00			`- \|`
[FIX] base,yaml: fixed !assert with "count" attribute in yaml tests + enabled more tests in base bzr revid: odo@openerp.com-20101203142035-3h1min1htys5lhop 2010-12-03 14:20:35 +00:00			`To check that common dangerous operations are not allowed by the safe_eval mechanism, attempt to`
			`evaluate unauthorized expressions, and verify that they trigger an error.`
[ADD] safe_eval: added some basic YAML tests bzr revid: odo@openerp.com-20100601083256-sxtg24b585gwfu3h 2010-06-01 08:32:56 +00:00			`-`
			`1. Try a few common expressions to verify they work with safe_eval`
			`-`
			`!python {model: ir.model}: \|`
			`from tools.safe_eval import safe_eval`
			`expected = (1, {"a": 9 * 2}, (True, False, None))`
			`actual = safe_eval('(1, {"a": 9 * 2}, (True, False, None))')`
			`assert actual == expected, "Simple python expressions are not working with safe_eval"`
			`-`
			`2. Try simple literal definition to verify it works with literal_eval`
			`-`
			`!python {model: ir.model}: \|`
			`from tools.safe_eval import literal_eval`
			`expected = (1, {"a": 9}, (True, False, None))`
			`actual = literal_eval('(1, {"a": 9}, (True, False, None))')`
			`assert actual == expected, "Simple python expressions are not working with literal_eval"`
			`-`
			`3. Try arithmetic expression in literal_eval to verify it does not work`
			`-`
			`!python {model: ir.model}: \|`
			`from tools.safe_eval import literal_eval`
			`try:`
			`literal_eval('(1, {"a": 2*9}, (True, False, None))')`
			`assert False, "literal_eval should not accept arithmetic expressions"`
			`except ValueError:`
			`pass`
			`-`
			`4. Try forbidden expressions in literal_eval to verify they are not allowed`
			`-`
			`!python {model: ir.model}: \|`
			`from tools.safe_eval import literal_eval`
			`try:`
			`literal_eval('{"a": True.__class__}')`
			`assert False, "literal_eval should accept only literals"`
			`except ValueError:`
			`pass`
			`-`
			`5. Try forbidden expressions in safe_eval to verify they are not allowed (open)`
			`-`
			`!python {model: ir.model}: \|`
			`from tools.safe_eval import safe_eval`
			`try:`
			`safe_eval('open("/etc/passwd","r")')`
[FIX] base,yaml: fixed !assert with "count" attribute in yaml tests + enabled more tests in base bzr revid: odo@openerp.com-20101203142035-3h1min1htys5lhop 2010-12-03 14:20:35 +00:00			`assert False, "safe_eval should not allow calling open() builtin"`
[ADD] safe_eval: added some basic YAML tests bzr revid: odo@openerp.com-20100601083256-sxtg24b585gwfu3h 2010-06-01 08:32:56 +00:00			`except NameError:`
			`pass`
			`except:`
			`# NameError should be raised because open() builtin is not found,`
			`# but other exceptions probably indicate that open() was executed!`
[FIX] base,yaml: fixed !assert with "count" attribute in yaml tests + enabled more tests in base bzr revid: odo@openerp.com-20101203142035-3h1min1htys5lhop 2010-12-03 14:20:35 +00:00			`assert False, "safe_eval should not allow calling open() builtin"`
[ADD] safe_eval: added some basic YAML tests bzr revid: odo@openerp.com-20100601083256-sxtg24b585gwfu3h 2010-06-01 08:32:56 +00:00