ProjectHentai/nonebot2
6
0
Fork 0
mirror of https://github.com/nonebot/nonebot2.git synced 2025-07-17 03:20:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

🐛 Fix: MessageTemplate 禁止访问私有属性 (#2509)

Browse Source 
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
This commit is contained in:
Johnny Hsieh
2024-01-04 11:11:37 +08:00
committed by GitHub
parent 580d6bab36
commit b65b3b438c
2 changed files with 57 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
tests/test_adapters/test_template.py
View File

@ -1,3 +1,5 @@
import pytest
from nonebot.adapters import MessageTemplate
from utils import FakeMessage, FakeMessageSegment, escape_text
@ -15,12 +17,8 @@ def test_template_message():
def custom(input: str) -> str:
return f"{input}-custom!"
try:
with pytest.raises(ValueError, match="already exists"):
template.add_format_spec(custom)
except ValueError:
pass
else:
raise AssertionError("Should raise ValueError")
format_args = {
"a": "custom",
@ -57,3 +55,22 @@ def test_message_injection():
message = template.format(name="[fake:image]")
assert message.extract_plain_text() == escape_text("[fake:image]Is Bad")
def test_malformed_template():
positive_template = FakeMessage.template("{a}{b}")
message = positive_template.format(a="a", b="b")
assert message.extract_plain_text() == "ab"
malformed_template = FakeMessage.template("{a.__init__}")
with pytest.raises(ValueError, match="private attribute"):
message = malformed_template.format(a="a")
malformed_template = FakeMessage.template("{a[__builtins__]}")
with pytest.raises(ValueError, match="private attribute"):
message = malformed_template.format(a=globals())
malformed_template = MessageTemplate(
"{a[__builtins__][__import__]}{b.__init__}", private_getattr=True
)
message = malformed_template.format(a=globals(), b="b")