
Commit ecf768d

committed
Merged in [19925] from jennifer@painless-security.com:
Suppress origin template tag in production mode, show relative path only in other modes. - Legacy-Id: 19932 Note: SVN reference [19925] has been migrated to Git commit b4d07e1
1 parent ec4065e commit ecf768d


2 files changed

+63
-8
lines changed


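--- a/ietf/utils/templatetags/origin.py
+++ b/ietf/utils/templatetags/origin.py
@@ -1,5 +1,12 @@
+# Copyright The IETF Trust 2015-2022, All Rights Reserved
+# -*- coding: utf-8 -*-
+from pathlib import Path
+
 from django import template
+from django.conf import settings
+
 import debug # pyflakes:ignore
+from ietf.utils import log
 
 register = template.Library()
 
@@ -9,19 +16,26 @@ def __init__(self, origin=None):
 # template file path if the template comes from a file:
 self.origin = origin
 
+def relative_path(self):
+origin_path = Path(str(self.origin))
+try:
+return origin_path.relative_to(settings.BASE_DIR)
+except ValueError:
+log.log(f'Rendering a template from outside the project root: {self.origin}')
+return '** path outside project root **'
+
 def render(self, context):
-if self.origin:
-return "<!-- template: %s -->" % self.origin
+if self.origin and settings.SERVER_MODE != 'production':
+return f'<!-- template: {self.relative_path()} -->'
 else:
 return ""
 
-@register.tag
-def origin(parser, token):
-"""
-Returns a node which renders the
-"""
+
+@register.tag('origin')
+def origin_tag(parser, token):
+"""Create a node indicating the path to the current template"""
 if hasattr(token, "source"):
 origin, source = token.source
-return OriginNode(origin=origin)
+return OriginNode(origin)
 else:
 return OriginNode()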
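Review bot: The mode check in `render` is fail-open: `settings.SERVER_MODE != 'production'` emits the template path for every value other than the exact string 'production', so a misspelt or newly introduced mode name would expose it again. An allowlist keeps the disclosure opt-in: `if self.origin and settings.SERVER_MODE in ('development', 'test'):`, which covers the two non-production modes the tests in this commit exercise. The relative path is also interpolated into the HTML comment unescaped, so a template path containing `--` would yield a malformed comment; this looks low-risk because the paths come from the deployment itself, but a short comment saying so would help. `render` and `relative_path` belong to a class whose header lies outside the hunk.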

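--- a/ietf/utils/templatetags/tests.py
+++ b/ietf/utils/templatetags/tests.py
@@ -0,0 +1,41 @@
+# Copyright The IETF Trust 2022, All Rights Reserved
+# -*- coding: utf-8 -*-
+from django.template import Context, Origin, Template
+from django.test import override_settings
+
+from ietf.utils.test_utils import TestCase
+import debug # pyflakes: ignore
+
+
+@override_settings(BASE_DIR='/fake/base/')
+class OriginTests(TestCase):
+def test_origin_not_shown_in_production(self):
+template = Template(
+'{% load origin %}{% origin %}',
+origin=Origin('/fake/base/templates/my-template.html'),
+)
+with override_settings(SERVER_MODE='production'):
+self.assertEqual(template.render(Context()), '')
+
+def test_origin_shown_in_development_and_test(self):
+template = Template(
+'{% load origin %}{% origin %}',
+origin=Origin('/fake/base/templates/my-template.html'),
+)
+for mode in ['development', 'test']:
+with override_settings(SERVER_MODE=mode):
+output = template.render(Context())
+self.assertIn('templates/my-template.html', output)
+for component in ['fake', 'base']:
+self.assertNotIn(component, output, 'Reported path should be relative to BASE_DIR')
+
+def test_origin_outside_base_dir(self):
+template = Template(
+'{% load origin %}{% origin %}',
+origin=Origin('/different/templates/my-template.html'),
+)
+with override_settings(SERVER_MODE='development'):
+for component in ['fake', 'base', 'different', 'templates']:
+output = template.render(Context())
+self.assertNotIn(component, output,
+'Full path components should not be revealed in html')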
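Review bot: `test_origin_outside_base_dir` only asserts what is absent, so it would still pass if the tag rendered an empty string or the fallback branch were removed; it should also pin the placeholder, e.g. `self.assertIn('** path outside project root **', output)`. The `template.render(Context())` call sits inside the `for component` loop and can be hoisted above it, since the output does not depend on the component. There is also no case for a `SERVER_MODE` value other than the three named here, which is exactly where the `!= 'production'` comparison in origin.py would show the path.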
