From 45e47df6919290672a885ed8a27ea2d2ac6ff2c9 Mon Sep 17 00:00:00 2001
From: daichi_otani
Date: Wed, 18 Oct 2023 13:23:33 +0900
Subject: [PATCH 1/5] =?UTF-8?q?fix:=5F=5FtoString=E3=82=92=E8=A8=B1?= =?UTF-8?q?=E5=8F=AF=E3=81=99=E3=82=8B=E4=BF=AE=E6=AD=A3?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../eccube/packages/twig_extensions.yaml | 2 +
 .../Twig/SandBox/SecurityPolicyDecorator.php | 47 +++++++++++++++++++
 2 files changed, 49 insertions(+)
 create mode 100644 src/Eccube/Twig/SandBox/SecurityPolicyDecorator.php

diff --git a/app/config/eccube/packages/twig_extensions.yaml b/app/config/eccube/packages/twig_extensions.yaml
index b9ecee2c3c8..6b713dd5d22 100644
--- a/app/config/eccube/packages/twig_extensions.yaml
+++ b/app/config/eccube/packages/twig_extensions.yaml
@@ -23,6 +23,8 @@ services:
 - '@eccube.twig_sandbox.policy'
 - false
 tags: ['twig.extension']
+ Eccube\Twig\Sandbox\SecurityPolicyDecorator:
+ decorates: 'eccube.twig_sandbox.policy'
 parameters:
 eccube.twig_sandbox.allowed_tags:
 - 'apply'
diff --git a/src/Eccube/Twig/SandBox/SecurityPolicyDecorator.php b/src/Eccube/Twig/SandBox/SecurityPolicyDecorator.php
new file mode 100644
index 00000000000..8615449624b
--- /dev/null
+++ b/src/Eccube/Twig/SandBox/SecurityPolicyDecorator.php
@@ -0,0 +1,47 @@
+securityPolicy = $securityPolicy;
+ }
+
+ public function checkSecurity($tags, $filters, $functions)
+ {
+ $this->securityPolicy->checkSecurity($tags, $filters, $functions);
+ }
+
+ public function checkMethodAllowed($obj, $method)
+ {
+ // __toStringの場合はチェックをスキップする
+ if ($method === '__toString') {
+ return;
+ }
+ $this->securityPolicy->checkMethodAllowed($obj, $method);
+ }
+
+ public function checkPropertyAllowed($obj, $method)
+ {
+ $this->securityPolicy->checkPropertyAllowed($obj, $method);
+ }
+}
\ No newline at end of file
From 5171f05e1be69e9bab2a22feb01a621d9e083588 Mon Sep 17 00:00:00 2001
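Review bot: The decorator service is declared with `decorates:` but no `arguments:`, so whether the inner policy reaches its constructor depends on autowiring being enabled by a `_defaults` block outside this hunk; if it is not, the container build fails or the decorator wraps nothing. Make the wiring explicit with `arguments: ['@.inner']` under the `decorates:` line. The class is referenced as `Eccube\Twig\Sandbox\...` while the file in this patch lives under `SandBox`; a later patch in the series renames the directory, so no further change is needed for that here.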
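Review bot: The early return in `checkMethodAllowed` exempts `__toString` for every object regardless of class, so the inner policy's per-class method allow-list is bypassed for that one method and any object that reaches the sandboxed template context becomes printable. That is a deliberate widening of the sandbox and should either be narrowed to the classes that need it (an injected list of class names checked with `instanceof` before returning) or be stated in a class-level docblock so the trade-off survives review, e.g. `/** Allows __toString on any object inside the sandbox; keep the template context limited to objects whose string form is safe to expose. */`. The class header, constructor signature and `implements` clause are not visible in this hunk as rendered, so I cannot confirm the decorator implements `SecurityPolicyInterface`. Minor: `checkPropertyAllowed($obj, $method)` names its property parameter `$method`; `$property` would match what it forwards.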
From: daichi_otani
Date: Wed, 18 Oct 2023 13:25:11 +0900
Subject: [PATCH 2/5] =?UTF-8?q?phpStan=E3=81=AE=E3=82=A8=E3=83=A9=E3=83=BC?= =?UTF-8?q?=E3=82=92=E7=84=A1=E8=A6=96=E3=81=99=E3=82=8B=E8=A8=AD=E5=AE=9A?= =?UTF-8?q?=E3=81=AE=E5=8F=96=E3=82=8A=E8=BE=BC=E3=81=BF?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 phpstan.neon.dist | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/phpstan.neon.dist b/phpstan.neon.dist
index 213da6dad2a..b44c21c8885 100644
--- a/phpstan.neon.dist
+++ b/phpstan.neon.dist
@@ -1,2 +1,6 @@
 parameters:
 level: 1
+ ignoreErrors:
+ -
+ message: "#^Function twig_include not found\\.$#"
+ path: src/Eccube/Twig/Extension/IgnoreTwigSandboxErrorExtension.php
\ No newline at end of file
From 6128fc41611501caa46062f89cca862a5775faa9 Mon Sep 17 00:00:00 2001
From: daichi_otani
Date: Wed, 18 Oct 2023 14:28:23 +0900
Subject: [PATCH 3/5] =?UTF-8?q?=E3=83=87=E3=82=A3=E3=83=AC=E3=82=AF?= =?UTF-8?q?=E3=83=88=E3=83=AA=E5=90=8D=E3=81=AE=E5=A4=89=E6=9B=B4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/Eccube/Twig/{SandBox => Sandbox}/SecurityPolicyDecorator.php | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename src/Eccube/Twig/{SandBox => Sandbox}/SecurityPolicyDecorator.php (100%)

diff --git a/src/Eccube/Twig/SandBox/SecurityPolicyDecorator.php b/src/Eccube/Twig/Sandbox/SecurityPolicyDecorator.php
similarity index 100%
rename from src/Eccube/Twig/SandBox/SecurityPolicyDecorator.php
rename to src/Eccube/Twig/Sandbox/SecurityPolicyDecorator.php
From cd9aed337a4a1ef0462c88ad299fde471ba45f5f Mon Sep 17 00:00:00 2001
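Review bot: Ignoring `Function twig_include not found` silences the symptom rather than the cause: PHPStan does not see Twig's file-scope helper functions unless the defining file is scanned, so the cleaner fix is `scanFiles: [vendor/twig/twig/src/Extension/CoreExtension.php]` instead of an ignore entry. PHPStan also reports unmatched ignored errors by default, so this entry will itself fail the run as soon as the function resolves or `IgnoreTwigSandboxErrorExtension` stops calling it. If the ignore stays, a one-line comment above it explaining why the function is not discoverable would help the next maintainer. The file also loses its trailing newline in this hunk.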
From: daichi_otani
Date: Wed, 18 Oct 2023 14:40:01 +0900
Subject: [PATCH 4/5] =?UTF-8?q?=E3=83=A6=E3=83=8B=E3=83=83=E3=83=88?= =?UTF-8?q?=E3=83=86=E3=82=B9=E3=83=88=E3=81=AE=E8=BF=BD=E5=8A=A0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php b/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php
index 1a1869b06b1..3973c7c5741 100644
--- a/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php
+++ b/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php
@@ -74,6 +74,7 @@ public function twigSnippetsProvider()
 ['{{ dump(9) }}', false],
 ['{{ constant("RSS", date) }}', false],
 ['{{ include(template_from_string("Hello")) }}', false],
+ ['{{ Product.main_list_image|no_image_product }}', true],
 ];
 }
 
From 440a612c77005b2538998950e960fa6262aecf8c Mon Sep 17 00:00:00 2001
From: daichi_otani
Date: Fri, 20 Oct 2023 13:04:50 +0900
Subject: [PATCH 5/5] =?UTF-8?q?=E3=83=A6=E3=83=8B=E3=83=83=E3=83=88?= =?UTF-8?q?=E3=83=86=E3=82=B9=E3=83=88=E3=81=AE=E8=BF=BD=E5=8A=A0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../IgnoreTwigSandboxErrorExtensionTest.php | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php b/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php
index 3973c7c5741..cac1c1b2fc8 100644
--- a/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php
+++ b/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php
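Review bot: The new provider row `['{{ Product.main_list_image|no_image_product }}', true]` does not say which sandbox rule it covers, and its outcome depends on a `Product` variable being present in the metatag rendering context, which is not visible here. Since this series adds a `__toString` exemption to the sandbox policy, a trailing comment naming that intent, e.g. `// relies on __toString being allowed for the value rendered by main_list_image`, would tie the case to the behaviour it protects; please confirm that is the intent. `twigSnippetsProvider` begins outside the hunk.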
@@ -48,8 +48,15 @@ public function testMetatags($snippet, $whitelisted)
 $crawler = $this->client->request('GET', $this->generateUrl($Page->getUrl()));
 $text = $crawler->text();
 
- // $snippetがsandboxで制限された場合はメタタグエリアは空で出力されるため、__RENDERED__の出力有無で結果を確認する
- self::assertStringContainsString($whitelisted ? '__RENDERED__' : '', $text);
+ // ホワイトリストに入っている場合__RENDERED__が表示される
+ if ($whitelisted) {
+ self::assertStringContainsString('__RENDERED__', $text);
+ } else {
+ self::assertStringNotContainsString('__RENDERED__', $text);
+ }
+ // 入力可能ではない値の場合は、システムエラーが発生する
+ self::assertStringNotContainsString('システムエラーが発生しました', $text);
+
 }
 
 public function twigSnippetsProvider()
@@ -59,7 +66,7 @@ public function twigSnippetsProvider()
 ['{% set foo = "bar" %}', true],
 ['{% spaceless %}
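Review bot: The comment `// 入力可能ではない値の場合は、システムエラーが発生する` says a system error occurs, while the assertion directly below asserts that the error text does not appear; one of the two is wrong, and given the extension's purpose it is presumably the comment, so reword it to say the error page must not appear, e.g. `// a snippet outside the whitelist is ignored, never escalated to the system error page`. The assertion is also coupled to the localized message; `self::assertTrue($this->client->getResponse()->isSuccessful());` checks the same outcome independent of wording. The added empty line before the closing brace should be dropped. `testMetatags` starts outside the hunk.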
test
{% endspaceless %}', true],
 ['{% flush %}', true],
- ['{% apply lower|escape("html") %}SOME TEXT{% endapply %}', false],
+ ['{% apply lower|escape("html") %}SOME TEXT{% endapply %}', true],
 ['{% macro input(name, value, type = "text", size = 20) %}{% endmacro %}', false],
 ['{% sandbox %}{% include "user.html" %}{% endsandbox %}', false],
 ['{{ "-5"|abs }}', true],