Merge pull request #5 from EC-CUBE/feat_twig_sandbox_4.2

[4.2]twig sandboxの設定を追加

app/config/eccube/packages/twig_extensions.yaml

@@ -23,6 +23,8 @@ services:
             - '@eccube.twig_sandbox.policy'
             - false
         tags: ['twig.extension']
+    Eccube\Twig\Sandbox\SecurityPolicyDecorator:
+        decorates: 'eccube.twig_sandbox.policy'
 parameters:
     eccube.twig_sandbox.allowed_tags:
         - 'apply'

phpstan.neon.dist

@@ -1,2 +1,6 @@
 parameters:
   level: 1
+  ignoreErrors:
+    -
+      message: "#^Function twig_include not found\\.$#"
+      path: src/Eccube/Twig/Extension/IgnoreTwigSandboxErrorExtension.php

src/Eccube/Twig/Sandbox/SecurityPolicyDecorator.php

@@ -0,0 +1,47 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Twig\Sandbox;
+
+use Twig\Sandbox\SecurityPolicy as BasePolicy;
+use Twig\Sandbox\SecurityPolicyInterface;
+
+class SecurityPolicyDecorator implements SecurityPolicyInterface {
+
+    /** @var BasePolicy  */
+    private $securityPolicy;
+
+    public function __construct(BasePolicy $securityPolicy)
+    {
+        $this->securityPolicy = $securityPolicy;
+    }
+
+    public function checkSecurity($tags, $filters, $functions)
+    {
+        $this->securityPolicy->checkSecurity($tags, $filters, $functions);
+    }
+
+    public function checkMethodAllowed($obj, $method)
+    {
+        // __toStringの場合はチェックをスキップする
+        if ($method === '__toString') {
+            return;
+        }
+        $this->securityPolicy->checkMethodAllowed($obj, $method);
+    }
+
+    public function checkPropertyAllowed($obj, $method)
+    {
+        $this->securityPolicy->checkPropertyAllowed($obj, $method);
+    }
+}

tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php

@@ -48,8 +48,15 @@ public function testMetatags($snippet, $whitelisted)
         $crawler = $this->client->request('GET', $this->generateUrl($Page->getUrl()));
         $text = $crawler->text();
 
-        // $snippetがsandboxで制限された場合はメタタグエリアは空で出力されるため、__RENDERED__の出力有無で結果を確認する
-        self::assertStringContainsString($whitelisted ? '__RENDERED__' : '', $text);
+        // ホワイトリストに入っている場合__RENDERED__が表示される
+        if ($whitelisted) {
+            self::assertStringContainsString('__RENDERED__', $text);
+        } else {
+            self::assertStringNotContainsString('__RENDERED__', $text);
+        }
+        // 入力可能ではない値の場合は、システムエラーが発生する
+        self::assertStringNotContainsString('システムエラーが発生しました', $text);
+
     }
 
     public function twigSnippetsProvider()
@@ -59,7 +66,7 @@ public function twigSnippetsProvider()
             ['{% set foo = "bar" %}', true],
             ['{% spaceless %}<div> <strong>test</strong> </div>{% endspaceless %}', true],
             ['{% flush %}', true],
-            ['{% apply lower|escape("html") %}<strong>SOME TEXT</strong>{% endapply %}', false],
+            ['{% apply lower|escape("html") %}<strong>SOME TEXT</strong>{% endapply %}', true],
             ['{% macro input(name, value, type = "text", size = 20) %}<input type="{{ type }}" name="{{ name }}" value="{{ value|e }}" size="{{ size }}"/>{% endmacro %}', false],
             ['{% sandbox %}{% include "user.html" %}{% endsandbox %}', false],
             ['{{ "-5"|abs }}', true],
@@ -74,6 +81,7 @@ public function twigSnippetsProvider()
             ['{{ dump(9) }}', false],
             ['{{ constant("RSS", date) }}', false],
             ['{{ include(template_from_string("Hello")) }}', false],
+            ['{{ Product.main_list_image|no_image_product }}', true],
         ];
     }