diff --git a/app/config/eccube/packages/twig_extensions.yaml b/app/config/eccube/packages/twig_extensions.yaml index 3ab3be512b3..6b713dd5d22 100644 --- a/app/config/eccube/packages/twig_extensions.yaml +++ b/app/config/eccube/packages/twig_extensions.yaml @@ -8,3 +8,166 @@ services: #Twig\Extensions\DateExtension: ~ # Twig\Extensions\IntlExtension: ~ #Twig\Extensions\TextExtension: ~ + + eccube.twig_sandbox.policy: + class: Twig\Sandbox\SecurityPolicy + arguments: + $allowedTags: "%eccube.twig_sandbox.allowed_tags%" + $allowedFilters: "%eccube.twig_sandbox.allowed_filters%" + $allowedFunctions: "%eccube.twig_sandbox.allowed_functions%" + $allowedMethods: "%eccube.twig_sandbox.allowed_methods%" + $allowedProperties: "%eccube.twig_sandbox.allowed_properties%" + eccube.twig_sandbox.extension: + class: Twig\Extension\SandboxExtension + arguments: + - '@eccube.twig_sandbox.policy' + - false + tags: ['twig.extension'] + Eccube\Twig\Sandbox\SecurityPolicyDecorator: + decorates: 'eccube.twig_sandbox.policy' +parameters: + eccube.twig_sandbox.allowed_tags: + - 'apply' + - 'block' + - 'deprecated' + - 'embed' + - 'extends' + - 'flush' + - 'for' + - 'if' + - 'set' + - 'spaceless' + - 'verbatim' + - 'with' + - 'form_theme' + - 'stopwatch' + - 'trans' + - 'trans_default_domain' + eccube.twig_sandbox.allowed_filters: + - 'abs' + - 'batch' + - 'capitalize' + - 'column' + - 'convert_encoding' + - 'country_name' + - 'currency_name' + - 'currency_symbol' + - 'date' + - 'date_modify' + - 'default' + - 'escape' + - 'first' + - 'format' + - 'format_currency' + - 'format_date' + - 'format_datetime' + - 'format_number' + - 'format_time' + - 'join' + - 'json_encode' + - 'keys' + - 'language_name' + - 'last' + - 'length' + - 'locale_name' + - 'lower' + - 'merge' + - 'nl2br' + - 'number_format' + - 'replace' + - 'reverse' + - 'round' + - 'slice' + - 'spaceless' + - 'split' + - 'striptags' + - 'timezone_name' + - 'title' + - 'trim' + - 'upper' + - 'url_encode' + - 'abbr_class' + - 'abbr_method' + - 'file_link' + - 'file_relative' + - 'format_args' + - 'format_args_as_text' + - 'humanize' + - 'serialize' + - 'trans' + - 'yaml_dump' + - 'yaml_encode' + - 'currency_symbol' + - 'date_day' + - 'date_day_with_weekday' + - 'date_format' + - 'date_min' + - 'date_sec' + - 'doctrine_format_sql' + - 'doctrine_prettify_sql' + - 'doctrine_pretty_query' + - 'doctrine_replace_query_parameters' + - 'e' + - 'ellipsis' + - 'file_ext_icon' + - 'form_encode_currency' + - 'format_*_number' + - 'format_log_message' + - 'no_image_product' + - 'price' + - 'purify' + - 'time_ago' + eccube.twig_sandbox.allowed_functions: + - 'cycle' + - 'date' + - 'max' + - 'min' + - 'random' + - 'range' + - 'country_timezones' + - 'absolute_url' + - 'asset' + - 'asset_version' + - 'csrf_token' + - 'form_parent' + - 'fragment_uri' + - 'impersonation_exit_path' + - 'impersonation_exit_url' + - 'is_granted' + - 'logout_path' + - 'logout_url' + - 'path' + - 'relative_path' + - 't' + - 'url' + - 'active_menus' + - 'class_categories_as_json' + - 'country_names' + - 'csrf_token_for_anchor' + - 'currency_names' + - 'currency_symbol' + - 'field_choices' + - 'field_errors' + - 'field_help' + - 'field_label' + - 'field_name' + - 'field_value' + - 'get_all_carts' + - 'get_cart' + - 'get_carts_total_price' + - 'get_carts_total_quantity' + - 'has_errors' + - 'is_reduced_tax_rate' + - 'language_names' + - 'product' + - 'workflow_can' + - 'workflow_has_marked_place' + - 'workflow_marked_places' + - 'workflow_metadata' + - 'workflow_transition' + - 'workflow_transition_blockers' + - 'workflow_transitions' + eccube.twig_sandbox.allowed_methods: + 'Symfony\Bridge\Twig\AppVariable': [ 'getrequest' ] + 'Symfony\Component\HttpFoundation\Request': [ 'geturi' ] + eccube.twig_sandbox.allowed_properties: [] \ No newline at end of file diff --git a/phpstan.neon.dist b/phpstan.neon.dist index 213da6dad2a..b44c21c8885 100644 --- a/phpstan.neon.dist +++ b/phpstan.neon.dist @@ -1,2 +1,6 @@ parameters: level: 1 + ignoreErrors: + - + message: "#^Function twig_include not found\\.$#" + path: src/Eccube/Twig/Extension/IgnoreTwigSandboxErrorExtension.php \ No newline at end of file diff --git a/src/Eccube/Resource/template/default/Product/detail.twig b/src/Eccube/Resource/template/default/Product/detail.twig index 876ebc2233c..543d67beb31 100755 --- a/src/Eccube/Resource/template/default/Product/detail.twig +++ b/src/Eccube/Resource/template/default/Product/detail.twig @@ -439,7 +439,7 @@ file that was distributed with this source code. {% if Product.freearea %}
test
" |raw }}', false], + ['{{ url("homepage") }}', true], + ['{{ random(1, 100) }}', true], + ['{% for i in range(3, 0) %} {{ i }}, {% endfor %}', true], + ['{{ dump(9) }}', false], + ['{{ constant("RSS", date) }}', false], + ['{{ include(template_from_string("Hello")) }}', false], + ['{{ Product.main_list_image|no_image_product }}', true], + ]; + } + + public function twigVarFreeAreaProvider() + { + // 0: twigスニペット, 1: ホワイトリスト対象かどうか + return [ + ['{{ app.user }}', false], + ['{{ Product.name }}', true], + ['{{ app.request.uri }}', true], + ['{{ app.request.getUri }}', true], + ]; + } + + public function twigVarMetaTagsProvider() + { + // 0: twigスニペット, 1: ホワイトリスト対象かどうか + return [ + ['{{ app.debug }}', false], + ['{{ BaseInfo.shop_name }}', true], + ['{{ app.request.uri }}', true], + ['{{ app.request.getUri }}', true], + ]; + } +}