From f8a9ad9eee8958bea94b628aeef9ac601c6f5595 Mon Sep 17 00:00:00 2001 From: daichi_otani Date: Fri, 18 Aug 2023 16:59:09 +0900 Subject: [PATCH 01/21] =?UTF-8?q?feat:twig=20sandbox=E3=82=92=E8=BF=BD?= =?UTF-8?q?=E5=8A=A0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../eccube/packages/twig_extensions.yaml | 18 ++++++++++++++++++ .../template/default/Product/detail.twig | 2 +- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/app/config/eccube/packages/twig_extensions.yaml b/app/config/eccube/packages/twig_extensions.yaml index 3ab3be512b3..ed5648ec4c0 100644 --- a/app/config/eccube/packages/twig_extensions.yaml +++ b/app/config/eccube/packages/twig_extensions.yaml @@ -8,3 +8,21 @@ services: #Twig\Extensions\DateExtension: ~ # Twig\Extensions\IntlExtension: ~ #Twig\Extensions\TextExtension: ~ + + eccube.twig_sandbox.policy: + class: Twig\Sandbox\SecurityPolicy + arguments: + $allowedTags: "%eccube.twig_sandbox.policy_tags%" + $allowedFilters: "%eccube.twig_sandbox.policy_filters%" + $allowedFunctions: "%eccube.twig_sandbox.policy_functions%" + eccube.twig_sandbox.extension: + class: Twig\Extension\SandboxExtension + arguments: + - '@eccube.twig_sandbox.policy' + - false + tags: ['twig.extension'] +parameters: + eccube.twig_sandbox.policy_tags: ['try', 'catch', 'endcatch'] + eccube.twig_sandbox.policy_filters: + - 'escape' + eccube.twig_sandbox.policy_functions: [] diff --git a/src/Eccube/Resource/template/default/Product/detail.twig b/src/Eccube/Resource/template/default/Product/detail.twig index 876ebc2233c..543d67beb31 100755 --- a/src/Eccube/Resource/template/default/Product/detail.twig +++ b/src/Eccube/Resource/template/default/Product/detail.twig @@ -439,7 +439,7 @@ file that was distributed with this source code. {% if Product.freearea %}
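Review bot: `Twig\Extension\SandboxExtension` is registered with its second argument `false`, so the policy is opt-in and only `include()` calls that pass `sandboxed = true` are covered; this patch opts in `Product.freearea` in detail.twig, but any other `template_from_string` call site (the `Page.meta_tags` include in `default_frame.twig` is one) keeps rendering merchant-editable content outside the sandbox until it is changed too. Put that contract next to the service definition so the next person does not assume the sandbox is global, e.g. `# opt-in sandbox: templates must pass sandboxed=true to include(); grep for template_from_string when adding call sites`. Note also that `SecurityPolicy` is built here without `$allowedMethods`/`$allowedProperties`, so every object member access in sandboxed content (`Product.name`, `app.request`) raises `SecurityError`; if existing free areas rely on such accesses this is a behaviour change worth a line in the commit message and in the release notes.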
- {{ include(template_from_string(Product.freearea)) }} + {{ include(template_from_string(Product.freearea), sandboxed = true) }}
{% endif %} From bf54e21ad9591a06b853659148545969b0ff586c Mon Sep 17 00:00:00 2001 From: daichi_otani Date: Tue, 22 Aug 2023 12:05:43 +0900 Subject: [PATCH 02/21] =?UTF-8?q?=E4=B8=8D=E8=A6=81=E3=81=AApolicy?= =?UTF-8?q?=E3=82=92=E5=89=8A=E9=99=A4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- app/config/eccube/packages/twig_extensions.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/config/eccube/packages/twig_extensions.yaml b/app/config/eccube/packages/twig_extensions.yaml index ed5648ec4c0..4fdab528155 100644 --- a/app/config/eccube/packages/twig_extensions.yaml +++ b/app/config/eccube/packages/twig_extensions.yaml @@ -22,7 +22,7 @@ services: - false tags: ['twig.extension'] parameters: - eccube.twig_sandbox.policy_tags: ['try', 'catch', 'endcatch'] + eccube.twig_sandbox.policy_tags: [] eccube.twig_sandbox.policy_filters: - 'escape' eccube.twig_sandbox.policy_functions: [] From 9005ec681fb3c70a4a85d5050e789c5ad463058f Mon Sep 17 00:00:00 2001 From: daichi_otani Date: Thu, 24 Aug 2023 10:14:18 +0900 Subject: [PATCH 03/21] =?UTF-8?q?=E5=A4=89=E6=95=B0=E5=90=8D=E3=82=92?= =?UTF-8?q?=E5=A4=89=E6=9B=B4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- app/config/eccube/packages/twig_extensions.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/app/config/eccube/packages/twig_extensions.yaml b/app/config/eccube/packages/twig_extensions.yaml index 4fdab528155..7790c781991 100644 --- a/app/config/eccube/packages/twig_extensions.yaml +++ b/app/config/eccube/packages/twig_extensions.yaml 
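Review bot: The trust boundary this line establishes deserves a comment, because `sandboxed = true` is easy to drop in a later edit and nothing else in the template signals that `Product.freearea` is merchant-editable: `{# freearea is merchant-editable: keep sandboxed=true (policy: app/config/eccube/packages/twig_extensions.yaml) #}`. The sandbox restricts which Twig tags, filters, functions and object members the snippet may use; it does not sanitize the HTML it produces, which `include` (declared `is_safe`) emits as-is, so product-edit permission remains the control over what reaches the page. `template_from_string(Product.freearea)` is still compiled before `include` is entered, so a `SyntaxError` in the free area behaves exactly as it did before this patch.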
@@ -12,9 +12,9 @@ services: eccube.twig_sandbox.policy: class: Twig\Sandbox\SecurityPolicy arguments: - $allowedTags: "%eccube.twig_sandbox.policy_tags%" - $allowedFilters: "%eccube.twig_sandbox.policy_filters%" - $allowedFunctions: "%eccube.twig_sandbox.policy_functions%" + $allowedTags: "%eccube.twig_sandbox.allowed_tags%" + $allowedFilters: "%eccube.twig_sandbox.allowed_filters%" + $allowedFunctions: "%eccube.twig_sandbox.allowed_functions%" eccube.twig_sandbox.extension: class: Twig\Extension\SandboxExtension arguments: @@ -22,7 +22,7 @@ services: - false tags: ['twig.extension'] parameters: - eccube.twig_sandbox.policy_tags: [] - eccube.twig_sandbox.policy_filters: + eccube.twig_sandbox.allowed_tags: [] + eccube.twig_sandbox.allowed_filters: - 'escape' - eccube.twig_sandbox.policy_functions: [] + eccube.twig_sandbox.allowed_functions: [] From 04e17804e9602f76410e7b8ecdc47c6d3fc1feb9 Mon Sep 17 00:00:00 2001 From: daichi_otani Date: Fri, 25 Aug 2023 13:33:44 +0900 Subject: [PATCH 04/21] =?UTF-8?q?=E8=A8=B1=E5=8F=AF=E3=83=AA=E3=82=B9?= =?UTF-8?q?=E3=83=88=E3=82=92=E8=BF=BD=E5=8A=A0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../eccube/packages/twig_extensions.yaml | 52 ++++++++++++++++++- 1 file changed, 50 insertions(+), 2 deletions(-) diff --git a/app/config/eccube/packages/twig_extensions.yaml b/app/config/eccube/packages/twig_extensions.yaml index 7790c781991..7d855937967 100644 --- a/app/config/eccube/packages/twig_extensions.yaml +++ b/app/config/eccube/packages/twig_extensions.yaml 
@@ -22,7 +22,55 @@ services: - false tags: ['twig.extension'] parameters: - eccube.twig_sandbox.allowed_tags: [] + eccube.twig_sandbox.allowed_tags: + - 'autoescape' + - 'filter' + - 'do' + - 'flush' + - 'for' + - 'set' + - 'verbatium' + - 'if' + - 'spaceless' eccube.twig_sandbox.allowed_filters: + - 'abs' + - 'batch' + - 'capitalize' + - 'convert_encoding' + - 'date' + - 'date_modify' + - 'default' - 'escape' - eccube.twig_sandbox.allowed_functions: [] + - 'first' + - 'format' + - 'join' + - 'json_encode' + - 'keys' + - 'last' + - 'length' + - 'lower' + - 'merge' + - 'nl2br' + - 'number_format' + - 'raw' + - 'replace' + - 'reverse' + - 'slice' + - 'sort' + - 'split' + - 'striptags' + - 'title' + - 'trim' + - 'upper' + - 'url_encode' + - 'trans' + eccube.twig_sandbox.allowed_functions: + - 'attribute' + - 'constant' + - 'cycle' + - 'date' + - 'random' + - 'range' + - 'url' + - 'asset' + - 'path' From dc5293c6524bbefd9d6460035914e43955f4515a Mon Sep 17 00:00:00 2001 From: daichi_otani Date: Thu, 31 Aug 2023 09:59:33 +0900 Subject: [PATCH 05/21] =?UTF-8?q?=E8=AA=A4=E5=AD=97=E4=BF=AE=E6=AD=A3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- app/config/eccube/packages/twig_extensions.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/config/eccube/packages/twig_extensions.yaml b/app/config/eccube/packages/twig_extensions.yaml index 7d855937967..280577a3615 100644 --- a/app/config/eccube/packages/twig_extensions.yaml +++ b/app/config/eccube/packages/twig_extensions.yaml @@ -29,7 +29,7 @@ parameters: - 'flush' - 'for' - 'set' - - 'verbatium' + - 'verbatim' - 'if' - 'spaceless' eccube.twig_sandbox.allowed_filters: From 638b0f2c15f3b6e97fdc4e4cdf0ba29bb9f3679d Mon Sep 17 00:00:00 2001 
From: daichi_otani Date: Thu, 31 Aug 2023 15:31:11 +0900 Subject: [PATCH 06/21] =?UTF-8?q?=E8=A8=B1=E5=8F=AF=E3=83=AA=E3=82=B9?= =?UTF-8?q?=E3=83=88=E3=81=AE=E8=BF=BD=E5=8A=A0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- app/config/eccube/packages/twig_extensions.yaml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/app/config/eccube/packages/twig_extensions.yaml b/app/config/eccube/packages/twig_extensions.yaml index 280577a3615..27a274b645d 100644 --- a/app/config/eccube/packages/twig_extensions.yaml +++ b/app/config/eccube/packages/twig_extensions.yaml @@ -52,7 +52,6 @@ parameters: - 'merge' - 'nl2br' - 'number_format' - - 'raw' - 'replace' - 'reverse' - 'slice' @@ -64,6 +63,17 @@ parameters: - 'upper' - 'url_encode' - 'trans' + - 'date_day' + - 'date_day_with_weekday' + - 'date_format' + - 'date_min' + - 'date_sec' + - 'price' + - 'ellipsis' + - 'time_ago' + - 'file_ext_icon' + - 'no_image_product' + - 'purify' eccube.twig_sandbox.allowed_functions: - 'attribute' - 'constant' @@ -74,3 +84,4 @@ parameters: - 'url' - 'asset' - 'path' + - 'is_granted' From 2024dc86a62e65ca5a627e6ab29ce51e31708a46 Mon Sep 17 00:00:00 2001 From: daichi_otani Date: Thu, 31 Aug 2023 16:48:15 +0900 Subject: [PATCH 07/21] =?UTF-8?q?sandbox=E3=81=AE=E3=82=A8=E3=83=A9?= =?UTF-8?q?=E3=83=BC=E8=A1=A8=E7=A4=BA=E3=82=92=E5=88=B6=E5=BE=A1=E3=81=99?= =?UTF-8?q?=E3=82=8B?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../ignoreTwigSandboxErrorExtension.php | 74 +++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100644 src/Eccube/Twig/Extension/ignoreTwigSandboxErrorExtension.php diff --git a/src/Eccube/Twig/Extension/ignoreTwigSandboxErrorExtension.php b/src/Eccube/Twig/Extension/ignoreTwigSandboxErrorExtension.php new file mode 100644 index 00000000000..4d0ad904588 --- /dev/null +++ b/src/Eccube/Twig/Extension/ignoreTwigSandboxErrorExtension.php 
@@ -0,0 +1,74 @@ + true, 'needs_context' => true, 'is_safe' => ['all']]), + ]; + } + + /** + * twig sandboxの例外を操作します + * app_env = devの場合、エラーを表示する + * app_env = prodの場合、エラーを表示しない + * + * @param Environment $env + * @param $context + * @param $template + * @param $variables + * @param $withContext + * @param $ignoreMissing + * @param $sandboxed + * @return string|void + * @throws LoaderError + * @throws SecurityError + */ + function twig_include(Environment $env, $context, $template, $variables = [], $withContext = true, $ignoreMissing = false, $sandboxed = false) + { + try { + return \twig_include($env, $context, $template, $variables, $withContext, $ignoreMissing, $sandboxed); + } catch (SecurityError $error) { + + $appEnv = $_SERVER['APP_ENV']; + // devではエラーが表示されるようにする + if ($appEnv == 'dev') { + throw $error; + } else { + $sandbox = $env->getExtension(SandboxExtension::class); + + if (!$sandbox->isSandboxedGlobally()) { + $sandbox->disableSandbox(); + } + } + } + } + +} From 52e0cc26a39281bfafa9360b855efcabf40b0e43 Mon Sep 17 00:00:00 2001 From: daichi_otani Date: Mon, 4 Sep 2023 16:35:38 +0900 Subject: [PATCH 08/21] =?UTF-8?q?meta=20tag=E3=81=AB=E5=AF=BE=E5=BF=9C?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/Eccube/Resource/template/default/default_frame.twig | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/Eccube/Resource/template/default/default_frame.twig b/src/Eccube/Resource/template/default/default_frame.twig index e1278a0a695..a3768a5343b 100644 --- a/src/Eccube/Resource/template/default/default_frame.twig +++ b/src/Eccube/Resource/template/default/default_frame.twig 
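Review bot: After a `SecurityError` the catch block calls `$sandbox->disableSandbox()` whenever the sandbox is not global, without checking whether the sandbox was already enabled before this `include` ran; if this override is entered from a template that an outer `include(..., sandboxed = true)` had already sandboxed, the outer template finishes rendering with the sandbox off. Twig's own `twig_include` only disables what it enabled (it records the prior state and restores it in a `finally`), so with a current Twig the extra call is at best redundant and at worst widens the escape; record `$sandbox->isSandboxed()` before the call and only disable when it was false, as below. The same block is carried unchanged into the patch 11 hunk of `IgnoreTwigSandboxErrorExtension.php`. The top of this new file (namespace, `use` lines and the start of `getFunctions()`) is cut off at the hunk start in this view, and the swallowed branch falls off the end of the function — `return '';` makes the empty output explicit.
```php
function twig_include(Environment $env, $context, $template, $variables = [], $withContext = true, $ignoreMissing = false, $sandboxed = false)
{
    $sandbox = $env->hasExtension(SandboxExtension::class) ? $env->getExtension(SandboxExtension::class) : null;
    // remember the state an outer include may already have set; only undo what this call turned on
    $wasSandboxed = $sandbox !== null && $sandbox->isSandboxed();
    try {
        return \twig_include($env, $context, $template, $variables, $withContext, $ignoreMissing, $sandboxed);
    } catch (SecurityError $error) {
        // … unchanged: rethrow when APP_ENV is dev …
        if ($sandbox !== null && !$wasSandboxed && $sandbox->isSandboxed()) {
            $sandbox->disableSandbox();
        }
        // emit nothing rather than null when the violation is swallowed
        return '';
    }
}
```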
@@ -16,7 +16,7 @@ file that was distributed with this source code. {{ BaseInfo.shop_name }}{% if subtitle is defined and subtitle is not empty %} / {{ subtitle }}{% elseif title is defined and title is not empty %} / {{ title }}{% endif %} {% if Page.meta_tags is not empty %} - {{ include(template_from_string(Page.meta_tags)) }} + {{ include(template_from_string(Page.meta_tags), sandboxed = true) }} {% if Page.description is not empty %} {% endif %} @@ -51,7 +51,9 @@ file that was distributed with this source code. {{ include('block.twig', {'Blocks': Layout.Head}) }} {% endif %} {# プラグイン用styleseetやmetatagなど #} - {% if plugin_assets is defined %}{{ include('@admin/snippet.twig', { snippets: plugin_assets }) }}{% endif %} + {% if plugin_assets is defined %} + {{ include('@admin/snippet.twig', { snippets: plugin_assets },sandboxed = true) }} + {% endif %} From cefaadf82c401fec95b98c0f2f94fc8f3a96610f Mon Sep 17 00:00:00 2001 From: daichi_otani Date: Thu, 7 Sep 2023 11:51:26 +0900 Subject: [PATCH 09/21] =?UTF-8?q?=E3=82=A8=E3=83=A9=E3=83=BC=E3=83=AD?= =?UTF-8?q?=E3=82=B0=E3=82=92=E8=A1=A8=E7=A4=BA?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Twig/Extension/ignoreTwigSandboxErrorExtension.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/Eccube/Twig/Extension/ignoreTwigSandboxErrorExtension.php b/src/Eccube/Twig/Extension/ignoreTwigSandboxErrorExtension.php index 4d0ad904588..5086c5317e8 100644 --- a/src/Eccube/Twig/Extension/ignoreTwigSandboxErrorExtension.php +++ b/src/Eccube/Twig/Extension/ignoreTwigSandboxErrorExtension.php 
@@ -55,13 +55,13 @@ function twig_include(Environment $env, $context, $template, $variables = [], $w
 {
 try {
 return \twig_include($env, $context, $template, $variables, $withContext, $ignoreMissing, $sandboxed);
- } catch (SecurityError $error) {
-
+ } catch (SecurityError $e) {
 $appEnv = $_SERVER['APP_ENV'];
 // devではエラーが表示されるようにする
 if ($appEnv == 'dev') {
- throw $error;
+ throw $e;
 } else {
+ log_warning($e->getMessage(), ['exception' => $e]);
 $sandbox = $env->getExtension(SandboxExtension::class);
 if (!$sandbox->isSandboxedGlobally()) {
From 9a7d2474895eaa81aa43d69c7272f972f4f8e32e Mon Sep 17 00:00:00 2001
From: daichi_otani
Date: Fri, 8 Sep 2023 17:49:00 +0900
Subject: [PATCH 10/21] =?UTF-8?q?UnitTest=E3=82=92=E8=BF=BD=E5=8A=A0?= =?UTF-8?q?=EF=BC=88=E5=AE=9F=E8=A3=85=E9=80=94=E4=B8=AD=EF=BC=89?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../IgnoreTwigSandboxErrorExtensionTest.php | 107 ++++++++++++++++++
 1 file changed, 107 insertions(+)
 create mode 100644 tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php
diff --git a/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php b/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php
new file mode 100644
index 00000000000..bda23a231e7
--- /dev/null
+++ b/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php
@@ -0,0 +1,107 @@ +get(EccubeConfig::class); + + // Twigを使用するテンプレートの読込み + $root = vfsStream::setup(); + $this->templateDir = $root->url(); + + foreach ($this->template as $twig_file) { + // Preventing undefined errors + file_put_contents($this->templateDir.'/'.$twig_file, ''); + } + + $loader = new \Twig\Loader\FilesystemLoader([ + $this->templateDir, + ]); + + $tags = ['if', 'for', 'set', 'do']; + $filters = ['escape', 'join', 'length', 'escape', 'date']; + $functions = ['range']; + + $policy = new \Twig\Sandbox\SecurityPolicy($tags, $filters, [], [], $functions); + $sandbox = new \Twig\Extension\SandboxExtension($policy, true); + + $this->twig = new \Twig\Environment($loader); + $this->twig->addExtension(new \Twig\Extension\StringLoaderExtension()); + $this->twig->addExtension($sandbox); + } + + public function twigKeyWords() + { + // 第1要素:入力値 + // 第2要素:成功か否か + return [ + // Tag + ['{{ random(1, 100) }}', true], + ['{ "hello world"|upper }', true], + ['{dump(app)}', false], + ['{% do 1 + 2 %}', false], + ]; + } + + /** + * @dataProvider twigKeyWords + */ + public function testIgnoreSandboxFreeArea($context, $expected) + { + $file = $this->templateDir.'/'.$this->template[0]; + $source = "
{{ include(template_from_string(" . $context . ")) }}
"; + + file_put_contents($file, $source); + + $actual = true; + try { + ignoreTwigSandboxErrorExtension::twig_include($this->twig, [], $this->template[0], [], true, false, true); + } catch (SecurityError $e) { + $actual = false; + } + + $this->assertSame($expected, $actual); + } +} \ No newline at end of file From 1d1ce0ad4bda6eecb4a7490de3aed0b16bb935c6 Mon Sep 17 00:00:00 2001 From: daichi_otani Date: Tue, 12 Sep 2023 10:36:29 +0900 Subject: [PATCH 11/21] =?UTF-8?q?fix:=E3=83=AC=E3=83=93=E3=83=A5=E3=83=BC?= =?UTF-8?q?=E5=AF=BE=E5=BF=9C?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../template/default/default_frame.twig | 4 +-- ...hp => IgnoreTwigSandboxErrorExtension.php} | 36 ++++++++++--------- 2 files changed, 21 insertions(+), 19 deletions(-) rename src/Eccube/Twig/Extension/{ignoreTwigSandboxErrorExtension.php => IgnoreTwigSandboxErrorExtension.php} (57%) diff --git a/src/Eccube/Resource/template/default/default_frame.twig b/src/Eccube/Resource/template/default/default_frame.twig index a3768a5343b..51d3fa35ed1 100644 --- a/src/Eccube/Resource/template/default/default_frame.twig +++ b/src/Eccube/Resource/template/default/default_frame.twig @@ -51,9 +51,7 @@ file that was distributed with this source code. {{ include('block.twig', {'Blocks': Layout.Head}) }} {% endif %} {# プラグイン用styleseetやmetatagなど #} - {% if plugin_assets is defined %} - {{ include('@admin/snippet.twig', { snippets: plugin_assets },sandboxed = true) }} - {% endif %} + {% if plugin_assets is defined %}{{ include('@admin/snippet.twig', { snippets: plugin_assets }) }}{% endif %} diff --git a/src/Eccube/Twig/Extension/ignoreTwigSandboxErrorExtension.php b/src/Eccube/Twig/Extension/IgnoreTwigSandboxErrorExtension.php similarity index 57% rename from src/Eccube/Twig/Extension/ignoreTwigSandboxErrorExtension.php rename to src/Eccube/Twig/Extension/IgnoreTwigSandboxErrorExtension.php index 5086c5317e8..32b928c5857 100644 
--- a/src/Eccube/Twig/Extension/ignoreTwigSandboxErrorExtension.php +++ b/src/Eccube/Twig/Extension/IgnoreTwigSandboxErrorExtension.php @@ -23,7 +23,7 @@ /** * \vendor\twig\twig\src\Extension\CoreExtension の拡張 */ -class ignoreTwigSandboxErrorExtension extends AbstractExtension +class IgnoreTwigSandboxErrorExtension extends AbstractExtension { /** * {@inheritdoc} @@ -47,28 +47,32 @@ public function getFunctions(): array * @param $withContext * @param $ignoreMissing * @param $sandboxed + * * @return string|void + * * @throws LoaderError * @throws SecurityError */ - function twig_include(Environment $env, $context, $template, $variables = [], $withContext = true, $ignoreMissing = false, $sandboxed = false) + public function twig_include(Environment $env, $context, $template, $variables = [], $withContext = true, $ignoreMissing = false, $sandboxed = false) { - try { - return \twig_include($env, $context, $template, $variables, $withContext, $ignoreMissing, $sandboxed); - } catch (SecurityError $e) { - $appEnv = $_SERVER['APP_ENV']; - // devではエラーが表示されるようにする - if ($appEnv == 'dev') { - throw $e; - } else { - log_warning($e->getMessage(), ['exception' => $e]); - $sandbox = $env->getExtension(SandboxExtension::class); + try { + return \twig_include($env, $context, $template, $variables, $withContext, $ignoreMissing, $sandboxed); + } catch (SecurityError $e) { + + // devではエラー画面が表示されるようにする + $appEnv = env('APP_ENV'); + if ($appEnv === 'dev') { + throw $e; + } else { + // ログ出力 + log_warning($e->getMessage(), ['exception' => $e]); - if (!$sandbox->isSandboxedGlobally()) { - $sandbox->disableSandbox(); - } + // 例外がスローされた場合、sandboxが効いた状態になってしまうため追加 + $sandbox = $env->getExtension(SandboxExtension::class); + if (!$sandbox->isSandboxedGlobally()) { + $sandbox->disableSandbox(); } } } - + } } From a9a4e1ca2e494ec7de1e2d30a8f100e256212e44 Mon Sep 17 00:00:00 2001 
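Review bot: Whether a policy violation is surfaced or swallowed is decided by `env('APP_ENV')` read inside the Twig function at render time, so the security behaviour of this extension depends on process environment that the service container does not declare and that a test cannot inject. Pass the decision in through the constructor instead — bind `%kernel.environment%` in the service definition to a `private string $environment` — so the catch block becomes `if ($this->environment === 'dev') { throw $e; }`; if `env()` is the project helper around the process environment, this also removes that hidden dependency. In the swallowed branch the method falls off the end and returns null although the docblock promises `string|void`; add `return '';` after the sandbox handling so the include renders an empty string by contract rather than by coercion. The enclosing class `IgnoreTwigSandboxErrorExtension` continues outside this hunk (`getFunctions()` is in the unseen part).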
From: daichi_otani Date: Wed, 13 Sep 2023 10:54:04 +0900 Subject: [PATCH 12/21] =?UTF-8?q?=E5=A4=89=E6=95=B0=E3=81=AE=E3=83=9B?= =?UTF-8?q?=E3=83=AF=E3=82=A4=E3=83=88=E3=83=AA=E3=82=B9=E3=83=88=E8=BF=BD?= =?UTF-8?q?=E5=8A=A0=E3=83=BBservice.yaml=E3=81=AB=E5=AE=9A=E7=BE=A9?= =?UTF-8?q?=E3=82=92=E7=A7=BB=E5=8B=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- app/Customize/Resource/config/services.yaml | 68 +++++++++++++++++++ .../eccube/packages/twig_extensions.yaml | 66 +----------------- 2 files changed, 70 insertions(+), 64 deletions(-) create mode 100644 app/Customize/Resource/config/services.yaml diff --git a/app/Customize/Resource/config/services.yaml b/app/Customize/Resource/config/services.yaml new file mode 100644 index 00000000000..45316ca33a2 --- /dev/null +++ b/app/Customize/Resource/config/services.yaml 
@@ -0,0 +1,68 @@ +parameters: + eccube.twig_sandbox.allowed_tags: + - 'autoescape' + - 'filter' + - 'do' + - 'flush' + - 'for' + - 'set' + - 'verbatim' + - 'if' + - 'spaceless' + eccube.twig_sandbox.allowed_filters: + - 'abs' + - 'batch' + - 'capitalize' + - 'convert_encoding' + - 'date' + - 'date_modify' + - 'default' + - 'escape' + - 'first' + - 'format' + - 'join' + - 'json_encode' + - 'keys' + - 'last' + - 'length' + - 'lower' + - 'merge' + - 'nl2br' + - 'number_format' + - 'replace' + - 'reverse' + - 'slice' + - 'sort' + - 'split' + - 'striptags' + - 'title' + - 'trim' + - 'upper' + - 'url_encode' + - 'trans' + - 'date_day' + - 'date_day_with_weekday' + - 'date_format' + - 'date_min' + - 'date_sec' + - 'price' + - 'ellipsis' + - 'time_ago' + - 'file_ext_icon' + - 'no_image_product' + - 'purify' + eccube.twig_sandbox.allowed_functions: + - 'attribute' + - 'constant' + - 'cycle' + - 'date' + - 'random' + - 'range' + - 'url' + - 'asset' + - 'path' + - 'is_granted' + eccube.twig_sandbox.allowed_methods: + 'Symfony\Bridge\Twig\AppVariable': [ 'getrequest' ] + 'Symfony\Component\HttpFoundation\Request': [ 'geturi' ] + eccube.twig_sandbox.allowed_properties: [] \ No newline at end of file diff --git a/app/config/eccube/packages/twig_extensions.yaml b/app/config/eccube/packages/twig_extensions.yaml index 27a274b645d..019e0401517 100644 --- a/app/config/eccube/packages/twig_extensions.yaml +++ b/app/config/eccube/packages/twig_extensions.yaml 
@@ -15,73 +15,11 @@ services: $allowedTags: "%eccube.twig_sandbox.allowed_tags%" $allowedFilters: "%eccube.twig_sandbox.allowed_filters%" $allowedFunctions: "%eccube.twig_sandbox.allowed_functions%" + $allowedMethods: "%eccube.twig_sandbox.allowed_methods%" + $allowedProperties: "%eccube.twig_sandbox.allowed_properties%" eccube.twig_sandbox.extension: class: Twig\Extension\SandboxExtension arguments: - '@eccube.twig_sandbox.policy' - false tags: ['twig.extension'] -parameters: - eccube.twig_sandbox.allowed_tags: - - 'autoescape' - - 'filter' - - 'do' - - 'flush' - - 'for' - - 'set' - - 'verbatim' - - 'if' - - 'spaceless' - eccube.twig_sandbox.allowed_filters: - - 'abs' - - 'batch' - - 'capitalize' - - 'convert_encoding' - - 'date' - - 'date_modify' - - 'default' - - 'escape' - - 'first' - - 'format' - - 'join' - - 'json_encode' - - 'keys' - - 'last' - - 'length' - - 'lower' - - 'merge' - - 'nl2br' - - 'number_format' - - 'replace' - - 'reverse' - - 'slice' - - 'sort' - - 'split' - - 'striptags' - - 'title' - - 'trim' - - 'upper' - - 'url_encode' - - 'trans' - - 'date_day' - - 'date_day_with_weekday' - - 'date_format' - - 'date_min' - - 'date_sec' - - 'price' - - 'ellipsis' - - 'time_ago' - - 'file_ext_icon' - - 'no_image_product' - - 'purify' - eccube.twig_sandbox.allowed_functions: - - 'attribute' - - 'constant' - - 'cycle' - - 'date' - - 'random' - - 'range' - - 'url' - - 'asset' - - 'path' - - 'is_granted' From 593732e159f9ef3368622020ae252f5c885d03b5 Mon Sep 17 00:00:00 2001 
From: daichi_otani Date: Wed, 13 Sep 2023 11:02:51 +0900 Subject: [PATCH 13/21] =?UTF-8?q?=E5=AF=BE=E5=BF=9C=E4=B8=8D=E8=A6=81?= =?UTF-8?q?=E9=83=A8=E5=88=86=E3=81=AE=E3=83=AD=E3=83=BC=E3=83=AB=E3=83=90?= =?UTF-8?q?=E3=83=83=E3=82=AF?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- app/Customize/Resource/config/services.yaml | 68 ------------------- .../eccube/packages/twig_extensions.yaml | 68 +++++++++++++++++++ 2 files changed, 68 insertions(+), 68 deletions(-) delete mode 100644 app/Customize/Resource/config/services.yaml diff --git a/app/Customize/Resource/config/services.yaml b/app/Customize/Resource/config/services.yaml deleted file mode 100644 index 45316ca33a2..00000000000 --- a/app/Customize/Resource/config/services.yaml +++ /dev/null 
@@ -1,68 +0,0 @@ -parameters: - eccube.twig_sandbox.allowed_tags: - - 'autoescape' - - 'filter' - - 'do' - - 'flush' - - 'for' - - 'set' - - 'verbatim' - - 'if' - - 'spaceless' - eccube.twig_sandbox.allowed_filters: - - 'abs' - - 'batch' - - 'capitalize' - - 'convert_encoding' - - 'date' - - 'date_modify' - - 'default' - - 'escape' - - 'first' - - 'format' - - 'join' - - 'json_encode' - - 'keys' - - 'last' - - 'length' - - 'lower' - - 'merge' - - 'nl2br' - - 'number_format' - - 'replace' - - 'reverse' - - 'slice' - - 'sort' - - 'split' - - 'striptags' - - 'title' - - 'trim' - - 'upper' - - 'url_encode' - - 'trans' - - 'date_day' - - 'date_day_with_weekday' - - 'date_format' - - 'date_min' - - 'date_sec' - - 'price' - - 'ellipsis' - - 'time_ago' - - 'file_ext_icon' - - 'no_image_product' - - 'purify' - eccube.twig_sandbox.allowed_functions: - - 'attribute' - - 'constant' - - 'cycle' - - 'date' - - 'random' - - 'range' - - 'url' - - 'asset' - - 'path' - - 'is_granted' - eccube.twig_sandbox.allowed_methods: - 'Symfony\Bridge\Twig\AppVariable': [ 'getrequest' ] - 'Symfony\Component\HttpFoundation\Request': [ 'geturi' ] - eccube.twig_sandbox.allowed_properties: [] \ No newline at end of file diff --git a/app/config/eccube/packages/twig_extensions.yaml b/app/config/eccube/packages/twig_extensions.yaml index 019e0401517..bd265cafb25 100644 --- a/app/config/eccube/packages/twig_extensions.yaml +++ b/app/config/eccube/packages/twig_extensions.yaml 
@@ -23,3 +23,71 @@ services: - '@eccube.twig_sandbox.policy' - false tags: ['twig.extension'] +parameters: + eccube.twig_sandbox.allowed_tags: + - 'autoescape' + - 'filter' + - 'do' + - 'flush' + - 'for' + - 'set' + - 'verbatim' + - 'if' + - 'spaceless' + eccube.twig_sandbox.allowed_filters: + - 'abs' + - 'batch' + - 'capitalize' + - 'convert_encoding' + - 'date' + - 'date_modify' + - 'default' + - 'escape' + - 'first' + - 'format' + - 'join' + - 'json_encode' + - 'keys' + - 'last' + - 'length' + - 'lower' + - 'merge' + - 'nl2br' + - 'number_format' + - 'replace' + - 'reverse' + - 'slice' + - 'sort' + - 'split' + - 'striptags' + - 'title' + - 'trim' + - 'upper' + - 'url_encode' + - 'trans' + - 'date_day' + - 'date_day_with_weekday' + - 'date_format' + - 'date_min' + - 'date_sec' + - 'price' + - 'ellipsis' + - 'time_ago' + - 'file_ext_icon' + - 'no_image_product' + - 'purify' + eccube.twig_sandbox.allowed_functions: + - 'attribute' + - 'constant' + - 'cycle' + - 'date' + - 'random' + - 'range' + - 'url' + - 'asset' + - 'path' + - 'is_granted' + eccube.twig_sandbox.allowed_methods: + 'Symfony\Bridge\Twig\AppVariable': [ 'getrequest' ] + 'Symfony\Component\HttpFoundation\Request': [ 'geturi' ] + eccube.twig_sandbox.allowed_properties: [] \ No newline at end of file From d454074d23ed34229ba378d59648d538a126287f Mon Sep 17 00:00:00 2001 From: daichi_otani Date: Wed, 13 Sep 2023 16:24:02 +0900 Subject: [PATCH 14/21] =?UTF-8?q?=E3=83=9B=E3=83=AF=E3=82=A4=E3=83=88?= =?UTF-8?q?=E3=83=AA=E3=82=B9=E3=83=88=E3=81=AE=E8=BF=BD=E5=8A=A0=E3=83=BB?= =?UTF-8?q?=E4=BF=AE=E6=AD=A3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../eccube/packages/twig_extensions.yaml | 102 +++++++++++++++--- 1 file changed, 90 insertions(+), 12 deletions(-) diff --git a/app/config/eccube/packages/twig_extensions.yaml b/app/config/eccube/packages/twig_extensions.yaml index bd265cafb25..b9ecee2c3c8 100644 
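Review bot: The method allow-list is written in lower case (`getrequest`, `geturi`), which only works because `Twig\Sandbox\SecurityPolicy` lowercases configured method names before comparing; a reader extending this list cannot know that, so write them as the real names `getRequest` / `getUri` and add `# method names are matched case-insensitively by Twig\Sandbox\SecurityPolicy` above `eccube.twig_sandbox.allowed_methods`. It is also worth stating in a comment that `Request::getUri` hands sandboxed content the full request URL including the query string — output autoescaping still applies, but this is the one request-derived value merchant content can now reflect, so it should be a deliberate choice rather than an unexplained entry.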
--- a/app/config/eccube/packages/twig_extensions.yaml +++ b/app/config/eccube/packages/twig_extensions.yaml 
@@ -25,68 +25,146 @@ services: tags: ['twig.extension'] parameters: eccube.twig_sandbox.allowed_tags: - - 'autoescape' - - 'filter' - - 'do' + - 'apply' + - 'block' + - 'deprecated' + - 'embed' + - 'extends' - 'flush' - 'for' - - 'set' - - 'verbatim' - 'if' + - 'set' - 'spaceless' + - 'verbatim' + - 'with' + - 'form_theme' + - 'stopwatch' + - 'trans' + - 'trans_default_domain' eccube.twig_sandbox.allowed_filters: - 'abs' - 'batch' - 'capitalize' + - 'column' - 'convert_encoding' + - 'country_name' + - 'currency_name' + - 'currency_symbol' - 'date' - 'date_modify' - 'default' - 'escape' - 'first' - 'format' + - 'format_currency' + - 'format_date' + - 'format_datetime' + - 'format_number' + - 'format_time' - 'join' - 'json_encode' - 'keys' + - 'language_name' - 'last' - 'length' + - 'locale_name' - 'lower' - 'merge' - 'nl2br' - 'number_format' - 'replace' - 'reverse' + - 'round' - 'slice' - - 'sort' + - 'spaceless' - 'split' - 'striptags' + - 'timezone_name' - 'title' - 'trim' - 'upper' - 'url_encode' + - 'abbr_class' + - 'abbr_method' + - 'file_link' + - 'file_relative' + - 'format_args' + - 'format_args_as_text' + - 'humanize' + - 'serialize' - 'trans' + - 'yaml_dump' + - 'yaml_encode' + - 'currency_symbol' - 'date_day' - 'date_day_with_weekday' - 'date_format' - 'date_min' - 'date_sec' - - 'price' + - 'doctrine_format_sql' + - 'doctrine_prettify_sql' + - 'doctrine_pretty_query' + - 'doctrine_replace_query_parameters' + - 'e' - 'ellipsis' - - 'time_ago' - 'file_ext_icon' + - 'form_encode_currency' + - 'format_*_number' + - 'format_log_message' - 'no_image_product' + - 'price' - 'purify' + - 'time_ago' eccube.twig_sandbox.allowed_functions: - - 'attribute' - - 'constant' - 'cycle' - 'date' + - 'max' + - 'min' - 'random' - 'range' - - 'url' + - 'country_timezones' + - 'absolute_url' - 'asset' - - 'path' + - 'asset_version' + - 'csrf_token' + - 'form_parent' + - 'fragment_uri' + - 'impersonation_exit_path' + - 'impersonation_exit_url' - 'is_granted' + - 'logout_path' 
+ - 'logout_url' + - 'path' + - 'relative_path' + - 't' + - 'url' + - 'active_menus' + - 'class_categories_as_json' + - 'country_names' + - 'csrf_token_for_anchor' + - 'currency_names' + - 'currency_symbol' + - 'field_choices' + - 'field_errors' + - 'field_help' + - 'field_label' + - 'field_name' + - 'field_value' + - 'get_all_carts' + - 'get_cart' + - 'get_carts_total_price' + - 'get_carts_total_quantity' + - 'has_errors' + - 'is_reduced_tax_rate' + - 'language_names' + - 'product' + - 'workflow_can' + - 'workflow_has_marked_place' + - 'workflow_marked_places' + - 'workflow_metadata' + - 'workflow_transition' + - 'workflow_transition_blockers' + - 'workflow_transitions' eccube.twig_sandbox.allowed_methods: 'Symfony\Bridge\Twig\AppVariable': [ 'getrequest' ] 'Symfony\Component\HttpFoundation\Request': [ 'geturi' ] From 090e97e8cf9422a1cf604bbbf9ae76cb65768a52 Mon Sep 17 00:00:00 2001 From: daichi_otani Date: Thu, 14 Sep 2023 10:09:38 +0900 Subject: [PATCH 15/21] =?UTF-8?q?=E3=83=86=E3=82=B9=E3=83=88=E3=82=B1?= =?UTF-8?q?=E3=83=BC=E3=82=B9=E3=81=AE=E3=83=9E=E3=83=BC=E3=82=B8=E3=83=BB?= =?UTF-8?q?date=E7=B3=BB=E3=83=86=E3=82=B9=E3=83=88=E3=81=AE=E4=B8=80?= =?UTF-8?q?=E9=83=A8=E4=BF=AE=E6=AD=A3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../IgnoreTwigSandboxErrorExtensionTest.php | 130 +++++++++--------- 1 file changed, 62 insertions(+), 68 deletions(-) diff --git a/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php b/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php index bda23a231e7..e0aa9db5f37 100644 --- a/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php +++ b/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php 
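Review bot: `'format_*_number'` in `eccube.twig_sandbox.allowed_filters` is inert as far as I can see: `SecurityPolicy` compares the filter name exactly as written in the template (`format_decimal_number`, …) against the list with a plain `in_array`, so a pattern entry never matches and every concrete `format_*_number` use still raises `SecurityError` — list the concrete names instead. Several added filters are, by their names and origin, Symfony/Doctrine debug and profiler helpers (`abbr_class`, `abbr_method`, `file_link`, `file_relative`, `format_args`, `format_args_as_text`, `format_log_message`, the `doctrine_*` entries, `yaml_dump`, `serialize`) whose purpose is to expose internals such as file paths and query parameters; the list reads like a dump of every registered filter, and for merchant-editable content it should be trimmed to what a shop front needs, with a one-line comment per group saying why it is allowed. `currency_symbol` appears twice in the filter list. Allowing `extends`/`embed`/`block` lets a sandboxed snippet pull in other templates the loader can resolve (their own checks then run inside the sandbox, so most will be rejected); if that is intended, say so, e.g. `# extends/embed allowed so free areas can reuse front templates; 'include' stays excluded`.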
@@ -13,95 +13,89 @@ namespace Eccube\Tests\Twig\Extension; -use Eccube\Common\EccubeConfig; -//use Eccube\Tests\EccubeTestCase; use Eccube\Tests\Web\AbstractWebTestCase; -use Eccube\Twig\Extension\ignoreTwigSandboxErrorExtension; -use Twig\Sandbox\SecurityError; -use org\bovigo\vfs\vfsStream; -use Twig\Extension\StringLoaderExtension; +use Eccube\Entity\Page; class IgnoreTwigSandboxErrorExtensionTest extends AbstractWebTestCase { - /** - * @var ignoreTwigSandboxErrorExtension - */ - protected $sandbox; - - /** - * @var Twig\Environment - */ - protected $twig; - - protected $templateDir; /** - * @var String + * @dataProvider twigSnippetsProvider + * @dataProvider twigVarFreeAreaProvider */ - protected $template = [ - 'test_freearea.twig', - 'test_metatag.twig', - ]; - - protected function setUp(): void + public function testFreeArea($snippet, $whitelisted) { - parent::setUp(); - $EccubeConfig = static::getContainer()->get(EccubeConfig::class); + $Product = $this->createProduct(); + $Product->setFreeArea('__RENDERED__'.$snippet); + $this->entityManager->flush(); - // Twigを使用するテンプレートの読込み - $root = vfsStream::setup(); - $this->templateDir = $root->url(); + $crawler = $this->client->request('GET', $this->generateUrl('product_detail', ['id' => $Product->getId()])); + $text = $crawler->text(); - foreach ($this->template as $twig_file) { - // Preventing undefined errors - file_put_contents($this->templateDir.'/'.$twig_file, ''); - } - - $loader = new \Twig\Loader\FilesystemLoader([ - $this->templateDir, - ]); + // $snippetがsandboxで制限された場合はフリーエリアは空で出力されるため、__RENDERED__の出力有無で結果を確認する + self::assertStringContainsString($whitelisted ? 
'__RENDERED__' : '', $text); + } - $tags = ['if', 'for', 'set', 'do']; - $filters = ['escape', 'join', 'length', 'escape', 'date']; - $functions = ['range']; + /** + * @dataProvider twigSnippetsProvider + * @dataProvider twigVarMetaTagsProvider + */ + public function testMetatags($snippet, $whitelisted) + { + $Page = $this->entityManager->getRepository(Page::class)->find(1); + $Page->setMetaTags('__RENDERED__'.$snippet); + $this->entityManager->flush(); - $policy = new \Twig\Sandbox\SecurityPolicy($tags, $filters, [], [], $functions); - $sandbox = new \Twig\Extension\SandboxExtension($policy, true); + $crawler = $this->client->request('GET', $this->generateUrl($Page->getUrl())); + $text = $crawler->text(); - $this->twig = new \Twig\Environment($loader); - $this->twig->addExtension(new \Twig\Extension\StringLoaderExtension()); - $this->twig->addExtension($sandbox); + // $snippetがsandboxで制限された場合はメタタグエリアは空で出力されるため、__RENDERED__の出力有無で結果を確認する + self::assertStringContainsString($whitelisted ? '__RENDERED__' : '', $text); } - public function twigKeyWords() + public function twigSnippetsProvider() { - // 第1要素:入力値 - // 第2要素:成功か否か + // 0: twigスニペット, 1: ホワイトリスト対象かどうか return [ - // Tag + ['{% set foo = "bar" %}', true], + ['{% spaceless %}
test
{% endspaceless %}', true], + ['{% flush %}', true], + ['{% apply lower|escape("html") %}SOME TEXT{% endapply %}', false], + ['{% macro input(name, value, type = "text", size = 20) %}{% endmacro %}', false], + ['{% sandbox %}{% include "user.html" %}{% endsandbox %}', false], + ['{{ "-5"|abs }}', true], + ['{{ "2020/02/01"|date_modify("+1 day")|date("m/d/Y") }}', true], + ['{{ [1, 2, 3, 4]|first }}', true], + ['{{ file|format_file(line, text = null) }}', false], + ['{{ [1, 2, 3]|reduce((carry, v) => carry + v) }}', false], + ['{{ "

test

" |raw }}', false], + ['{{ url("homepage") }}', true], ['{{ random(1, 100) }}', true], - ['{ "hello world"|upper }', true], - ['{dump(app)}', false], - ['{% do 1 + 2 %}', false], + ['{% for i in range(3, 0) %} {{ i }}, {% endfor %}', true], + ['{{ dump(9) }}', false], + ['{{ constant("RSS", date) }}', false], + ['{{ include(template_from_string("Hello")) }}', false], ]; } - /** - * @dataProvider twigKeyWords - */ - public function testIgnoreSandboxFreeArea($context, $expected) + public function twigVarFreeAreaProvider() { - $file = $this->templateDir.'/'.$this->template[0]; - $source = "
{{ include(template_from_string(" . $context . ")) }}
"; - - file_put_contents($file, $source); - - $actual = true; - try { - ignoreTwigSandboxErrorExtension::twig_include($this->twig, [], $this->template[0], [], true, false, true); - } catch (SecurityError $e) { - $actual = false; - } + // 0: twigスニペット, 1: ホワイトリスト対象かどうか + return [ + ['{{ app.user }}', false], + ['{{ Product.name }}', true], + ['{{ app.request.uri }}', true], + ['{{ app.request.getUri }}', true], + ]; + } - $this->assertSame($expected, $actual); + public function twigVarMetaTagsProvider() + { + // 0: twigスニペット, 1: ホワイトリスト対象かどうか + return [ + ['{{ app.debug }}', false], + ['{{ BaseInfo.shop_name }}', true], + ['{{ app.request.uri }}', true], + ['{{ app.request.getUri }}', true], + ]; } } \ No newline at end of file From 34a3a5d06148f874a5e4001c9c472053c2ad90d3 Mon Sep 17 00:00:00 2001 From: Chihiro Adachi <8196725+chihiro-adachi@users.noreply.github.com> Date: Thu, 14 Sep 2023 10:23:47 +0900 Subject: [PATCH 16/21] fix cs --- .../Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php b/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php index e0aa9db5f37..1a1869b06b1 100644 --- a/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php +++ b/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php @@ -13,8 +13,8 @@ namespace Eccube\Tests\Twig\Extension; -use Eccube\Tests\Web\AbstractWebTestCase; use Eccube\Entity\Page; +use Eccube\Tests\Web\AbstractWebTestCase; class IgnoreTwigSandboxErrorExtensionTest extends AbstractWebTestCase { @@ -98,4 +98,4 @@ public function twigVarMetaTagsProvider() ['{{ app.request.getUri }}', true], ]; } -} \ No newline at end of file +} From 45e47df6919290672a885ed8a27ea2d2ac6ff2c9 Mon Sep 17 00:00:00 2001 
From: daichi_otani Date: Wed, 18 Oct 2023 13:23:33 +0900 Subject: [PATCH 17/21] =?UTF-8?q?fix:=5F=5FtoString=E3=82=92=E8=A8=B1?= =?UTF-8?q?=E5=8F=AF=E3=81=99=E3=82=8B=E4=BF=AE=E6=AD=A3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../eccube/packages/twig_extensions.yaml | 2 + .../Twig/SandBox/SecurityPolicyDecorator.php | 47 +++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 src/Eccube/Twig/SandBox/SecurityPolicyDecorator.php diff --git a/app/config/eccube/packages/twig_extensions.yaml b/app/config/eccube/packages/twig_extensions.yaml index b9ecee2c3c8..6b713dd5d22 100644 --- a/app/config/eccube/packages/twig_extensions.yaml +++ b/app/config/eccube/packages/twig_extensions.yaml @@ -23,6 +23,8 @@ services: - '@eccube.twig_sandbox.policy' - false tags: ['twig.extension'] + Eccube\Twig\Sandbox\SecurityPolicyDecorator: + decorates: 'eccube.twig_sandbox.policy' parameters: eccube.twig_sandbox.allowed_tags: - 'apply' diff --git a/src/Eccube/Twig/SandBox/SecurityPolicyDecorator.php b/src/Eccube/Twig/SandBox/SecurityPolicyDecorator.php new file mode 100644 index 00000000000..8615449624b --- /dev/null +++ b/src/Eccube/Twig/SandBox/SecurityPolicyDecorator.php @@ -0,0 +1,47 @@ +securityPolicy = $securityPolicy; + } + + public function checkSecurity($tags, $filters, $functions) + { + $this->securityPolicy->checkSecurity($tags, $filters, $functions); + } + + public function checkMethodAllowed($obj, $method) + { + // __toStringの場合はチェックをスキップする + if ($method === '__toString') { + return; + } + $this->securityPolicy->checkMethodAllowed($obj, $method); + } + + public function checkPropertyAllowed($obj, $method) + { + $this->securityPolicy->checkPropertyAllowed($obj, $method); + } +} \ No newline at end of file From 5171f05e1be69e9bab2a22feb01a621d9e083588 Mon Sep 17 00:00:00 2001 
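Review bot: checkMethodAllowed in SecurityPolicyDecorator returns early for `__toString` on every object, so implicit string conversion of any object reachable from the template context (request objects, entities, anything an allowed function returns) is exempt from the sandbox policy; as far as I can tell Twig routes `{{ obj }}` through exactly this check, which is why the stock SecurityPolicy requires `__toString` to be listed per class. If the intent is to let specific entities print, an allowlist of classes is the narrower fix, e.g. `if ($method === '__toString' && $obj instanceof <allowed class>) { return; }`, with the permitted classes named in the method docblock so the exception does not widen silently. Also `checkPropertyAllowed($obj, $method)` names its second parameter `$method` although it receives a property name; `$property` would match what it is. The class header and constructor of this new file are not legible in this view.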
From: daichi_otani Date: Wed, 18 Oct 2023 13:25:11 +0900 Subject: [PATCH 18/21] =?UTF-8?q?phpStan=E3=81=AE=E3=82=A8=E3=83=A9?= =?UTF-8?q?=E3=83=BC=E3=82=92=E7=84=A1=E8=A6=96=E3=81=99=E3=82=8B=E8=A8=AD?= =?UTF-8?q?=E5=AE=9A=E3=81=AE=E5=8F=96=E3=82=8A=E8=BE=BC=E3=81=BF?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- phpstan.neon.dist | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/phpstan.neon.dist b/phpstan.neon.dist index 213da6dad2a..b44c21c8885 100644 --- a/phpstan.neon.dist +++ b/phpstan.neon.dist @@ -1,2 +1,6 @@ parameters: level: 1 + ignoreErrors: + - + message: "#^Function twig_include not found\\.$#" + path: src/Eccube/Twig/Extension/IgnoreTwigSandboxErrorExtension.php \ No newline at end of file From 6128fc41611501caa46062f89cca862a5775faa9 Mon Sep 17 00:00:00 2001 From: daichi_otani Date: Wed, 18 Oct 2023 14:28:23 +0900 Subject: [PATCH 19/21] =?UTF-8?q?=E3=83=87=E3=82=A3=E3=83=AC=E3=82=AF?= =?UTF-8?q?=E3=83=88=E3=83=AA=E5=90=8D=E3=81=AE=E5=A4=89=E6=9B=B4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/Eccube/Twig/{SandBox => Sandbox}/SecurityPolicyDecorator.php | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename src/Eccube/Twig/{SandBox => Sandbox}/SecurityPolicyDecorator.php (100%) diff --git a/src/Eccube/Twig/SandBox/SecurityPolicyDecorator.php b/src/Eccube/Twig/Sandbox/SecurityPolicyDecorator.php similarity index 100% rename from src/Eccube/Twig/SandBox/SecurityPolicyDecorator.php rename to src/Eccube/Twig/Sandbox/SecurityPolicyDecorator.php From cd9aed337a4a1ef0462c88ad299fde471ba45f5f Mon Sep 17 00:00:00 2001 
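Review bot: The new ignoreErrors rule silences PHPStan's `Function twig_include not found` for src/Eccube/Twig/Extension/IgnoreTwigSandboxErrorExtension.php instead of resolving why the symbol is not found; as far as I know `twig_include` is one of Twig's global helper functions that later Twig 3.x releases deprecate in favour of `CoreExtension::include()`, so this removes the one static signal that would catch the call breaking on a Twig upgrade. A comment on the rule stating which Twig version defines the function and why the class method is not used would keep the suppression from outliving its reason, e.g. `# twig_include is a global function in Twig <version>; revisit when upgrading Twig`.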
From: daichi_otani Date: Wed, 18 Oct 2023 14:40:01 +0900 Subject: [PATCH 20/21] =?UTF-8?q?=E3=83=A6=E3=83=8B=E3=83=83=E3=83=88?= =?UTF-8?q?=E3=83=86=E3=82=B9=E3=83=88=E3=81=AE=E8=BF=BD=E5=8A=A0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php b/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php index 1a1869b06b1..3973c7c5741 100644 --- a/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php +++ b/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php @@ -74,6 +74,7 @@ public function twigSnippetsProvider() ['{{ dump(9) }}', false], ['{{ constant("RSS", date) }}', false], ['{{ include(template_from_string("Hello")) }}', false], + ['{{ Product.main_list_image|no_image_product }}', true], ]; } From 440a612c77005b2538998950e960fa6262aecf8c Mon Sep 17 00:00:00 2001 From: daichi_otani Date: Fri, 20 Oct 2023 13:04:50 +0900 Subject: [PATCH 21/21] =?UTF-8?q?=E3=83=A6=E3=83=8B=E3=83=83=E3=83=88?= =?UTF-8?q?=E3=83=86=E3=82=B9=E3=83=88=E3=81=AE=E8=BF=BD=E5=8A=A0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../IgnoreTwigSandboxErrorExtensionTest.php | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php b/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php index 3973c7c5741..cac1c1b2fc8 100644 --- a/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php +++ b/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php 
@@ -48,8 +48,15 @@ public function testMetatags($snippet, $whitelisted) $crawler = $this->client->request('GET', $this->generateUrl($Page->getUrl())); $text = $crawler->text(); - // $snippetがsandboxで制限された場合はメタタグエリアは空で出力されるため、__RENDERED__の出力有無で結果を確認する - self::assertStringContainsString($whitelisted ? '__RENDERED__' : '', $text); + // ホワイトリストに入っている場合__RENDERED__が表示される + if ($whitelisted) { + self::assertStringContainsString('__RENDERED__', $text); + } else { + self::assertStringNotContainsString('__RENDERED__', $text); + } + // 入力可能ではない値の場合は、システムエラーが発生する + self::assertStringNotContainsString('システムエラーが発生しました', $text); + } public function twigSnippetsProvider() @@ -59,7 +66,7 @@ public function twigSnippetsProvider() ['{% set foo = "bar" %}', true], ['{% spaceless %}
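Review bot: The added comment `// 入力可能ではない値の場合は、システムエラーが発生する` says a system error occurs for disallowed input, but the assertion directly below it checks the opposite, that `システムエラーが発生しました` is absent from the page; from the intent of the change (a blocked snippet degrades to empty output) the assertion is the correct one and the comment is misleading. Suggest `// a blocked snippet must fall back to empty output, never to the system-error page` in its place. testMetatags starts outside this hunk.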
test
{% endspaceless %}', true], ['{% flush %}', true], - ['{% apply lower|escape("html") %}SOME TEXT{% endapply %}', false], + ['{% apply lower|escape("html") %}SOME TEXT{% endapply %}', true], ['{% macro input(name, value, type = "text", size = 20) %}{% endmacro %}', false], ['{% sandbox %}{% include "user.html" %}{% endsandbox %}', false], ['{{ "-5"|abs }}', true],