Merge pull request #6061 from EC-CUBE/pick-for-4.0

脆弱性対応（4.0）
EC-CUBE · Nov 6, 2023 · f0df36d · f0df36d
2 parents 1b2e41f + a9645a7
commit f0df36d
Show file tree

Hide file tree

Showing 13 changed files with 414 additions and 18 deletions.
diff --git a/app/config/eccube/packages/twig_extensions.yaml b/app/config/eccube/packages/twig_extensions.yaml
@@ -8,3 +8,146 @@ services:
     #Twig\Extensions\DateExtension: ~
     Twig\Extensions\IntlExtension: ~
     #Twig\Extensions\TextExtension: ~
+
+    eccube.twig_sandbox.policy:
+        class: Twig\Sandbox\SecurityPolicy
+        arguments:
+            $allowedTags: "%eccube.twig_sandbox.allowed_tags%"
+            $allowedFilters: "%eccube.twig_sandbox.allowed_filters%"
+            $allowedFunctions: "%eccube.twig_sandbox.allowed_functions%"
+            $allowedMethods: "%eccube.twig_sandbox.allowed_methods%"
+            $allowedProperties: "%eccube.twig_sandbox.allowed_properties%"
+    eccube.twig_sandbox.extension:
+        class: Twig\Extension\SandboxExtension
+        arguments:
+            - '@eccube.twig_sandbox.policy'
+            - false
+        tags: ['twig.extension']
+    Eccube\Twig\Sandbox\SecurityPolicyDecorator:
+        decorates: 'eccube.twig_sandbox.policy'
+parameters:
+    eccube.twig_sandbox.allowed_tags:
+        - 'apply'
+        - 'block'
+        - 'deprecated'
+        - 'embed'
+        - 'extends'
+        - 'flush'
+        - 'for'
+        - 'if'
+        - 'set'
+        - 'spaceless'
+        - 'verbatim'
+        - 'with'
+        - 'form_theme'
+        - 'stopwatch'
+        - 'trans'
+        - 'trans_default_domain'
+    eccube.twig_sandbox.allowed_filters:
+        - 'abs'
+        - 'batch'
+        - 'capitalize'
+        - 'column'
+        - 'convert_encoding'
+        - 'date'
+        - 'date_modify'
+        - 'default'
+        - 'escape'
+        - 'first'
+        - 'format'
+        - 'join'
+        - 'json_encode'
+        - 'keys'
+        - 'last'
+        - 'length'
+        - 'lower'
+        - 'merge'
+        - 'nl2br'
+        - 'number_format'
+        - 'replace'
+        - 'reverse'
+        - 'round'
+        - 'slice'
+        - 'spaceless'
+        - 'split'
+        - 'striptags'
+        - 'title'
+        - 'trim'
+        - 'upper'
+        - 'url_encode'
+        - 'abbr_class'
+        - 'abbr_method'
+        - 'file_link'
+        - 'format_args'
+        - 'format_args_as_text'
+        - 'humanize'
+        - 'trans'
+        - 'yaml_dump'
+        - 'yaml_encode'
+        - 'date_day'
+        - 'date_day_with_weekday'
+        - 'date_format'
+        - 'date_min'
+        - 'date_sec'
+        - 'doctrine_pretty_query'
+        - 'doctrine_replace_query_parameters'
+        - 'e'
+        - 'ellipsis'
+        - 'file_ext_icon'
+        - 'form_encode_currency'
+        - 'format_log_message'
+        - 'no_image_product'
+        - 'price'
+        - 'time_ago'
+        - 'doctrine_minify_query'
+        - 'localizedcurrency'
+        - 'localizeddate'
+        - 'localizednumber'
+        - 'transchoice'
+    eccube.twig_sandbox.allowed_functions:
+        - 'cycle'
+        - 'date'
+        - 'max'
+        - 'min'
+        - 'random'
+        - 'range'
+        - 'absolute_url'
+        - 'asset'
+        - 'asset_version'
+        - 'csrf_token'
+        - 'is_granted'
+        - 'logout_path'
+        - 'logout_url'
+        - 'path'
+        - 'relative_path'
+        - 'url'
+        - 'active_menus'
+        - 'class_categories_as_json'
+        - 'csrf_token_for_anchor'
+        - 'currency_symbol'
+        - 'get_all_carts'
+        - 'get_cart'
+        - 'get_carts_total_price'
+        - 'get_carts_total_quantity'
+        - 'has_errors'
+        - 'is_reduced_tax_rate'
+        - 'product'
+        - 'workflow_can'
+        - 'workflow_has_marked_place'
+        - 'workflow_marked_places'
+        - 'workflow_transitions'
+        - 'device_version'
+        - 'full_view_url'
+        - 'is_android_os'
+        - 'is_device'
+        - 'is_full_view'
+        - 'is_ios'
+        - 'is_mobile'
+        - 'is_mobile_view'
+        - 'is_not_mobile_view'
+        - 'is_tablet'
+        - 'is_tablet_view'
+    eccube.twig_sandbox.allowed_methods:
+        'Symfony\Bridge\Twig\AppVariable': [ 'getrequest' ]
+        'Symfony\Component\HttpFoundation\Request': [ 'geturi' ]
+    eccube.twig_sandbox.allowed_properties: []
diff --git a/codeception/_support/AcceptanceTester.php b/codeception/_support/AcceptanceTester.php
@@ -100,6 +100,7 @@ public function logoutAsMember()
     {
         $I = $this;
         $I->amOnPage('/');
+        $I->wait(1);
         $isLogin = $I->grabTextFrom('.ec-headerNaviRole .ec-headerNav .ec-headerNav__item:nth-child(3) a');
         if ($isLogin == 'ログアウト') {
             $I->wait(1);

diff --git a/codeception/acceptance/EA06ContentsManagementCest.php b/codeception/acceptance/EA06ContentsManagementCest.php
@@ -240,7 +240,7 @@ public function contentsmanagement_レイアウト管理(\AcceptanceTester $I)
         LayoutEditPage::at($I)
             ->レイアウト名('あたらしいレイアウト')
             ->登録();
-
+        $I->wait(1);
         $I->see('保存しました');
     }
 

diff --git a/codeception/acceptance/EF02ProductCest.php b/codeception/acceptance/EF02ProductCest.php
@@ -109,6 +109,7 @@ public function product_商品一覧表示件数(\AcceptanceTester $I)
 
         // 表示件数の選択リストを変更する
         $listPage->表示件数設定(40);
+        $I->wait(1);
 
         // 変更された表示件数分が1画面に表示される
         $expected = ($productNum >= 40) ? 40 : $productNum;

diff --git a/composer.lock b/composer.lock
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "eccube",
-  "version": "4.0.6-p3",
+  "version": "4.0.6-p4",
   "description": "EC-CUBE EC open platform.",
   "main": "index.js",
   "directories": {

diff --git a/src/Eccube/Common/Constant.php b/src/Eccube/Common/Constant.php
@@ -18,7 +18,7 @@ class Constant
     /**
      * EC-CUBE VERSION.
      */
-    const VERSION = '4.0.6-p3';
+    const VERSION = '4.0.6-p4';
 
     /**
      * Enable value.

diff --git a/src/Eccube/Resource/template/default/Product/detail.twig b/src/Eccube/Resource/template/default/Product/detail.twig
@@ -375,7 +375,7 @@ file that was distributed with this source code.
         </div>
         {% if Product.freearea %}
              <div class="ec-productRole__description">
-                 {{ include(template_from_string(Product.freearea)) }}
+                 {{ include(template_from_string(Product.freearea), sandboxed = true) }}
             </div>
         {% endif %}
     </div>

diff --git a/src/Eccube/Resource/template/default/default_frame.twig b/src/Eccube/Resource/template/default/default_frame.twig
@@ -28,7 +28,7 @@ file that was distributed with this source code.
         <meta name="robots" content="{{ Page.meta_robots }}">
     {% endif %}
     {% if Page.meta_tags is not empty %}
-        {{ include(template_from_string(Page.meta_tags)) }}
+        {{ include(template_from_string(Page.meta_tags), sandboxed = true) }}
     {% endif %}
     <link rel="icon" href="{{ asset('assets/img/common/favicon.ico', 'user_data') }}">
     <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/3.4.1/css/bootstrap.min.css" integrity="sha384-HSMxcRTRxnN+Bdg0JdbxYKrThecOKuH5zCYotlSAcp1+c8xmyTe9GYg1l9a69psu" crossorigin="anonymous">