From ca46f00e8237185e1ca926e10fc7d9147c814454 Mon Sep 17 00:00:00 2001 From: shinya Date: Mon, 25 Sep 2023 13:58:47 +0900 Subject: [PATCH 01/13] =?UTF-8?q?4.0=E3=81=AB=E3=82=82=E5=A4=89=E6=9B=B4?= =?UTF-8?q?=E5=86=85=E5=AE=B9=E3=82=92=E9=81=A9=E7=94=A8?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
--- .../template/default/Product/detail.twig | 2 +- .../template/default/default_frame.twig | 2 +- .../IgnoreTwigSandboxErrorExtension.php | 78 ++++++++++++++ .../IgnoreTwigSandboxErrorExtensionTest.php | 101 ++++++++++++++++++ 4 files changed, 181 insertions(+), 2 deletions(-) create mode 100644 src/Eccube/Twig/Extension/IgnoreTwigSandboxErrorExtension.php create mode 100644 tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php
diff --git a/src/Eccube/Resource/template/default/Product/detail.twig b/src/Eccube/Resource/template/default/Product/detail.twig
index b0eb9c5c538..16d0cb0efbf 100755
--- a/src/Eccube/Resource/template/default/Product/detail.twig
+++ b/src/Eccube/Resource/template/default/Product/detail.twig
@@ -375,7 +375,7 @@ file that was distributed with this source code.
 {% if Product.freearea %}
- {{ include(template_from_string(Product.freearea)) }}
+ {{ include(template_from_string(Product.freearea), sandboxed = true) }}
{% endif %}
diff --git a/src/Eccube/Resource/template/default/default_frame.twig b/src/Eccube/Resource/template/default/default_frame.twig
index 1c83277beab..c97109c3efc 100644
--- a/src/Eccube/Resource/template/default/default_frame.twig
+++ b/src/Eccube/Resource/template/default/default_frame.twig
@@ -28,7 +28,7 @@ file that was distributed with this source code.
 {% endif %}
 {% if Page.meta_tags is not empty %}
- {{ include(template_from_string(Page.meta_tags)) }}
+ {{ include(template_from_string(Page.meta_tags), sandboxed = true) }}
 {% endif %}
diff --git a/src/Eccube/Twig/Extension/IgnoreTwigSandboxErrorExtension.php b/src/Eccube/Twig/Extension/IgnoreTwigSandboxErrorExtension.php
new file mode 100644
index 00000000000..210b8ff1fe5
--- /dev/null
+++ b/src/Eccube/Twig/Extension/IgnoreTwigSandboxErrorExtension.php
@@ -0,0 +1,78 @@
+ true, 'needs_context' => true, 'is_safe' => ['all']]),
+ ];
+ }
+
+ /**
+ * twig sandboxの例外を操作します
+ * app_env = devの場合、エラーを表示する
+ * app_env = prodの場合、エラーを表示しない
+ *
+ * @param Environment $env
+ * @param $context
+ * @param $template
+ * @param $variables
+ * @param $withContext
+ * @param $ignoreMissing
+ * @param $sandboxed
+ *
+ * @return string|void
+ *
+ * @throws LoaderError
+ * @throws SecurityError
+ */
+ public function twig_include(Environment $env, $context, $template, $variables = [], $withContext = true, $ignoreMissing = false, $sandboxed = false)
+ {
+ try {
+ return \twig_include($env, $context, $template, $variables, $withContext, $ignoreMissing, $sandboxed);
+ } catch (SecurityError $e) {
+
+ // devではエラー画面が表示されるようにする
+ $appEnv = env('APP_ENV');
+ if ($appEnv === 'dev') {
+ throw $e;
+ } else {
+ // ログ出力
+ log_warning($e->getMessage(), ['exception' => $e]);
+
+ // 例外がスローされた場合、sandboxが効いた状態になってしまうため追加
+ $sandbox = $env->getExtension(SandboxExtension::class);
+ if (!$sandbox->isSandboxedGlobally()) {
+ $sandbox->disableSandbox();
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
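Review bot: `sandboxed = true` takes effect only when a `Twig\Extension\SandboxExtension` is registered in the environment (Twig's `include` checks `$env->hasExtension(SandboxExtension::class)` and otherwise renders unsandboxed, if I read it correctly), and nothing in this commit registers one, so on its own this hunk still renders Product.freearea with the full Twig feature set; the default_frame.twig hunk for Page.meta_tags has the same gap. The extension is wired only in the later twig_extensions.yaml patch of this series, so either fold that wiring into this commit or add a test that fails when the extension is absent. The `{% if Product.freearea %}` block continues outside the hunk.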
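Review bot: The error path calls `$sandbox->disableSandbox()` without knowing whether a sandbox was already active before this call, so a SecurityError raised inside a nested sandboxed include, or inside an enclosing `{% sandbox %}`, switches the sandbox off for the rest of the outer render — the opposite of what the workaround comment intends. Capture `$sandbox->isSandboxed()` before calling `\twig_include` and only disable when it was false; the `isSandboxedGlobally()` test alone does not cover that case. The catch block also falls off the end and returns null while the docblock promises `string|void`; returning `''` matches what `\twig_include` returns for an ignored missing template. The hunk's first line is truncated in this view, so the class header, the imports and the start of getFunctions() cannot be checked.
```php
// … unchanged: getFunctions() …

    public function twig_include(Environment $env, $context, $template, $variables = [], $withContext = true, $ignoreMissing = false, $sandboxed = false)
    {
        // Remember whether a sandbox was already active (enclosing {% sandbox %} or a nested
        // sandboxed include) so the error path below does not switch it off for the caller.
        $sandbox = $env->hasExtension(SandboxExtension::class) ? $env->getExtension(SandboxExtension::class) : null;
        $wasSandboxed = $sandbox !== null && $sandbox->isSandboxed();

        try {
            return \twig_include($env, $context, $template, $variables, $withContext, $ignoreMissing, $sandboxed);
        } catch (SecurityError $e) {
            if (env('APP_ENV') === 'dev') {
                throw $e;
            }
            log_warning($e->getMessage(), ['exception' => $e]);

            // Undo only the sandbox state this call itself enabled.
            if ($sandbox !== null && !$wasSandboxed && !$sandbox->isSandboxedGlobally()) {
                $sandbox->disableSandbox();
            }

            // Mirror what \twig_include returns for an ignored missing template.
            return '';
        }
    }
```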
diff --git a/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php b/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php new file mode 100644 index 00000000000..859eec30450 --- /dev/null +++ b/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php @@ -0,0 +1,101 @@ +createProduct(); + $Product->setFreeArea('__RENDERED__'.$snippet); + $this->entityManager->flush(); + + $crawler = $this->client->request('GET', $this->generateUrl('product_detail', ['id' => $Product->getId()])); + $text = $crawler->text(); + + // $snippetがsandboxで制限された場合はフリーエリアは空で出力されるため、__RENDERED__の出力有無で結果を確認する + self::assertStringContainsString($whitelisted ? '__RENDERED__' : '', $text); + } + + /** + * @dataProvider twigSnippetsProvider + * @dataProvider twigVarMetaTagsProvider + */ + public function testMetatags($snippet, $whitelisted) + { + $Page = $this->entityManager->getRepository(Page::class)->find(1); + $Page->setMetaTags('__RENDERED__'.$snippet); + $this->entityManager->flush(); + + $crawler = $this->client->request('GET', $this->generateUrl($Page->getUrl())); + $text = $crawler->text(); + + // $snippetがsandboxで制限された場合はメタタグエリアは空で出力されるため、__RENDERED__の出力有無で結果を確認する + self::assertStringContainsString($whitelisted ? '__RENDERED__' : '', $text); + } + + public function twigSnippetsProvider() + { + // 0: twigスニペット, 1: ホワイトリスト対象かどうか + return [ + ['{% set foo = "bar" %}', true], + ['{% spaceless %}
test
{% endspaceless %}', true], + ['{% flush %}', true], + ['{% apply lower|escape("html") %}SOME TEXT{% endapply %}', false], + ['{% macro input(name, value, type = "text", size = 20) %}{% endmacro %}', false], + ['{% sandbox %}{% include "user.html" %}{% endsandbox %}', false], + ['{{ "-5"|abs }}', true], + ['{{ "2020/02/01"|date_modify("+1 day")|date("m/d/Y") }}', true], + ['{{ [1, 2, 3, 4]|first }}', true], + ['{{ file|format_file(line, text = null) }}', false], + ['{{ [1, 2, 3]|reduce((carry, v) => carry + v) }}', false], + ['{{ "

test

" |raw }}', false], + ['{{ url("homepage") }}', true], + ['{{ random(1, 100) }}', true], + ['{% for i in range(3, 0) %} {{ i }}, {% endfor %}', true], + ['{{ dump(9) }}', false], + ['{{ constant("RSS", date) }}', false], + ['{{ include(template_from_string("Hello")) }}', false], + ]; + } + + public function twigVarFreeAreaProvider() + { + // 0: twigスニペット, 1: ホワイトリスト対象かどうか + return [ + ['{{ app.user }}', false], + ['{{ Product.name }}', true], + ['{{ app.request.uri }}', true], + ['{{ app.request.getUri }}', true], + ]; + } + + public function twigVarMetaTagsProvider() + { + // 0: twigスニペット, 1: ホワイトリスト対象かどうか + return [ + ['{{ app.debug }}', false], + ['{{ BaseInfo.shop_name }}', true], + ['{{ app.request.uri }}', true], + ['{{ app.request.getUri }}', true], + ]; + } +} \ No newline at end of file From 0f4d68516f29c92db4ece4ab3e6f0302e1ce3f66 Mon Sep 17 00:00:00 2001 From: shinya Date: Mon, 25 Sep 2023 16:38:09 +0900 Subject: [PATCH 02/13] =?UTF-8?q?yaml=E3=81=AE=E5=8F=8D=E6=98=A0=E6=BC=8F?= =?UTF-8?q?=E3=82=8C=E3=82=92=E8=BF=BD=E5=8A=A0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../eccube/packages/twig_extensions.yaml | 161 ++++++++++++++++++ 1 file changed, 161 insertions(+) diff --git a/app/config/eccube/packages/twig_extensions.yaml b/app/config/eccube/packages/twig_extensions.yaml index 50840691d51..3907b4544fb 100644 --- a/app/config/eccube/packages/twig_extensions.yaml +++ b/app/config/eccube/packages/twig_extensions.yaml 
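Review bot: In testFreeArea, `self::assertStringContainsString($whitelisted ? '__RENDERED__' : '', $text)` asserts nothing when `$whitelisted` is false, because an empty needle is contained in every string, so every rejected-snippet case passes whether or not the sandbox blocked it; testMetatags has the same assertion. PATCH 03 keeps that shape with `assertContains`, and PATCH 11 fixes only testMetatags, so testFreeArea stays vacuous through the whole series. Replace it with `if ($whitelisted) { self::assertContains('__RENDERED__', $text); } else { self::assertNotContains('__RENDERED__', $text); }` and also assert that the page is not the system-error page, as PATCH 11 does for meta tags. The hunk's first line is truncated here, so the class header and the start of testFreeArea are not visible.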
@@ -8,3 +8,164 @@ services: #Twig\Extensions\DateExtension: ~ Twig\Extensions\IntlExtension: ~ #Twig\Extensions\TextExtension: ~ + + eccube.twig_sandbox.policy: + class: Twig\Sandbox\SecurityPolicy + arguments: + $allowedTags: "%eccube.twig_sandbox.allowed_tags%" + $allowedFilters: "%eccube.twig_sandbox.allowed_filters%" + $allowedFunctions: "%eccube.twig_sandbox.allowed_functions%" + $allowedMethods: "%eccube.twig_sandbox.allowed_methods%" + $allowedProperties: "%eccube.twig_sandbox.allowed_properties%" + eccube.twig_sandbox.extension: + class: Twig\Extension\SandboxExtension + arguments: + - '@eccube.twig_sandbox.policy' + - false + tags: ['twig.extension'] +parameters: + eccube.twig_sandbox.allowed_tags: + - 'apply' + - 'block' + - 'deprecated' + - 'embed' + - 'extends' + - 'flush' + - 'for' + - 'if' + - 'set' + - 'spaceless' + - 'verbatim' + - 'with' + - 'form_theme' + - 'stopwatch' + - 'trans' + - 'trans_default_domain' + eccube.twig_sandbox.allowed_filters: + - 'abs' + - 'batch' + - 'capitalize' + - 'column' + - 'convert_encoding' + - 'country_name' + - 'currency_name' + - 'currency_symbol' + - 'date' + - 'date_modify' + - 'default' + - 'escape' + - 'first' + - 'format' + - 'format_currency' + - 'format_date' + - 'format_datetime' + - 'format_number' + - 'format_time' + - 'join' + - 'json_encode' + - 'keys' + - 'language_name' + - 'last' + - 'length' + - 'locale_name' + - 'lower' + - 'merge' + - 'nl2br' + - 'number_format' + - 'replace' + - 'reverse' + - 'round' + - 'slice' + - 'spaceless' + - 'split' + - 'striptags' + - 'timezone_name' + - 'title' + - 'trim' + - 'upper' + - 'url_encode' + - 'abbr_class' + - 'abbr_method' + - 'file_link' + - 'file_relative' + - 'format_args' + - 'format_args_as_text' + - 'humanize' + - 'serialize' + - 'trans' + - 'yaml_dump' + - 'yaml_encode' + - 'currency_symbol' + - 'date_day' + - 'date_day_with_weekday' + - 'date_format' + - 'date_min' + - 'date_sec' + - 'doctrine_format_sql' + - 'doctrine_prettify_sql' + - 
'doctrine_pretty_query' + - 'doctrine_replace_query_parameters' + - 'e' + - 'ellipsis' + - 'file_ext_icon' + - 'form_encode_currency' + - 'format_*_number' + - 'format_log_message' + - 'no_image_product' + - 'price' + - 'purify' + - 'time_ago' + eccube.twig_sandbox.allowed_functions: + - 'cycle' + - 'date' + - 'max' + - 'min' + - 'random' + - 'range' + - 'country_timezones' + - 'absolute_url' + - 'asset' + - 'asset_version' + - 'csrf_token' + - 'form_parent' + - 'fragment_uri' + - 'impersonation_exit_path' + - 'impersonation_exit_url' + - 'is_granted' + - 'logout_path' + - 'logout_url' + - 'path' + - 'relative_path' + - 't' + - 'url' + - 'active_menus' + - 'class_categories_as_json' + - 'country_names' + - 'csrf_token_for_anchor' + - 'currency_names' + - 'currency_symbol' + - 'field_choices' + - 'field_errors' + - 'field_help' + - 'field_label' + - 'field_name' + - 'field_value' + - 'get_all_carts' + - 'get_cart' + - 'get_carts_total_price' + - 'get_carts_total_quantity' + - 'has_errors' + - 'is_reduced_tax_rate' + - 'language_names' + - 'product' + - 'workflow_can' + - 'workflow_has_marked_place' + - 'workflow_marked_places' + - 'workflow_metadata' + - 'workflow_transition' + - 'workflow_transition_blockers' + - 'workflow_transitions' + eccube.twig_sandbox.allowed_methods: + 'Symfony\Bridge\Twig\AppVariable': [ 'getrequest' ] + 'Symfony\Component\HttpFoundation\Request': [ 'geturi' ] + eccube.twig_sandbox.allowed_properties: [] From bd43509d6378cb237117e1ebcec1ce84ffae6a57 Mon Sep 17 00:00:00 2001 
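Review bot: The filter allow-list grants storefront-rendered content helpers that exist for the debug toolbar and profiler rather than for product pages — `abbr_class`, `abbr_method`, `file_link`, `file_relative`, `format_args`, `format_args_as_text`, `yaml_dump`, `yaml_encode`, `format_log_message`, `serialize` and the `doctrine_*` SQL pretty-printers — and a deny-by-default policy should carry only entries a storefront template needs; the trimmed list in PATCH 04 still keeps abbr_class, file_link, format_args, yaml_dump and doctrine_pretty_query. `format_*_number` is a literal name, not a pattern: `Twig\Sandbox\SecurityPolicy` compares filter names exactly, so that entry grants nothing (PATCH 04 drops it). The method grants are written lower-cased because SecurityPolicy lower-cases both sides; a comment on `eccube.twig_sandbox.allowed_methods` such as `# method names are compared lower-cased; keep allowed_properties empty so object state is exposed only through listed methods` would save the next maintainer a trip to the Twig source.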
From: shinya Date: Thu, 28 Sep 2023 18:44:06 +0900 Subject: [PATCH 03/13] =?UTF-8?q?=E5=BD=93=E6=99=82=E5=AD=98=E5=9C=A8?= =?UTF-8?q?=E3=81=97=E3=81=A6=E3=81=84=E3=81=AA=E3=81=8B=E3=81=A3=E3=81=9F?= =?UTF-8?q?function=E3=82=92=E6=9B=B8=E3=81=8D=E6=8F=9B=E3=81=88=EF=BC=88?= =?UTF-8?q?=E7=8F=BE=E5=9C=A8=E3=81=AF=E9=9D=9E=E6=8E=A8=E5=A5=A8=E3=81=A0?= =?UTF-8?q?=E3=81=8C=E5=BD=93=E6=99=82=E3=81=AF=E7=8F=BE=E5=BD=B9=EF=BC=89?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php b/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php index 859eec30450..814b74ce0ec 100644 --- a/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php +++ b/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php @@ -32,7 +32,7 @@ public function testFreeArea($snippet, $whitelisted) $text = $crawler->text(); // $snippetがsandboxで制限された場合はフリーエリアは空で出力されるため、__RENDERED__の出力有無で結果を確認する - self::assertStringContainsString($whitelisted ? '__RENDERED__' : '', $text); + self::assertContains($whitelisted ? '__RENDERED__' : '', $text); } /** @@ -49,7 +49,7 @@ public function testMetatags($snippet, $whitelisted) $text = $crawler->text(); // $snippetがsandboxで制限された場合はメタタグエリアは空で出力されるため、__RENDERED__の出力有無で結果を確認する - self::assertStringContainsString($whitelisted ? '__RENDERED__' : '', $text); + self::assertContains($whitelisted ? '__RENDERED__' : '', $text); } public function twigSnippetsProvider() From 9de66d35b0f48c491b912b7ab8ba59ed6c8bb333 Mon Sep 17 00:00:00 2001 
From: shinya Date: Fri, 29 Sep 2023 15:59:29 +0900 Subject: [PATCH 04/13] =?UTF-8?q?=E3=83=9B=E3=83=AF=E3=82=A4=E3=83=88?= =?UTF-8?q?=E3=83=AA=E3=82=B9=E3=83=88=E6=A3=9A=E5=8D=B8=E3=81=97=E3=81=AE?= =?UTF-8?q?=E7=B5=90=E6=9E=9C=E3=82=92=E5=8F=8D=E6=98=A0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../eccube/packages/twig_extensions.yaml | 52 ++++++------------- 1 file changed, 16 insertions(+), 36 deletions(-) diff --git a/app/config/eccube/packages/twig_extensions.yaml b/app/config/eccube/packages/twig_extensions.yaml index 3907b4544fb..020c248f4e8 100644 --- a/app/config/eccube/packages/twig_extensions.yaml +++ b/app/config/eccube/packages/twig_extensions.yaml @@ -47,27 +47,17 @@ parameters: - 'capitalize' - 'column' - 'convert_encoding' - - 'country_name' - - 'currency_name' - - 'currency_symbol' - 'date' - 'date_modify' - 'default' - 'escape' - 'first' - 'format' - - 'format_currency' - - 'format_date' - - 'format_datetime' - - 'format_number' - - 'format_time' - 'join' - 'json_encode' - 'keys' - - 'language_name' - 'last' - 'length' - - 'locale_name' - 'lower' - 'merge' - 'nl2br' @@ -79,7 +69,6 @@ parameters: - 'spaceless' - 'split' - 'striptags' - - 'timezone_name' - 'title' - 'trim' - 'upper' 
@@ -87,34 +76,32 @@ parameters: - 'abbr_class' - 'abbr_method' - 'file_link' - - 'file_relative' - 'format_args' - 'format_args_as_text' - 'humanize' - - 'serialize' - 'trans' - 'yaml_dump' - 'yaml_encode' - - 'currency_symbol' - 'date_day' - 'date_day_with_weekday' - 'date_format' - 'date_min' - 'date_sec' - - 'doctrine_format_sql' - - 'doctrine_prettify_sql' - 'doctrine_pretty_query' - 'doctrine_replace_query_parameters' - 'e' - 'ellipsis' - 'file_ext_icon' - 'form_encode_currency' - - 'format_*_number' - 'format_log_message' - 'no_image_product' - 'price' - - 'purify' - 'time_ago' + - 'doctrine_minify_query' + - 'localizedcurrency' + - 'localizeddate' + - 'localizednumber' + - 'transchoice' eccube.twig_sandbox.allowed_functions: - 'cycle' - 'date' 
@@ -122,49 +109,42 @@ parameters: - 'min' - 'random' - 'range' - - 'country_timezones' - 'absolute_url' - 'asset' - 'asset_version' - 'csrf_token' - - 'form_parent' - - 'fragment_uri' - - 'impersonation_exit_path' - - 'impersonation_exit_url' - 'is_granted' - 'logout_path' - 'logout_url' - 'path' - 'relative_path' - - 't' - 'url' - 'active_menus' - 'class_categories_as_json' - - 'country_names' - 'csrf_token_for_anchor' - - 'currency_names' - 'currency_symbol' - - 'field_choices' - - 'field_errors' - - 'field_help' - - 'field_label' - - 'field_name' - - 'field_value' - 'get_all_carts' - 'get_cart' - 'get_carts_total_price' - 'get_carts_total_quantity' - 'has_errors' - 'is_reduced_tax_rate' - - 'language_names' - 'product' - 'workflow_can' - 'workflow_has_marked_place' - 'workflow_marked_places' - - 'workflow_metadata' - - 'workflow_transition' - - 'workflow_transition_blockers' - 'workflow_transitions' + - 'device_version' + - 'full_view_url' + - 'is_android_os' + - 'is_device' + - 'is_full_view' + - 'is_ios' + - 'is_mobile' + - 'is_mobile_view' + - 'is_not_mobile_view' + - 'is_tablet' + - 'is_tablet_view' eccube.twig_sandbox.allowed_methods: 'Symfony\Bridge\Twig\AppVariable': [ 'getrequest' ] 'Symfony\Component\HttpFoundation\Request': [ 'geturi' ] From 6d09adfc89f1e5c798249f3be27b07cd6c0110a9 Mon Sep 17 00:00:00 2001 From: shinya Date: Wed, 4 Oct 2023 18:03:54 +0900 Subject: [PATCH 05/13] =?UTF-8?q?GithubActions=E3=81=A7=E3=83=86=E3=82=B9?= =?UTF-8?q?=E3=83=88=E3=81=8C=E8=90=BD=E3=81=A1=E3=82=8B=E3=81=9F=E3=82=81?= =?UTF-8?q?=E5=AF=BE=E5=BF=9C?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- codeception/_support/AcceptanceTester.php | 1 + 1 file changed, 1 insertion(+) diff --git a/codeception/_support/AcceptanceTester.php b/codeception/_support/AcceptanceTester.php index e13b11a4a88..f11b6655b23 100644 --- a/codeception/_support/AcceptanceTester.php +++ b/codeception/_support/AcceptanceTester.php 
@@ -100,6 +100,7 @@ public function logoutAsMember()
 {
 $I = $this;
 $I->amOnPage('/');
+ $I->wait(1);
 $isLogin = $I->grabTextFrom('.ec-headerNaviRole .ec-headerNav .ec-headerNav__item:nth-child(3) a');
 if ($isLogin == 'ログアウト') {
 $I->wait(1);
From 218f4f8b0576c95cdf7605790fa79fcb6bafe00d Mon Sep 17 00:00:00 2001 From: shinya Date: Wed, 4 Oct 2023 19:06:10 +0900 Subject: [PATCH 06/13] =?UTF-8?q?GithubActions=E3=81=A7=E3=83=86=E3=82=B9?= =?UTF-8?q?=E3=83=88=E3=81=8C=E8=90=BD=E3=81=A1=E3=82=8B=E3=81=9F=E3=82=81?= =?UTF-8?q?=E5=AF=BE=E5=BF=9C?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
--- codeception/acceptance/EF02ProductCest.php | 1 + 1 file changed, 1 insertion(+)
diff --git a/codeception/acceptance/EF02ProductCest.php b/codeception/acceptance/EF02ProductCest.php
index 2109ec75ae4..24630532375 100644
--- a/codeception/acceptance/EF02ProductCest.php
+++ b/codeception/acceptance/EF02ProductCest.php
@@ -109,6 +109,7 @@ public function product_商品一覧表示件数(\AcceptanceTester $I)
 // 表示件数の選択リストを変更する
 $listPage->表示件数設定(40);
+ $I->wait(1);
 // 変更された表示件数分が1画面に表示される
 $expected = ($productNum >= 40) ? 40 : $productNum;
From 4cb2fa872cbc4f9f39a2f682a6cbb0b7e7076e2a Mon Sep 17 00:00:00 2001 From: shinya Date: Wed, 4 Oct 2023 23:29:40 +0900 Subject: [PATCH 07/13] =?UTF-8?q?GithubActions=E3=81=A7=E3=83=86=E3=82=B9?= =?UTF-8?q?=E3=83=88=E3=81=8C=E8=90=BD=E3=81=A1=E3=82=8B=E3=81=9F=E3=82=81?= =?UTF-8?q?=E5=AF=BE=E5=BF=9C?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
--- codeception/acceptance/EA06ContentsManagementCest.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/codeception/acceptance/EA06ContentsManagementCest.php b/codeception/acceptance/EA06ContentsManagementCest.php
index 42d8179cb57..8a548e4fc93 100644
--- a/codeception/acceptance/EA06ContentsManagementCest.php
+++ b/codeception/acceptance/EA06ContentsManagementCest.php
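Review bot: `$I->wait(1);` is a fixed sleep added to paper over timing in logoutAsMember, and the same pattern is added in the EF02ProductCest hunk on this line and in the EA06ContentsManagementCest hunk that follows; fixed sleeps make the suite slower and still flake under load. Codeception's WebDriver module has condition-based waits, e.g. `$I->waitForElement('.ec-headerNaviRole .ec-headerNav .ec-headerNav__item:nth-child(3) a');` before `grabTextFrom`, and `$I->waitForText('保存しました');` in place of the wait-then-`see` pair. The enclosing methods start outside the hunks.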
@@ -240,7 +240,7 @@ public function contentsmanagement_レイアウト管理(\AcceptanceTester $I)
 LayoutEditPage::at($I)
 ->レイアウト名('あたらしいレイアウト')
 ->登録();
-
+ $I->wait(1);
 $I->see('保存しました');
 }
From b870074b74bd4ee23c4fa9b39619afcf395b2fd0 Mon Sep 17 00:00:00 2001 From: daichi_otani Date: Tue, 17 Oct 2023 17:30:43 +0900 Subject: [PATCH 08/13] =?UTF-8?q?fix:=5F=5FtoString=E3=82=92=E8=A8=B1?= =?UTF-8?q?=E5=8F=AF=E3=81=99=E3=82=8B=E4=BF=AE=E6=AD=A3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
--- .../eccube/packages/twig_extensions.yaml | 2 + .../Twig/Sandbox/SecurityPolicyDecorator.php | 47 +++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 src/Eccube/Twig/Sandbox/SecurityPolicyDecorator.php
diff --git a/app/config/eccube/packages/twig_extensions.yaml b/app/config/eccube/packages/twig_extensions.yaml
index 020c248f4e8..eec807cedf8 100644
--- a/app/config/eccube/packages/twig_extensions.yaml
+++ b/app/config/eccube/packages/twig_extensions.yaml
@@ -23,6 +23,8 @@ services:
 - '@eccube.twig_sandbox.policy'
 - false
 tags: ['twig.extension']
+ Eccube\Twig\Sandbox\SecurityPolicyDecorator:
+ decorates: 'eccube.twig_sandbox.policy'
 parameters:
 eccube.twig_sandbox.allowed_tags:
 - 'apply'
diff --git a/src/Eccube/Twig/Sandbox/SecurityPolicyDecorator.php b/src/Eccube/Twig/Sandbox/SecurityPolicyDecorator.php
new file mode 100644
index 00000000000..017fc1c6d7f
--- /dev/null
+++ b/src/Eccube/Twig/Sandbox/SecurityPolicyDecorator.php
@@ -0,0 +1,47 @@
+securityPolicy = $securityPolicy;
+ }
+
+ public function checkSecurity($tags, $filters, $functions)
+ {
+ $this->securityPolicy->checkSecurity($tags, $filters, $functions);
+ }
+
+ public function checkMethodAllowed($obj, $method)
+ {
+ // __toStringの場合はチェックをスキップする
+ if ($method === '__toString') {
+ return;
+ }
+ $this->securityPolicy->checkMethodAllowed($obj, $method);
+ }
+
+ public function checkPropertyAllowed($obj, $method)
+ {
+ $this->securityPolicy->checkPropertyAllowed($obj, $method);
+ }
+}
From aed6542953b61995b3076da62a264ae1edb248ec Mon Sep 17 00:00:00 2001 From: daichi_otani Date: Wed, 18 Oct 2023 15:12:32 +0900 Subject: [PATCH 09/13] =?UTF-8?q?=E3=83=A6=E3=83=8B=E3=83=83=E3=83=88?= =?UTF-8?q?=E3=83=86=E3=82=B9=E3=83=88=E3=81=AE=E8=BF=BD=E5=8A=A0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
--- .../Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php | 1 + 1 file changed, 1 insertion(+)
diff --git a/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php b/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php
index 814b74ce0ec..0a8fe1e075b 100644
--- a/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php
+++ b/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php
@@ -85,6 +85,7 @@ public function twigVarFreeAreaProvider()
 ['{{ Product.name }}', true],
 ['{{ app.request.uri }}', true],
 ['{{ app.request.getUri }}', true],
+ ['{{ Product.main_list_image|no_image_product }}', true],
 ];
 }
From cb82ea937efd49bf8e70275eb365e41c84d5f3e2 Mon Sep 17 00:00:00 2001
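Review bot: `checkMethodAllowed` skips the wrapped policy for `__toString` on every class, so any object an admin-authored free area can reach (entity relations, whatever the context exposes) can be stringified and printed even though `allowed_methods` in twig_extensions.yaml lists only AppVariable::getrequest and Request::geturi; that widens the sandbox well beyond the explicit allow-list. Restrict the bypass to the classes whose string form the storefront templates actually need and let everything else fall through to the decorated policy, which throws `SecurityNotAllowedMethodError`. `checkPropertyAllowed` names its second parameter `$method` although it receives a property name; `$property` reads correctly. The hunk's first line is truncated here, so the class declaration and constructor are not visible and whether the decorator implements `Twig\Sandbox\SecurityPolicyInterface` cannot be confirmed.
```php
    /** @var list<class-string> classes whose __toString may be rendered without a policy entry; fill from the storefront templates */
    private const TOSTRING_ALLOWED = [];

    public function checkMethodAllowed($obj, $method)
    {
        // Only let __toString through for an explicit allow-list of classes; everything else stays under the wrapped policy.
        if ($method === '__toString') {
            foreach (self::TOSTRING_ALLOWED as $class) {
                if ($obj instanceof $class) {
                    return;
                }
            }
        }
        $this->securityPolicy->checkMethodAllowed($obj, $method);
    }
```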
From: shinya Date: Thu, 19 Oct 2023 17:05:56 +0900 Subject: [PATCH 10/13] =?UTF-8?q?Twig=E3=81=AE=E3=82=A2=E3=83=83=E3=83=97?= =?UTF-8?q?=E3=83=87=E3=83=BC=E3=83=88=E3=82=92=E5=AE=9F=E6=96=BD?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- composer.lock | 41 +++++++++++++++++++++++++++++------------ 1 file changed, 29 insertions(+), 12 deletions(-) diff --git a/composer.lock b/composer.lock index 2a5e407506e..cb6b09d8a62 100644 --- a/composer.lock +++ b/composer.lock @@ -2774,6 +2774,7 @@ "keywords": [ "diff" ], + "abandoned": true, "time": "2018-02-15T16:58:55+00:00" }, { @@ -3266,6 +3267,7 @@ "annotations", "controllers" ], + "abandoned": "Symfony", "time": "2019-07-08T08:31:25+00:00" }, { @@ -3589,6 +3591,7 @@ "mail", "mailer" ], + "abandoned": "symfony/mailer", "time": "2019-11-12T09:31:26+00:00" }, { @@ -3871,6 +3874,7 @@ "type": "tidelift" } ], + "abandoned": true, "time": "2020-10-24T10:57:07+00:00" }, { @@ -4153,6 +4157,7 @@ "type": "tidelift" } ], + "abandoned": "symfony/error-handler", "time": "2020-10-24T10:57:07+00:00" }, { @@ -5319,7 +5324,7 @@ "type": "tidelift" } ], - "abandoned": "use `EnglishInflector` from the String component instead", + "abandoned": "EnglishInflector from the String component", "time": "2020-10-24T10:57:07+00:00" }, { @@ -6904,6 +6909,7 @@ "type": "tidelift" } ], + "abandoned": true, "time": "2021-05-19T12:03:21+00:00" }, { @@ -7210,6 +7216,7 @@ ], "description": "Symfony SwiftmailerBundle", "homepage": "http://symfony.com", + "abandoned": "symfony/mailer", "time": "2019-11-07T21:01:35+00:00" }, { @@ -7933,6 +7940,7 @@ "type": "tidelift" } ], + "abandoned": true, "time": "2020-10-24T10:57:07+00:00" }, { 
@@ -8123,32 +8131,32 @@ }, { "name": "twig/twig", - "version": "v2.12.2", + "version": "v2.15.5", "source": { "type": "git", "url": "https://github.com/twigphp/Twig.git", - "reference": "d761fd1f1c6b867ae09a7d8119a6d95d06dc44ed" + "reference": "fc02a6af3eeb97c4bf5650debc76c2eda85ac22e" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/twigphp/Twig/zipball/d761fd1f1c6b867ae09a7d8119a6d95d06dc44ed", - "reference": "d761fd1f1c6b867ae09a7d8119a6d95d06dc44ed", + "url": "https://api.github.com/repos/twigphp/Twig/zipball/fc02a6af3eeb97c4bf5650debc76c2eda85ac22e", + "reference": "fc02a6af3eeb97c4bf5650debc76c2eda85ac22e", "shasum": "" }, "require": { - "php": "^7.0", + "php": ">=7.1.3", "symfony/polyfill-ctype": "^1.8", - "symfony/polyfill-mbstring": "^1.3" + "symfony/polyfill-mbstring": "^1.3", + "symfony/polyfill-php72": "^1.8" }, "require-dev": { "psr/container": "^1.0", - "symfony/debug": "^3.4|^4.2", - "symfony/phpunit-bridge": "^4.4@dev|^5.0" + "symfony/phpunit-bridge": "^4.4.9|^5.0.9|^6.0" }, "type": "library", "extra": { "branch-alias": { - "dev-master": "2.12-dev" + "dev-master": "2.15-dev" } }, "autoload": { @@ -8172,7 +8180,6 @@ }, { "name": "Twig Team", - "homepage": "https://twig.symfony.com/contributors", "role": "Contributors" }, { @@ -8186,7 +8193,17 @@ "keywords": [ "templating" ], - "time": "2019-11-11T16:52:09+00:00" + "funding": [ + { + "url": "https://github.com/fabpot", + "type": "github" + }, + { + "url": "https://tidelift.com/funding/github/packagist/twig/twig", + "type": "tidelift" + } + ], + "time": "2023-05-03T17:49:41+00:00" }, { "name": "vlucas/phpdotenv", From 8739ec39a46d9d9f3afcf7dc510bd75d9c9de0ef Mon Sep 17 00:00:00 2001 
From: daichi_otani Date: Fri, 20 Oct 2023 17:41:51 +0900 Subject: [PATCH 11/13] =?UTF-8?q?=E3=83=A6=E3=83=8B=E3=83=83=E3=83=88?= =?UTF-8?q?=E3=83=86=E3=82=B9=E3=83=88=E3=81=AE=E4=BF=AE=E6=AD=A3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../IgnoreTwigSandboxErrorExtensionTest.php | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php b/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php index 0a8fe1e075b..12acecb275f 100644 --- a/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php +++ b/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php @@ -48,8 +48,15 @@ public function testMetatags($snippet, $whitelisted) $crawler = $this->client->request('GET', $this->generateUrl($Page->getUrl())); $text = $crawler->text(); - // $snippetがsandboxで制限された場合はメタタグエリアは空で出力されるため、__RENDERED__の出力有無で結果を確認する - self::assertContains($whitelisted ? '__RENDERED__' : '', $text); + // ホワイトリストに入っている場合__RENDERED__が表示される + if ($whitelisted) { + self::assertContains('__RENDERED__', $text); + } else { + self::assertNotContains('__RENDERED__', $text); + } + // 入力可能ではない値の場合は、システムエラーが発生する + self::assertNotContains('システムエラーが発生しました', $text); + } public function twigSnippetsProvider() @@ -59,7 +66,7 @@ public function twigSnippetsProvider() ['{% set foo = "bar" %}', true], ['{% spaceless %}
test
{% endspaceless %}', true], ['{% flush %}', true], - ['{% apply lower|escape("html") %}SOME TEXT{% endapply %}', false], + ['{% apply lower|escape("html") %}SOME TEXT{% endapply %}', true], ['{% macro input(name, value, type = "text", size = 20) %}{% endmacro %}', false], ['{% sandbox %}{% include "user.html" %}{% endsandbox %}', false], ['{{ "-5"|abs }}', true], From e418e223631cbfab42b05a728be57e3e780de0e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=B1=A0=20=E6=81=A9=E6=A8=B9?= Date: Mon, 6 Nov 2023 14:57:32 +0900 Subject: [PATCH 12/13] =?UTF-8?q?=E3=83=90=E3=83=BC=E3=82=B8=E3=83=A7?= =?UTF-8?q?=E3=83=B3=E8=A1=A8=E8=A8=98=E3=82=92p4=E3=81=AB=E5=A4=89?= =?UTF-8?q?=E6=9B=B4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- package.json | 2 +- src/Eccube/Common/Constant.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/package.json b/package.json index d04fd3ec707..1af3bf261a8 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "eccube", - "version": "4.0.6-p3", + "version": "4.0.6-p4", "description": "EC-CUBE EC open platform.", "main": "index.js", "directories": { diff --git a/src/Eccube/Common/Constant.php b/src/Eccube/Common/Constant.php index 5f3d3575c4c..c8cd428abf3 100644 --- a/src/Eccube/Common/Constant.php +++ b/src/Eccube/Common/Constant.php @@ -18,7 +18,7 @@ class Constant /** * EC-CUBE VERSION. */ - const VERSION = '4.0.6-p3'; + const VERSION = '4.0.6-p4'; /** * Enable value. From a9645a7881456f11a99be1969d395c41cc51b5e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=B1=A0=20=E6=81=A9=E6=A8=B9?= Date: Mon, 6 Nov 2023 15:00:06 +0900 Subject: [PATCH 13/13] =?UTF-8?q?=E3=83=90=E3=83=BC=E3=82=B8=E3=83=A7?= =?UTF-8?q?=E3=83=B3=E8=A1=A8=E8=A8=98=E3=82=92p4=E3=81=AB=E5=A4=89?= =?UTF-8?q?=E6=9B=B4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- package-lock.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/package-lock.json b/package-lock.json
index 2b04dcb814f..a585b51a048 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,6 +1,6 @@
 {
 "name": "eccube",
- "version": "4.0.6-p3",
+ "version": "4.0.6-p4",
 "lockfileVersion": 1,
 "requires": true,
 "dependencies": {