Restrict filter options in Request in Twig context
xiaohutai committed Oct 16, 2020
1 parent c1f4e53 commit c0cd530
Showing 5 changed files with 160 additions and 0 deletions.
13 changes: 13 additions & 0 deletions src/Twig/ArrayAccessSecurityProxy.php
Expand Up @@ -72,6 +72,19 @@ public function offsetGet($offset)
{
$this->sandbox->checkPropertyAllowed($this, $offset);

if ($offset === 'request') {
$request = $this->object[$offset];

$request->request = new Request\ParameterBag($request->request->all());
$request->query = new Request\ParameterBag($request->query->all());
$request->attributes = new Request\ParameterBag($request->attributes->all());
$request->cookies = new Request\ParameterBag($request->cookies->all());
$request->files = new Request\FileBag($request->files->all());
$request->server = new Request\ServerBag($request->server->all());

return $request;
}

return $this->object[$offset];
}

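Review bot: The six bag assignments that follow `$request = $this->object[$offset];` write onto the very Request instance held in `$this->object`, so the application's own Request is mutated every time a template reads `request`, and the replacement bags outlive the rendering. Cloning first keeps the hardening local to the sandbox: `$request = clone $this->object[$offset];` — Symfony's `Request::__clone()` deep-copies the bags, so the assignments then touch only the copy. The guard is also tied to the literal key `'request'`; if a `Request` can reach the sandbox through any other property of the proxied object (something to confirm against how the proxy is fed), keying on `$this->object[$offset] instanceof Request` would be the more robust form. `offsetGet` begins in the hunk header and its body is fully visible here.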
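--- a/src/Twig/Request/FileBag.php
+++ b/src/Twig/Request/FileBag.php
@@ -0,0 +1,15 @@
+<?php
+
+namespace Bolt\Twig\Request;
+
+/**
+* ParameterBag is a container for key/value pairs.
+* Overridden in order to disable certain filters.
+*
+* @author Xiao-Hu Tai <xiao@twokings.nl>
+* @author Fabien Potencier <fabien@symfony.com>
+*/
+class FileBag extends \Symfony\Component\HttpFoundation\FileBag implements \IteratorAggregate, \Countable
+{
+use RestrictedFilterTrait;
+}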
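Review bot: The class docblock on `FileBag` reads "ParameterBag is a container for key/value pairs", copied from the ParameterBag subclass, and the same copied text sits on `ServerBag` in the last file of this commit; a maintainer reading either class is told the wrong thing about what it holds. Suggested wording for this file: `* FileBag whose filter() is restricted in the Twig sandbox context.`, with the matching sentence for ServerBag. `implements \IteratorAggregate, \Countable` repeats interfaces the Symfony parent already implements, so it can be dropped on all three subclasses (or kept with a one-line comment saying it is deliberate).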
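--- a/src/Twig/Request/ParameterBag.php
+++ b/src/Twig/Request/ParameterBag.php
@@ -0,0 +1,15 @@
+<?php
+
+namespace Bolt\Twig\Request;
+
+/**
+* ParameterBag is a container for key/value pairs.
+* Overridden in order to disable certain filters.
+*
+* @author Xiao-Hu Tai <xiao@twokings.nl>
+* @author Fabien Potencier <fabien@symfony.com>
+*/
+class ParameterBag extends \Symfony\Component\HttpFoundation\ParameterBag implements \IteratorAggregate, \Countable
+{
+use RestrictedFilterTrait;
+}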
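--- a/src/Twig/Request/RestrictedFilterTrait.php
+++ b/src/Twig/Request/RestrictedFilterTrait.php
@@ -0,0 +1,102 @@
+<?php
+
+namespace Bolt\Twig\Request;
+
+/**
+* Override filter function in order to restrict certain options in Twig context.
+* The list of restricted options are taken from "How to Harden Your PHP for
+* Better Security" [1].
+*
+* [1] https://howtogetonline.com/how-to-harden-your-php-for-better-security.php
+*
+* @author Xiao-Hu Tai <xiao@twokings.nl>
+*/
+trait RestrictedFilterTrait
+{
+/** @var array */
+private $restrictedOptions = [
+'_getppid',
+'allow_url_fopen',
+'allow_url_include',
+'chgrp',
+'chmod',
+'chown',
+'curl_exec',
+'curl_multi_exec',
+'diskfreespace',
+'dl',
+'exec',
+'fpaththru',
+'getmypid',
+'getmyuid',
+'highlight_file',
+'ignore_user_abord',
+'ini_set',
+'lchgrp',
+'lchown',
+'leak',
+'link',
+'listen',
+'parse_ini_file',
+'passthru',
+'pcntl_exec',
+'php_uname',
+'phpinfo',
+'popen',
+'posix_ctermid',
+'posix_getcwd',
+'posix_getegid',
+'posix_geteuid',
+'posix_getgid',
+'posix_getgrgid',
+'posix_getgrnam',
+'posix_getgroups',
+'posix_getlogin',
+'posix_getpgid',
+'posix_getpgrp',
+'posix_getpid',
+'posix_getpwnam',
+'posix_getpwuid',
+'posix_getrlimit',
+'posix_getsid',
+'posix_getuid',
+'posix_isatty',
+'posix_kill',
+'posix_mkfifo',
+'posix_setegid',
+'posix_seteuid',
+'posix_setgid',
+'posix_setpgid',
+'posix_setsid',
+'posix_setuid',
+'posix_times',
+'posix_ttyname',
+'posix_uname',
+'posix',
+'proc_close',
+'proc_get_status',
+'proc_nice',
+'proc_open',
+'proc_terminate',
+'putenv',
+'set_time_limit',
+'shell_exec',
+'show_source',
+'source',
+'system',
+'tmpfile',
+'virtual',
+];
+
+/**
+* {@inheritdoc}
+*/
+public function filter($key, $default = null, $filter = FILTER_DEFAULT, $options = array(), $deep = false)
+{
+if (isset($options['options']) && in_array($options['options'], $this->restrictedOptions)) {
+unset($options['options']);
+}
+
+return parent::filter($key, $default, $filter, $options, $deep);
+}
+}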
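Review bot: The `in_array` check in `filter()` compares `$options['options']` against exact lowercase strings, but `filter_var()` treats that value as a PHP callable, and a callable is not always a lowercase function-name string (function lookup is case-insensitive, and `Class::method` strings, `[$object, 'method']` arrays and closures are callables too), so a name list cannot be complete; two entries also do not match real function names (`ignore_user_abord`, `fpaththru` — presumably `ignore_user_abort` and `fpassthru` were meant) and so block nothing, and `in_array` lacks `true` as its third argument. Since `FILTER_CALLBACK` is the only filter mode in which `filter_var()` invokes a callable, refusing that mode and stripping any callable `options` value is a closed rule that needs no list; the rewrite below does that with the signature unchanged and leaves `$restrictedOptions` in place (it becomes unused and can be removed in a follow-up). One hedged point: `ParameterBag::filter()` lost its `$deep` parameter in Symfony 3.0, so if this project is on Symfony 3.x or later the parent simply ignores the fifth argument and the override could drop it.

```php
// … unchanged: $restrictedOptions list (now unused) …

public function filter($key, $default = null, $filter = FILTER_DEFAULT, $options = array(), $deep = false)
{
    // FILTER_CALLBACK is the only mode in which filter_var() calls $options['options'];
    // the cast covers numeric strings, which the parent would coerce to the same int.
    if ((int) $filter === FILTER_CALLBACK) {
        throw new \InvalidArgumentException('FILTER_CALLBACK is not available in the Twig context.');
    }

    // Defence in depth: never forward a callable of any form through the options array.
    if (is_array($options) && isset($options['options']) && is_callable($options['options'])) {
        unset($options['options']);
    }

    return parent::filter($key, $default, $filter, $options, $deep);
}
```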
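--- a/src/Twig/Request/ServerBag.php
+++ b/src/Twig/Request/ServerBag.php
@@ -0,0 +1,15 @@
+<?php
+
+namespace Bolt\Twig\Request;
+
+/**
+* ParameterBag is a container for key/value pairs.
+* Overridden in order to disable certain filters.
+*
+* @author Xiao-Hu Tai <xiao@twokings.nl>
+* @author Fabien Potencier <fabien@symfony.com>
+*/
+class ServerBag extends \Symfony\Component\HttpFoundation\ServerBag implements \IteratorAggregate, \Countable
+{
+use RestrictedFilterTrait;
+}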
