[Mail] Renderer email content twig templates in a sandbox #13347
- I would suggest to extract the allowed tags, filters and functions to a Symfony config ... with quite restrictive default config values
- Also consider other places like text layout component in data objects
Co-authored-by: Sebastian Blank <blank@data-factory.net>
Co-authored-by: Jacob Dreesen <j.dreesen@neusta.de>
…o mail_twig_rendering_sandbox
@fashxp done by rethrowing a message with context in mailer and setting the error message to the text layout html.
doc/Development_Documentation/23_Installation_and_Upgrade/09_Upgrade_Notes/README.md
…tom security policy to whitelist object properties and methods execution by default #13347
looks good to me now.
don't forget to create a security advisory as stated here...
```php
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;
// SecurityPolicy's arguments are (tags, filters, methods, properties, functions)
$policy = new SecurityPolicy($tags, $filters, [], [], $functions);
$sandbox = new SandboxExtension($policy);
$this->twig->addExtension($sandbox);
```
I think this dynamic approach could cause some issues in case the Twig environment was already initialized previously, then addExtension() will throw an exception.
I'd propose to register SandboxExtension as a service here:
```yaml
Pimcore\Twig\Extension\DocumentHelperExtensions: ~
```
It will then get automatically registered as a Twig extension and here, we can just use enableSandbox() and disableSandbox() depending on how the Twig env was requested. WDYT?
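The sandboxed mail rendering this PR introduces, combined with the reviewer's suggestion to register the extension once and toggle enableSandbox()/disableSandbox() per rendering path, as an added example that is not Pimcore's code. It assumes twig/twig is installed via Composer; the Customer class, template strings and token value are constructed for the example.

```php
<?php
// Added example (not Pimcore's code): render templates through Twig's sandbox
// with a restrictive SecurityPolicy. Assumes twig/twig (2.x/3.x) via Composer.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Constructed model object: one harmless getter and one that must stay unreachable.
final class Customer
{
    public function __construct(public string $name, private string $apiToken) {}
    public function getName(): string { return $this->name; }
    public function getApiToken(): string { return $this->apiToken; }
}

// Restrictive allow-lists: only what a mail template legitimately needs.
$tags       = ['if', 'for'];
$filters    = ['escape', 'upper'];
$methods    = [Customer::class => ['getName']];   // getApiToken() is NOT allowed
$properties = [Customer::class => ['name']];
$functions  = [];

// Constructor order is (tags, filters, methods, properties, functions).
$policy  = new SecurityPolicy($tags, $filters, $methods, $properties, $functions);
$sandbox = new SandboxExtension($policy);         // sandbox is off by default

$twig = new Environment(new ArrayLoader([
    'ok.twig'  => 'Hello {{ customer.getName()|upper }}',
    'bad.twig' => 'Token: {{ customer.getApiToken() }}',
]));
$twig->addExtension($sandbox);   // registered once, before the first render

$customer = new Customer('Alice', 'constructed-secret-token');

// Enable the sandbox only for the untrusted (mail) rendering path, then turn
// it off again, instead of re-adding the extension on an initialized env.
$sandbox->enableSandbox();
echo $twig->render('ok.twig', ['customer' => $customer]), "\n";   // Hello ALICE
try {
    $twig->render('bad.twig', ['customer' => $customer]);
} catch (SecurityError $e) {
    echo 'Blocked by sandbox: ', $e->getMessage(), "\n";
}
$sandbox->disableSandbox();
```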
yes, that's a good catch. I registered it as a service now.
LGTM
* [Web2Print] Render twig templates in a sandbox - follow up to #13347
* Update doc/Development_Documentation/23_Installation_and_Upgrade/09_Upgrade_Notes/README.md
  Co-authored-by: Jacob Dreesen <j.dreesen@neusta.de>
* Update doc/Development_Documentation/23_Installation_and_Upgrade/09_Upgrade_Notes/README.md
* Update doc/Development_Documentation/23_Installation_and_Upgrade/09_Upgrade_Notes/README.md
* Update doc/Development_Documentation/23_Installation_and_Upgrade/09_Upgrade_Notes/README.md
  Co-authored-by: Sebastian Blank <blank@data-factory.net>
  Co-authored-by: Jacob Dreesen <j.dreesen@neusta.de>

Co-authored-by: Sebastian Blank <blank@data-factory.net>


Changes in this pull request
Mail twig templates should be rendered in a sandbox with restricted Twig security policy.
Resolves https://github.com/pimcore/planning/issues/102
Additional info
Please see https://twig.symfony.com/doc/2.x/api.html#sandbox-extension