Issue #3473195 by longwave, catch, jurgenhaas, naveenvalecha, quietone:...

Issue #3473195 by longwave, catch, jurgenhaas, naveenvalecha, quietone: twig/twig has a possible sandbox bypass <v3.14.0

Issue #3473195 by longwave, catch, jurgenhaas, naveenvalecha, quietone:...
83a80f66 · catch · 4653a5ab · 83a80f66 · 83a80f66 · 83a80f66
Commit 83a80f66 authored 9 months ago by catch
--- a/composer.lock
+++ b/composer.lock
@@ -495,7 +495,7 @@
            "dist": {
                "type": "path",
                "url": "core",
-                "reference": "b8ae3e330a6035450fa1578a5d2d30388cb98314"
+                "reference": "a8c2361f7740cf546b481c01e6503ea083ad469c"
            },
            "require": {
                "asm89/stack-cors": "^2.1",
@@ -540,7 +540,7 @@
                "symfony/serializer": "^6.4",
                "symfony/validator": "^6.4",
                "symfony/yaml": "^6.4",
-                "twig/twig": "^3.9.3"
+                "twig/twig": "^3.14.0"
            },
            "conflict": {
                "drush/drush": "<12.4.3"
@@ -4347,24 +4347,24 @@
        },
        {
            "name": "twig/twig",
-            "version": "v3.10.2",
+            "version": "v3.14.0",
            "source": {
                "type": "git",
                "url": "https://github.com/twigphp/Twig.git",
-                "reference": "7aaed0b8311a557cc8c4047a71fd03153a00e755"
+                "reference": "126b2c97818dbff0cdf3fbfc881aedb3d40aae72"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/twigphp/Twig/zipball/7aaed0b8311a557cc8c4047a71fd03153a00e755",
-                "reference": "7aaed0b8311a557cc8c4047a71fd03153a00e755",
+                "url": "https://api.github.com/repos/twigphp/Twig/zipball/126b2c97818dbff0cdf3fbfc881aedb3d40aae72",
+                "reference": "126b2c97818dbff0cdf3fbfc881aedb3d40aae72",
                "shasum": ""
            },
            "require": {
-                "php": ">=7.2.5",
+                "php": ">=8.0.2",
                "symfony/deprecation-contracts": "^2.5|^3",
                "symfony/polyfill-ctype": "^1.8",
                "symfony/polyfill-mbstring": "^1.3",
-                "symfony/polyfill-php80": "^1.22"
+                "symfony/polyfill-php81": "^1.29"
            },
            "require-dev": {
                "psr/container": "^1.0|^2.0",
@@ -4410,7 +4410,7 @@
            ],
            "support": {
                "issues": "https://github.com/twigphp/Twig/issues",
-                "source": "https://github.com/twigphp/Twig/tree/v3.10.2"
+                "source": "https://github.com/twigphp/Twig/tree/v3.14.0"
            },
            "funding": [
                {
@@ -4422,7 +4422,7 @@
                    "type": "tidelift"
                }
            ],
-            "time": "2024-05-14T06:04:16+00:00"
+            "time": "2024-09-09T17:55:12+00:00"
        }
    ],
    "packages-dev": [

--- a/composer/Metapackage/CoreRecommended/composer.json
+++ b/composer/Metapackage/CoreRecommended/composer.json
@@ -61,6 +61,6 @@
        "symfony/var-dumper": "~v6.4.7",
        "symfony/var-exporter": "~v6.4.7",
        "symfony/yaml": "~v6.4.7",
-        "twig/twig": "~v3.10.2"
+        "twig/twig": "~v3.14.0"
    }
 }
--- a/core/.deprecation-ignore.txt
+++ b/core/.deprecation-ignore.txt
@@ -62,3 +62,15 @@
 %The "Drupal\\Tests\\Core\\Controller\\MockContainerAware" class implements "Symfony\\Component\\DependencyInjection\\ContainerAwareInterface" that is deprecated since Symfony 6.4, use dependency injection instead.%
 %The "Drupal\\Tests\\Core\\DependencyInjection\\DependencySerializationTestDummy" class implements "Symfony\\Component\\DependencyInjection\\ContainerAwareInterface" that is deprecated since Symfony 6.4, use dependency injection instead.%
 %The "Drupal\\Tests\\Core\\Utility\\MockContainerAware" class implements "Symfony\\Component\\DependencyInjection\\ContainerAwareInterface" that is deprecated since Symfony 6.4, use dependency injection instead.%
+
+# Twig 3.
+%Since twig/twig 3.11: Changing the value of a "filter" node in a NodeVisitor class is not supported anymore.%
+%Since twig/twig 3.12: Not passing an instance of "TwigFunction" when creating a "attach_library" function of type "Twig\\Node\\Expression\\FunctionExpression" is deprecated.%
+%Since twig/twig 3.12: Not passing an instance of "TwigFunction" when creating a "add_component_context" function of type "Twig\\Node\\Expression\\FunctionExpression" is deprecated.%
+%Since twig/twig 3.12: Not passing an instance of "TwigFunction" when creating a "render_var" function of type "Twig\\Node\\Expression\\FunctionExpression" is deprecated.%
+%Since twig/twig 3.12: Not passing an instance of "TwigFunction" when creating a "validate_component_props" function of type "Twig\\Node\\Expression\\FunctionExpression" is deprecated.%
+%Since twig/twig 3.12: Getting node "filter" on a "Twig\\Node\\Expression\\FilterExpression" class is deprecated.%
+%Since twig/twig 3.12: Getting node "filter" on a "Twig\\Node\\Expression\\Filter\\DefaultFilter" class is deprecated.%
+%Since twig/twig 3.12: Getting node "filter" on a "Twig\\Node\\Expression\\Filter\\RawFilter" class is deprecated.%
+%Since twig/twig 3.12: The "tag" constructor argument of the "Drupal\\Core\\Template\\TwigNodeTrans" class is deprecated and ignored%
+%Since twig/twig 3.12: Twig Filter "spaceless" is deprecated%
--- a/core/composer.json
+++ b/core/composer.json
@@ -33,7 +33,7 @@
        "symfony/process": "^6.4",
        "symfony/polyfill-iconv": "^1.26",
        "symfony/yaml": "^6.4",
-        "twig/twig": "^3.9.3",
+        "twig/twig": "^3.14.0",
        "doctrine/annotations": "^1.14",
        "guzzlehttp/guzzle": "^7.5",
        "guzzlehttp/psr7": "^2.4.5",

--- a/core/modules/system/tests/src/Kernel/Theme/TwigIncludeTest.php
+++ b/core/modules/system/tests/src/Kernel/Theme/TwigIncludeTest.php
@@ -47,7 +47,7 @@ public function testTemplateInclusion(): void {
    $element = [];
    $element['test'] = [
      '#type' => 'inline_template',
-      '#template' => "{% include '@__main__\/core/tests/fixtures/files/sql-2.sql' %}",
+      '#template' => "{% include '@__main__/core/tests/fixtures/files/sql-2.sql' %}",
    ];
    try {
      $renderer->renderRoot($element);

--- a/core/tests/Drupal/KernelTests/Core/Theme/TwigEnvironmentTest.php
+++ b/core/tests/Drupal/KernelTests/Core/Theme/TwigEnvironmentTest.php
@@ -12,7 +12,6 @@
 use Drupal\Core\Template\TwigPhpStorageCache;
 use Drupal\KernelTests\KernelTestBase;
 use Symfony\Component\DependencyInjection\Definition;
-use Twig\Environment;
 use Twig\Error\LoaderError;

 /**
@@ -216,17 +215,6 @@ public function testTemplateInvalidation(): void {
    file_put_contents($template_file, $template_after);
    $output = $environment->load(basename($template_file))->render();
    $this->assertEquals($template_before, $output);
-
-    $environment->invalidate();
-    // Manually change $templateClassPrefix to force a different template
-    // classname, as the other class is still loaded. This wouldn't be a problem
-    // on a real site where you reload the page.
-    $reflection = new \ReflectionClass(Environment::class);
-    $property_reflection = $reflection->getProperty('templateClassPrefix');
-    $property_reflection->setValue($environment, 'otherPrefix');
-
-    $output = $environment->load(basename($template_file))->render();
-    $this->assertEquals($template_after, $output);
  }

  /**