Resolve #3239105 "Harden twigsandbox methods"
Closes #3239105
Merge request reports
Activity
added 2 commits
added 59 commits
-
6015a282...77b8e596 - 58 commits from branch
project:11.x - 48c7baf5 - Harden TwigSandbox methods
-
6015a282...77b8e596 - 58 commits from branch
added 448 commits
-
2054ed96...62ace6aa - 446 commits from branch
project:11.x - 4eb8d361 - Harden TwigSandbox methods
- c671c4f2 - Fix test
-
2054ed96...62ace6aa - 446 commits from branch
added 173 commits
-
406a97cd...38c850c4 - 169 commits from branch
project:11.x - e48e3c3f - Harden TwigSandbox methods
- e8a310fd - Fix test
- 43df598c - Fix new PHPCS failure.
- c461cef0 - Fix new static analysis failures
Toggle commit list-
406a97cd...38c850c4 - 169 commits from branch
added 1 commit
- 1497b132 - Better support new performance hack for twig.
added 1 commit
111 118 * The list of allowed methods on all objects. 112 119 */ 113 120 public static function getMethodsAllowedOnAllObjects(): array { - Comment on lines 107 to 113
Possible can of worms, maybe with BC implications, but this method no longer does what this comment or its name says.
getAllowedMethods()or something, and some of the methods are "allowed on all objects" but many are not...Do we keep this method name and comment as-is, leave it to only return the truly global methods (
::get,::__toStringand::toString), and then refactor to have another static method for the interface-specific additions? Or do we rename this method, update the docs, and let it handle both sets?
119 'get', 120 '__toString', 121 'toString', 122 ]); 121 $allowed_methods = []; 122 // Align the array, so we can check using isset() during checks. 123 foreach ( 124 Settings::get('twig_sandbox_allowed_methods', [ 125 // Only allow idempotent methods. 126 EntityInterface::class . '::id', 127 EntityInterface::class . '::label', 128 EntityInterface::class . '::bundle', 129 LayoutDefinition::class . '::id', 130 '::get', 131 '::__toString', 132 '::toString', - Comment on lines +130 to +132
Why do we have to add :: to the front here? Just for the explode later? This doesn't seem necessary and results in unnecessary return value and setting value changing. I think the setting could be:
Settings::get('twig_sandbox_allowed_methods', [ // Only allow idempotent methods. EntityInterface::class . '::id', EntityInterface::class . '::label', EntityInterface::class . '::bundle', LayoutDefinition::class . '::id', 'get', '__toString', 'toString', ]i.e we add support for class::method naming but we leave the all object methods alone. Also all the preprocessing of the array here could move to the TwigSandboxPolicy constructor or another method so we don't change the intention / return value of this method.
-
I'm a little confused by this pair of comments. If we have a single setting that contains both fully-qualified
class::methodpairs, and generic/global method names, how can we leavegetMethodsAllowedOnAllObjects()alone? Will it start filtering out anything from the setting that contains::and we do all that processing directly in another method called by the constructor?Maybe it's cleaner all around to add a new method and a new setting, something like
Settings::get('twig_sandbox_allowed_class_methods')? Then this class maintains 4 lists (allowed_classes,allowed_methods,allowed_prefixes,allowed_class_methods), not just the 1st 3 of those, and when we're checking if something is allowed, we do the obvious thing? This MR will moveid,labelandbundlefromallowed_methodstoallowed_class_methods. New MRs (e.g. for [#2907810]) will add toallowed_class_methodsby default, unless we come up with other method names that should truly be allowed on all classes.
added 850 commits
-
1c89d132...084ce88e - 844 commits from branch
project:11.x - 6f873271 - Harden TwigSandbox methods
- ec64644e - Fix test
- 969650f4 - Fix new PHPCS failure.
- 3183ef60 - Fix new static analysis failures
- ee50b8bc - Better support new performance hack for twig.
- 7880d2f0 - [#3239105] Update version number in deprecation to use 11.2.0
Toggle commit list-
1c89d132...084ce88e - 844 commits from branch
