Chris@0
|
1 <?php
|
Chris@0
|
2
|
Chris@0
|
3 namespace Drupal\Core\Template;
|
Chris@0
|
4
|
Chris@0
|
5 use Drupal\Core\Site\Settings;
|
Chris@0
|
6
|
Chris@0
|
7 /**
|
Chris@0
|
8 * Default sandbox policy for Twig templates.
|
Chris@0
|
9 *
|
Chris@0
|
10 * Twig's sandbox extension is usually used to evaluate untrusted code by
|
Chris@0
|
11 * limiting access to potentially unsafe properties or methods. Since we do not
|
Chris@0
|
12 * use ViewModels when passing objects to Twig templates, we limit what those
|
Chris@0
|
13 * objects can do by whitelisting certain classes, method names, and method
|
Chris@0
|
14 * names with an allowed prefix. All object properties may be accessed.
|
Chris@0
|
15 */
|
Chris@0
|
16 class TwigSandboxPolicy implements \Twig_Sandbox_SecurityPolicyInterface {
|
Chris@0
|
17
|
Chris@0
|
18 /**
|
Chris@0
|
19 * An array of whitelisted methods in the form of methodName => TRUE.
|
Chris@16
|
20 *
|
Chris@16
|
21 * @var array
|
Chris@0
|
22 */
|
Chris@16
|
23 protected $whitelisted_methods;
|
Chris@0
|
24
|
Chris@0
|
25 /**
|
Chris@0
|
26 * An array of whitelisted method prefixes -- any method starting with one of
|
Chris@0
|
27 * these prefixes will be allowed.
|
Chris@16
|
28 *
|
Chris@16
|
29 * @var array
|
Chris@0
|
30 */
|
Chris@16
|
31 protected $whitelisted_prefixes;
|
Chris@0
|
32
|
Chris@0
|
33 /**
|
Chris@0
|
34 * An array of class names for which any method calls are allowed.
|
Chris@16
|
35 *
|
Chris@16
|
36 * @var array
|
Chris@0
|
37 */
|
Chris@16
|
38 protected $whitelisted_classes;
|
Chris@0
|
39
|
Chris@0
|
40 /**
|
Chris@0
|
41 * Constructs a new TwigSandboxPolicy object.
|
Chris@0
|
42 */
|
Chris@0
|
43 public function __construct() {
|
Chris@0
|
44 // Allow settings.php to override our default whitelisted classes, methods,
|
Chris@0
|
45 // and prefixes.
|
Chris@0
|
46 $whitelisted_classes = Settings::get('twig_sandbox_whitelisted_classes', [
|
Chris@0
|
47 // Allow any operations on the Attribute object as it is intended to be
|
Chris@0
|
48 // changed from a Twig template, for example calling addClass().
|
Chris@0
|
49 'Drupal\Core\Template\Attribute',
|
Chris@0
|
50 ]);
|
Chris@0
|
51 // Flip the arrays so we can check using isset().
|
Chris@0
|
52 $this->whitelisted_classes = array_flip($whitelisted_classes);
|
Chris@0
|
53
|
Chris@0
|
54 $whitelisted_methods = Settings::get('twig_sandbox_whitelisted_methods', [
|
Chris@0
|
55 // Only allow idempotent methods.
|
Chris@0
|
56 'id',
|
Chris@0
|
57 'label',
|
Chris@0
|
58 'bundle',
|
Chris@0
|
59 'get',
|
Chris@0
|
60 '__toString',
|
Chris@0
|
61 'toString',
|
Chris@0
|
62 ]);
|
Chris@0
|
63 $this->whitelisted_methods = array_flip($whitelisted_methods);
|
Chris@0
|
64
|
Chris@0
|
65 $this->whitelisted_prefixes = Settings::get('twig_sandbox_whitelisted_prefixes', [
|
Chris@0
|
66 'get',
|
Chris@0
|
67 'has',
|
Chris@0
|
68 'is',
|
Chris@0
|
69 ]);
|
Chris@0
|
70 }
|
Chris@0
|
71
|
Chris@0
|
72 /**
|
Chris@0
|
73 * {@inheritdoc}
|
Chris@0
|
74 */
|
Chris@0
|
75 public function checkSecurity($tags, $filters, $functions) {}
|
Chris@0
|
76
|
Chris@0
|
77 /**
|
Chris@0
|
78 * {@inheritdoc}
|
Chris@0
|
79 */
|
Chris@0
|
80 public function checkPropertyAllowed($obj, $property) {}
|
Chris@0
|
81
|
Chris@0
|
82 /**
|
Chris@0
|
83 * {@inheritdoc}
|
Chris@0
|
84 */
|
Chris@0
|
85 public function checkMethodAllowed($obj, $method) {
|
Chris@0
|
86 foreach ($this->whitelisted_classes as $class => $key) {
|
Chris@0
|
87 if ($obj instanceof $class) {
|
Chris@0
|
88 return TRUE;
|
Chris@0
|
89 }
|
Chris@0
|
90 }
|
Chris@0
|
91
|
Chris@0
|
92 // Return quickly for an exact match of the method name.
|
Chris@0
|
93 if (isset($this->whitelisted_methods[$method])) {
|
Chris@0
|
94 return TRUE;
|
Chris@0
|
95 }
|
Chris@0
|
96
|
Chris@0
|
97 // If the method name starts with a whitelisted prefix, allow it.
|
Chris@0
|
98 // Note: strpos() is between 3x and 7x faster than preg_match in this case.
|
Chris@0
|
99 foreach ($this->whitelisted_prefixes as $prefix) {
|
Chris@0
|
100 if (strpos($method, $prefix) === 0) {
|
Chris@0
|
101 return TRUE;
|
Chris@0
|
102 }
|
Chris@0
|
103 }
|
Chris@0
|
104
|
Chris@0
|
105 throw new \Twig_Sandbox_SecurityError(sprintf('Calling "%s" method on a "%s" object is not allowed.', $method, get_class($obj)));
|
Chris@0
|
106 }
|
Chris@0
|
107
|
Chris@0
|
108 }
|