Skip to content

Commit

Permalink
refactor: Whitelist & Blacklist security policies
Browse files Browse the repository at this point in the history
  • Loading branch information
@khalwat
khalwat committed Jun 30, 2024
1 parent 4b7d8cf commit d31a773
Show file tree
Hide file tree
Showing 3 changed files with 241 additions and 6 deletions.
235 changes: 235 additions & 0 deletions src/twig/BlacklistSecurityPolicy.php
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,235 @@
<?php

namespace nystudio107\crafttwigsandbox\twig;

use Twig\Sandbox\SecurityNotAllowedFilterError;
use Twig\Sandbox\SecurityNotAllowedFunctionError;
use Twig\Sandbox\SecurityNotAllowedTagError;

class BlacklistSecurityPolicy extends BaseSecurityPolicy
{
// Public Methods
// =========================================================================

/**
* @inheritDoc
*/
public function __construct($config = [])
{
// Blacklisted tags
$this->setTwigTags([
'apply',
'autoescape',
'block',
'deprecated',
'do',
'embed',
'extends',
'flush',
'from',
'import',
'include',
'macro',
'sandbox',
'use',
'verbatim',
'with',
'cache',
'css',
'dd',
'dump',
'exit',
'header',
'hook',
'html',
'js',
'namespace',
'nav',
'paginate',
'redirect',
'requireAdmin',
'requireEdition',
'requireGuest',
'requireLogin',
'requirePermission',
'script',
'switch',
'tag',
]);
// Blacklisted filters
$this->setTwigFilters([
'abs',
'batch',
'column',
'convert_encoding',
'country_name',
'country_timezones',
'currency_name',
'currency_symbol',
'data_uri',
'date_modify',
'default',
'filter',
'format',
'format_currency',
'format_date',
'format_datetime',
'format_number',
'format_time',
'inky',
'inline_css',
'json_encode',
'language_name',
'locale_name',
'map',
'merge',
'reduce',
'reverse',
'round',
'slice',
'spaceless',
'timezone_name',
'url_encode',
'address',
'append',
'ascii',
'atom',
'attr',
'base64_decode',
'base64_encode',
'boolean',
'column',
'diff',
'duration',
'encenc',
'explodeClass',
'explodeStyle',
'filesize',
'filter',
'float',
'group',
'hash',
'httpdate',
'integer',
'intersect',
'json_encode',
'json_decode',
'literal',
'multisort',
'namespace',
'ns',
'namespaceAttributes',
'namespaceInputId',
'namespaceInputName',
'number',
'parseAttr',
'parseRefs',
'prepend',
'push',
'removeClass',
'rss',
'string',
'truncate',
'unique',
'unshift',
'values',
'where',
'widont',
'without',
'withoutKey',
]);
// Blacklisted functions
$this->setTwigFunctions([
'attribute',
'block',
'constant',
'cycle',
'dump',
'html_classes',
'parent',
'source',
'template_from_string',
'actionInput',
'alias',
'beginBody',
'block',
'canCreateDrafts',
'canDelete',
'canDeleteForSite',
'canDuplicate',
'canSave',
'canView',
'ceil',
'className',
'clone',
'combine',
'configure',
'constant',
'create',
'csrfInput',
'dump',
'endBody',
'expression',
'failMessageInput',
'floor',
'getenv',
'gql',
'head',
'hiddenInput',
'input',
'ol',
'parseBooleanEnv',
'parseEnv',
'plugin',
'redirectInput',
'renderObjectTemplate',
'seq',
'shuffle',
'source',
'successMessageInput',
'ul',
]);

parent::__construct($config);
}

/**
* @inheritDoc
*/
public function checkSecurity($tags, $filters, $functions): void
{
foreach ($tags as $tag) {
if (in_array($tag, $this->getTwigTags(), true)) {
throw new SecurityNotAllowedTagError(sprintf('Tag "%s" is not allowed.', $tag), $tag);
}
}

foreach ($filters as $filter) {
if (in_array($filter, $this->getTwigFilters(), true)) {
throw new SecurityNotAllowedFilterError(sprintf('Filter "%s" is not allowed.', $filter), $filter);
}
}

foreach ($functions as $function) {
if (in_array($function, $this->getTwigFunctions(), true)) {
throw new SecurityNotAllowedFunctionError(sprintf('Function "%s" is not allowed.', $function), $function);
}
}
}

/**
* @inheritDoc
*/
public function checkMethodAllowed($obj, $method): void
{
// Allow all methods
}

/**
* @inheritDoc
*/
public function checkPropertyAllowed($obj, $property): void
{
// Allow all properties
}
}
8 changes: 4 additions & 4 deletions src/twig/AllowedSecurityPolicy.php → src/twig/WhitelistSecurityPolicy.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@
use Twig\Sandbox\SecurityNotAllowedFunctionError;
use Twig\Sandbox\SecurityNotAllowedTagError;

class AllowedSecurityPolicy extends BaseSecurityPolicy
class WhitelistSecurityPolicy extends BaseSecurityPolicy
{
// Public Methods
// =========================================================================
Expand All @@ -16,13 +16,13 @@ class AllowedSecurityPolicy extends BaseSecurityPolicy
*/
public function __construct($config = [])
{
// Allowed tags
// Whitelisted tags
$this->setTwigTags([
'for',
'if',
'set',
]);
// Allowed filters
// Whitelisted filters
$this->setTwigFilters([
'capitalize',
'date',
Expand Down Expand Up @@ -70,7 +70,7 @@ public function __construct($config = [])
'ucfirst',
'ucwords',
]);
// Allowed functions
// Whitelisted functions
$this->setTwigFunctions([
'date',
'max',
Expand Down
4 changes: 2 additions & 2 deletions src/web/SandboxView.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@

use craft\web\twig\Environment;
use craft\web\View;
use nystudio107\crafttwigsandbox\twig\AllowedSecurityPolicy;
use nystudio107\crafttwigsandbox\twig\WhitelistSecurityPolicy;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicyInterface;

Expand Down Expand Up @@ -38,7 +38,7 @@ public function init(): void
// Use the passed in ErrorHandler, or create a default error handler
$this->sandboxErrorHandler = $this->sandboxErrorHandler ?? new SandboxErrorHandler();
// Use the passed in SecurityPolicy, or create a default security policy
$this->securityPolicy = $this->securityPolicy ?? new AllowedSecurityPolicy();
$this->securityPolicy = $this->securityPolicy ?? new WhitelistSecurityPolicy();
}

/**
Expand Down

0 comments on commit d31a773

Please sign in to comment.