Merge pull request #102 from EC-CUBE/dev/feat_twig_sandbox3

shinya · web-flow · commit f9bb1fc79078 · 2023-11-06T15:32:51.000+09:00
脆弱性対応（Twig Sandbox)
diff --git a/src/Eccube/Application.php b/src/Eccube/Application.php
@@ -105,7 +105,8 @@ public function initConfig()
                 ->parseConfig('nav', $configAll, true)
                 ->parseConfig('doctrine_cache', $configAll)
                 ->parseConfig('http_cache', $configAll)
-                ->parseConfig('session_handler', $configAll);
+                ->parseConfig('session_handler', $configAll)
+                ->parseConfig('twig_sandbox', $configAll);
 
             return $configAll;
         });
@@ -285,6 +286,7 @@ public function initRendering()
         $this->register(new \Silex\Provider\TwigServiceProvider(), array(
             'twig.form.templates' => array('Form/form_layout.twig'),
         ));
+        $this->register(new \Eccube\ServiceProvider\SandboxServiceProvider());
         $this['twig'] = $this->share($this->extend('twig', function (\Twig_Environment $twig, \Silex\Application $app) {
             $twig->addExtension(new \Eccube\Twig\Extension\EccubeExtension($app));
             $twig->addExtension(new \Twig_Extension_StringLoader());
diff --git a/src/Eccube/Common/Constant.php b/src/Eccube/Common/Constant.php
@@ -28,7 +28,7 @@ class Constant {
     /**
      * EC-CUBE VERSION.
      */
-    const VERSION = '3.0.18-p6';
+    const VERSION = '3.0.18-p7';
 
     /**
      * Enable value.
diff --git a/src/Eccube/Resource/config/twig_sandbox.yml.dist b/src/Eccube/Resource/config/twig_sandbox.yml.dist
@@ -0,0 +1,91 @@
+twig_sandbox:
+    allowed_tags:
+        - 'block'
+        - 'extends'
+        - 'for'
+        - 'if'
+        - 'set'
+        - 'spaceless'
+        - 'verbatim'
+        - 'with'
+        - 'form_theme'
+        - 'stopwatch'
+        - 'trans'
+        - 'trans_default_domain'
+    allowed_filters:
+        - 'abs'
+        - 'batch'
+        - 'capitalize'
+        - 'date'
+        - 'escape'
+        - 'default'
+        - 'doctrine_format_sql'
+        - 'doctrine_prettify_sql'
+        - 'doctrine_pretty_query'
+        - 'doctrine_replace_query_parameters'
+        - 'first'
+        - 'format'
+        - 'abbr_class'
+        - 'abbr_method'
+        - 'file_link'
+        - 'file_relative'
+        - 'format_args'
+        - 'format_args_as_text'
+        - 'humanize'
+        - 'json_encode'
+        - 'keys'
+        - 'last'
+        - 'length'
+        - 'lower'
+        - 'merge'
+        - 'replace'
+        - 'round'
+        - 'split'
+        - 'striptags'
+        - 'title'
+        - 'trim'
+        - 'no_image_product'
+        - 'date_format'
+        - 'price'
+        - 'ellipsis'
+        - 'time_ago'
+        - 'upper'
+        - 'date_modify'
+        - 'escape'
+        - 'nl2br'
+        - 'number_format'
+        - 'slice'
+        - 'split'
+        - 'striptags'
+    allowed_functions:
+        - 'cycle'
+        - 'max'
+        - 'min'
+        - 'random'
+        - 'range'
+        - 'template_from_string'
+        - 'absolute_url'
+        - 'asset'
+        - 'asset_version'
+        - 'csrf_token'
+        - 'form_parent'
+        - 'fragment_uri'
+        - 'impersonation_exit_path'
+        - 'impersonation_exit_url'
+        - 'is_granted'
+        - 'logout_path'
+        - 'logout_url'
+        - 'path'
+        - 'relative_path'
+        - 't'
+        - 'url'
+        - 'calc_inc_tax'
+        - 'active_menus'
+        - 'csrf_token_for_anchor'
+        - 'url'
+        - 'path'
+        - 'is_object'
+        - 'get_product'
+        - 'date'
+    allowed_methods: []
+    allowed_properties: []
diff --git a/src/Eccube/Resource/template/default/Product/detail.twig b/src/Eccube/Resource/template/default/Product/detail.twig
@@ -278,7 +278,7 @@ $(function(){
         {% if Product.freearea %}
         <div id="sub_area" class="row">
             <div class="col-sm-10 col-sm-offset-1">
-                <div id="detail_free_box__freearea" class="freearea">{{ include(template_from_string(Product.freearea)) }}</div>
+                <div id="detail_free_box__freearea" class="freearea">{{ include(template_from_string(Product.freearea), sandboxed = true) }}</div>
             </div>
         </div>
         {% endif %}
diff --git a/src/Eccube/ServiceProvider/SandboxServiceProvider.php b/src/Eccube/ServiceProvider/SandboxServiceProvider.php
@@ -0,0 +1,46 @@
+<?php
+
+namespace Eccube\ServiceProvider;
+
+use Eccube\EventListener\LogListener;
+use Eccube\Log\Logger;
+use Eccube\Log\Monolog\Helper\LogHelper;
+use Eccube\Twig\Extension\IgnoreTwigSandboxErrorExtension;
+use Silex\Application;
+use Silex\ServiceProviderInterface;
+use Symfony\Bridge\Twig\Extension\DumpExtension;
+
+/**
+ * Class LogServiceProvider
+ *
+ * @package Eccube\ServiceProvider
+ */
+class SandboxServiceProvider implements ServiceProviderInterface
+{
+    public function register(Application $app)
+    {
+        $app['twig'] = $app->share($app->extend('twig', function ($twig, $app) {
+
+            // ホワイトリストの設定
+            $twig_sandbox_list = $app['config']['twig_sandbox'];
+
+            $tags = $twig_sandbox_list['allowed_tags'];
+            $filters = $twig_sandbox_list['allowed_filters'];
+            $methods = $twig_sandbox_list['allowed_methods'];
+            $properties =  $twig_sandbox_list['allowed_properties'];
+            $functions = $twig_sandbox_list['allowed_functions'];
+
+            $policy = new \Twig\Sandbox\SecurityPolicy($tags, $filters, $methods, $properties, $functions);
+            $sandbox = new \Twig\Extension\SandboxExtension($policy);
+
+            $twig->addExtension($sandbox);
+            $twig->addExtension(new IgnoreTwigSandboxErrorExtension());
+
+            return $twig;
+        }));
+    }
+
+    public function boot(Application $app)
+    {
+    }
+}
diff --git a/src/Eccube/Twig/Extension/IgnoreTwigSandboxErrorExtension.php b/src/Eccube/Twig/Extension/IgnoreTwigSandboxErrorExtension.php
@@ -0,0 +1,78 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Twig\Extension;
+
+use Twig\Environment;
+use Twig\Error\LoaderError;
+use Twig\Extension\AbstractExtension;
+use Twig\Extension\SandboxExtension;
+use Twig\Sandbox\SecurityError;
+use Twig\TwigFunction;
+
+/**
+ * \vendor\twig\twig\src\Extension\CoreExtension の拡張
+ */
+class IgnoreTwigSandboxErrorExtension extends AbstractExtension
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function getFunctions()
+    {
+        return array(
+            new \Twig_SimpleFunction('include', array($this, 'twig_include'), array('needs_environment' => true, 'needs_context' => true, 'is_safe' => array('all'))),
+        );
+    }
+
+    /**
+     * twig sandboxの例外を操作します
+     * app_env = devの場合、エラーを表示する
+     * app_env = prodの場合、エラーを表示しない
+     *
+     * @param Environment $env
+     * @param $context
+     * @param $template
+     * @param $variables
+     * @param $withContext
+     * @param $ignoreMissing
+     * @param $sandboxed
+     *
+     * @return string|void
+     *
+     * @throws LoaderError
+     * @throws SecurityError
+     */
+    public function twig_include(Environment $env, $context, $template, $variables = array(), $withContext = true, $ignoreMissing = false, $sandboxed = false)
+    {
+        try {
+            return \twig_include($env, $context, $template, $variables, $withContext, $ignoreMissing, $sandboxed);
+        } catch (SecurityError $e) {
+
+            // devではエラー画面が表示されるようにする
+            $app = \Eccube\Application::getInstance(array('output_config_php' => false));
+            if ($app['debug']) {
+                throw $e;
+            } else {
+                // ログ出力
+                log_warning($e->getMessage(), array('exception' => $e));
+
+                // 例外がスローされた場合、sandboxが効いた状態になってしまうため追加
+                $sandbox = $env->getExtension( '\Twig\Extension\SandboxExtension');
+                if (!$sandbox->isSandboxedGlobally()) {
+                    $sandbox->disableSandbox();
+                }
+            }
+        }
+    }
+}
diff --git a/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php b/tests/Eccube/Tests/Twig/Extension/IgnoreTwigSandboxErrorExtensionTest.php
@@ -0,0 +1,86 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\Tests\Twig\Extension;
+
+use Eccube\Tests\Web\AbstractWebTestCase;
+
+class IgnoreTwigSandboxErrorExtensionTest extends AbstractWebTestCase
+{
+    protected $app;
+
+
+    public function setUp()
+    {
+        parent::setUp();
+        $this->app = \Eccube\Application::getInstance();
+        $this->app['debug'] = false;
+    }
+
+
+    public function tearDown()
+    {
+        $this->app['debug'] = true;
+        parent::tearDown();
+    }
+
+    /**
+     * @dataProvider twigSnippetsProvider
+     */
+    public function testFreeArea($snippet, $whitelisted)
+    {
+        $Product = $this->createProduct();
+        $Product->setFreeArea('__RENDERED__'.$snippet);
+        $this->app['orm.em']->flush();
+        
+        $crawler = $this->client->request('GET', $this->app['url_generator']->generate('product_detail', array('id' => $Product->getId())));
+        $text = $crawler->text();
+
+        // $snippetがsandboxで制限された場合はフリーエリアは空で出力されるため、__RENDERED__の出力有無で結果を確認する
+        if ($whitelisted) {
+            self::assertContains('__RENDERED__', $text);
+        } else {
+            self::assertNotContains('__RENDERED__', $text);
+        }
+    }
+
+    public function twigSnippetsProvider()
+    {
+        // 0: twigスニペット, 1: ホワイトリスト対象かどうか
+        return array(
+            // タグ・フィルター・関数
+            array('{% set foo = "bar" %}', true),
+            array('{% with %} test {% endwith %}', true),
+            array('{% if true %} <p>test</p> {% endif %}', true),
+            array('{% autoescape %} test {% endautoescape %}', false),
+            array('{% macro input(name, value, type = "text", size = 20) %}<input type="{{ type }}" name="{{ name }}" value="{{ value|e }}" size="{{ size }}"/>{% endmacro %}', false),
+            array('{% include "index.twig" %}', false),
+            array('{{ "-5"|abs }}', true),
+            array('{{ "2020/02/01"|date }}', true),
+            array('{{ [1, 2, 3, 4]|first }}', true),
+            array('{{ [1, 2, 3]|sort }}', false),
+            array('{{ "<p> <strong>test</strong> </p>" |raw }}', false),
+            array('{{ url("homepage") }}', true),
+            array('{{ random(1, 100) }}', true),
+            array('{% for i in range(3, 0) %} {{ i }}, {% endfor %}', true),
+            array('{{ source("index.twig") }}', false),
+            array('{{ form_start(form) }} <div>test </div> {{ form_end(form) }}', false),
+            array('{{ include(template_from_string("Hello")) }}', false),
+            // 変数
+            array('{{ Product.name }}', true),
+            array('{{ app.session }}', false),
+            array('{{ app.security }}', false),
+            array('{{ app.request.cookies }}', false),
+        );
+    }
+}
