Added Twig Sandbox Extension

humhub · Jan 6, 2024 · 42c421a · 42c421a
1 parent e9da3d5
commit 42c421a
Show file tree

Hide file tree

Showing 5 changed files with 59 additions and 8 deletions.
diff --git a/Module.php b/Module.php
@@ -20,14 +20,35 @@ class Module extends ContentContainerModule
 
     public $resourcesPath = 'resources';
 
+
+    /**
+     * @see https://twig.symfony.com/doc/3.x/api.html#sandbox-extension
+     * @var bool
+     */
+    public $enableTwiqSandboxExtension = true;
+
+    /**
+     * @see https://twig.symfony.com/doc/3.x/api.html#sandbox-extension
+     * @var array
+     */
+    public $enableTwiqSandboxExtensionConfig = [
+        'allowedTags' => ['autoescape', 'apply', 'block', 'if', 'with', 'for', 'set'],
+        'allowedFilters' => ['capitalize', 'date', 'first', 'upper', 'escape', 'nl2br', 'url_encode', 'round'],
+        'allowedFunctions' => ['range', 'max', 'min'],
+        'allowedMethods' => [
+            'humhub\modules\custom_pages\modules\template\models\OwnerContentVariable' => '__toString',
+        ],
+        'allowedProperties' => ['sidebar_container', 'content', 'sidebar_container'],
+    ];
+
     public function checkOldGlobalContent()
     {
 
-        if(!Yii::$app->user->isAdmin()) {
+        if (!Yii::$app->user->isAdmin()) {
             return;
         }
 
-        if(!$this->settings->get(static::SETTING_MIGRATION_KEY, 0)) {
+        if (!$this->settings->get(static::SETTING_MIGRATION_KEY, 0)) {
             foreach (Page::find()->all() as $page) {
                 $page->content->visibility = $page->admin_only ? Content::VISIBILITY_PRIVATE : Content::VISIBILITY_PUBLIC;
                 $page->content->save();

diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
@@ -1,8 +1,10 @@
 Changelog
 =========
-TBA
----
+
+1.10.0 (January 6, 2024)
+------------------------
 - Fix: Highlight admin menu entry when "Template" page is active
+- Enh: Added Twig Sandbox Extension and restricted Twig templating features by default 
 
 1.9.6 (December 12, 2023)
 -------------------------

diff --git a/docs/MANUAL.md b/docs/MANUAL.md
@@ -25,12 +25,14 @@ Most content types provide the following setting which may vary between differen
 
 ## Templates
 
-The custom pages module provides a simple template mechanism based on [twig](https://twig.symfony.com/).
+The custom pages module provides a simple template mechanism based on [Twig](https://twig.symfony.com/).
 Templates can be maintained under `Administration -> Templates`.
 
-> Note: In order to use template based pages or snippets on space level, you'll have to allow the layout for spaces within the general settings
+> Note: In order to use template based pages or snippets on Space level, you'll have to allow the layout for spaces within the general settings
 of the template.
 
+> Note: As of module version 1.10.0, the Twig Sandbox Extension is activated by default and restricts some Twig features. This behavior can be switched off or changed via the configuration. See: https://github.com/humhub/custom-pages/blob/master/Module.php#L24-L43
+
 ### Layouts
 
 When creating a new template based page or snippet, you have to select a layout template which is used as the base layout of your page.

diff --git a/lib/templates/twig/TwigEngine.php b/lib/templates/twig/TwigEngine.php
@@ -8,7 +8,11 @@
 namespace humhub\modules\custom_pages\lib\templates\twig;
 
 use humhub\modules\custom_pages\lib\templates\TemplateEngine;
+use humhub\modules\custom_pages\Module;
 use Twig\Environment;
+use Twig\Extension\SandboxExtension;
+use Twig\Sandbox\SecurityPolicy;
+use Yii;
 
 /**
  * The TwigEngine is the default template eninge of this module and is used to
@@ -20,7 +24,7 @@ class TwigEngine implements TemplateEngine
 {
     /**
      * @inheritdoc
-     * 
+     *
      * @param string $template template name
      * @param array $content array input [elementName => content]
      * @return string
@@ -30,7 +34,29 @@ public function render($template, $content)
         $loader = new DatabaseTwigLoader();
         $twig = new Environment($loader, ['autoescape' => false, 'debug' => true]);
 
+        $securityPolicy = $this->getSecurityPolicy();
+        if ($securityPolicy !== null) {
+            $twig->addExtension(new SandboxExtension($securityPolicy, true));
+        }
         return $twig->render($template, $content);
     }
 
+    private function getSecurityPolicy(): ?SecurityPolicy
+    {
+        /** @var Module $module */
+        $module = Yii::$app->getModule('custom_pages');
+
+        if (!$module->enableTwiqSandboxExtension) {
+            return null;
+        }
+
+        $policy = new SecurityPolicy();
+        $policy->setAllowedTags($module->enableTwiqSandboxExtensionConfig['allowedTags']);
+        $policy->setAllowedMethods($module->enableTwiqSandboxExtensionConfig['allowedMethods']);
+        $policy->setAllowedFilters($module->enableTwiqSandboxExtensionConfig['allowedFilters']);
+        $policy->setAllowedProperties($module->enableTwiqSandboxExtensionConfig['allowedProperties']);
+
+        return $policy;
+    }
+
 }
diff --git a/module.json b/module.json
@@ -3,7 +3,7 @@
     "name": "Custom Pages",
     "description": "Create custom pages and widgets and share them with your users. Take advantage of a wide range of editing options, including HTML and Markdown.",
     "keywords": ["pages", "custom", "iframe", "markdown", "link", "navigation", "spaces"],
-    "version": "1.9.6",
+    "version": "1.10.0",
     "homepage": "https://github.com/humhub/custom-pages",
     "humhub": {
         "minVersion": "1.14"