From 42c421ac78b09aa396b4f33288bee2e51a7b853e Mon Sep 17 00:00:00 2001 From: Lucas Bartholemy Date: Sat, 6 Jan 2024 20:02:35 +0100 Subject: [PATCH] Added Twig Sandbox Extension --- Module.php | 25 +++++++++++++++++++++++-- docs/CHANGELOG.md | 6 ++++-- docs/MANUAL.md | 6 ++++-- lib/templates/twig/TwigEngine.php | 28 +++++++++++++++++++++++++++- module.json | 2 +- 5 files changed, 59 insertions(+), 8 deletions(-) diff --git a/Module.php b/Module.php index ed1357eb..56b95578 100644 --- a/Module.php +++ b/Module.php @@ -20,14 +20,35 @@ class Module extends ContentContainerModule public $resourcesPath = 'resources'; + + /** + * @see https://twig.symfony.com/doc/3.x/api.html#sandbox-extension + * @var bool + */ + public $enableTwiqSandboxExtension = true; + + /** + * @see https://twig.symfony.com/doc/3.x/api.html#sandbox-extension + * @var array + */ + public $enableTwiqSandboxExtensionConfig = [ + 'allowedTags' => ['autoescape', 'apply', 'block', 'if', 'with', 'for', 'set'], + 'allowedFilters' => ['capitalize', 'date', 'first', 'upper', 'escape', 'nl2br', 'url_encode', 'round'], + 'allowedFunctions' => ['range', 'max', 'min'], + 'allowedMethods' => [ + 'humhub\modules\custom_pages\modules\template\models\OwnerContentVariable' => '__toString', + ], + 'allowedProperties' => ['sidebar_container', 'content', 'sidebar_container'], + ]; + public function checkOldGlobalContent() { - if(!Yii::$app->user->isAdmin()) { + if (!Yii::$app->user->isAdmin()) { return; } - if(!$this->settings->get(static::SETTING_MIGRATION_KEY, 0)) { + if (!$this->settings->get(static::SETTING_MIGRATION_KEY, 0)) { foreach (Page::find()->all() as $page) { $page->content->visibility = $page->admin_only ? Content::VISIBILITY_PRIVATE : Content::VISIBILITY_PUBLIC; $page->content->save(); diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index 25936100..f65c4f0f 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md 
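Review bot: The `allowedProperties` default is a flat list of property names, but if I read Twig 3's `SecurityPolicy` correctly, `checkPropertyAllowed()` iterates the array as `class => properties` and runs `$obj instanceof $class` on each key, so integer keys would make every sandboxed property access fail with a PHP `Error` ("Class name must be a valid object or a string") rather than a clean `SecurityError` — worth confirming against the Twig version pinned by the module. The fix is to key it by the exposing class, e.g. `'allowedProperties' => [OwnerContentVariable::class => ['sidebar_container', 'content']],` (the `allowedMethods` entry suggests `OwnerContentVariable` is that class, but verify), which also removes the duplicated `'sidebar_container'`. The new public property names carry the typo `Twiq`; since site administrators will pin these names in their module config, renaming later is a breaking change, so `enableTwigSandboxExtension` / `enableTwigSandboxExtensionConfig` should be settled now. The `Module` class itself begins before this hunk.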
@@ -1,8 +1,10 @@ Changelog ========= -TBA ---- + +1.10.0 (January 6, 2024) +------------------------ - Fix: Highlight admin menu entry when "Template" page is active +- Enh: Added Twig Sandbox Extension and restricted Twig templating features by default 1.9.6 (December 12, 2023) ------------------------- diff --git a/docs/MANUAL.md b/docs/MANUAL.md index 0476f56b..4974e8b4 100644 --- a/docs/MANUAL.md +++ b/docs/MANUAL.md @@ -25,12 +25,14 @@ Most content types provide the following setting which may vary between differen ## Templates -The custom pages module provides a simple template mechanism based on [twig](https://twig.symfony.com/). +The custom pages module provides a simple template mechanism based on [Twig](https://twig.symfony.com/). Templates can be maintained under `Administration -> Templates`. -> Note: In order to use template based pages or snippets on space level, you'll have to allow the layout for spaces within the general settings +> Note: In order to use template based pages or snippets on Space level, you'll have to allow the layout for spaces within the general settings of the template. +> Note: As of module version 1.10.0, the Twig Sandbox Extension is activated by default and restricts some Twig features. This behavior can be switched off or changed via the configuration. See: https://github.com/humhub/custom-pages/blob/master/Module.php#L24-L43 + ### Layouts When creating a new template based page or snippet, you have to select a layout template which is used as the base layout of your page. diff --git a/lib/templates/twig/TwigEngine.php b/lib/templates/twig/TwigEngine.php index 7db73e5a..f778bc15 100644 --- a/lib/templates/twig/TwigEngine.php +++ b/lib/templates/twig/TwigEngine.php 
@@ -8,7 +8,11 @@ namespace humhub\modules\custom_pages\lib\templates\twig; use humhub\modules\custom_pages\lib\templates\TemplateEngine; +use humhub\modules\custom_pages\Module; use Twig\Environment; +use Twig\Extension\SandboxExtension; +use Twig\Sandbox\SecurityPolicy; +use Yii; /** * The TwigEngine is the default template eninge of this module and is used to @@ -20,7 +24,7 @@ class TwigEngine implements TemplateEngine { /** * @inheritdoc - * + * * @param string $template template name * @param array $content array input [elementName => content] * @return string @@ -30,7 +34,29 @@ public function render($template, $content) $loader = new DatabaseTwigLoader(); $twig = new Environment($loader, ['autoescape' => false, 'debug' => true]); + $securityPolicy = $this->getSecurityPolicy(); + if ($securityPolicy !== null) { + $twig->addExtension(new SandboxExtension($securityPolicy, true)); + } return $twig->render($template, $content); } + private function getSecurityPolicy(): ?SecurityPolicy + { + /** @var Module $module */ + $module = Yii::$app->getModule('custom_pages'); + + if (!$module->enableTwiqSandboxExtension) { + return null; + } + + $policy = new SecurityPolicy(); + $policy->setAllowedTags($module->enableTwiqSandboxExtensionConfig['allowedTags']); + $policy->setAllowedMethods($module->enableTwiqSandboxExtensionConfig['allowedMethods']); + $policy->setAllowedFilters($module->enableTwiqSandboxExtensionConfig['allowedFilters']); + $policy->setAllowedProperties($module->enableTwiqSandboxExtensionConfig['allowedProperties']); + + return $policy; + } + } diff --git a/module.json b/module.json index ffccd093..b9430853 100644 --- a/module.json +++ b/module.json 
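Review bot: `getSecurityPolicy()` never applies the `allowedFunctions` key: it calls `setAllowedTags`, `setAllowedMethods`, `setAllowedFilters` and `setAllowedProperties` but not `setAllowedFunctions`, so Twig's policy keeps its default empty function list and `range`/`max`/`min`, which `Module.php` in this patch advertises as allowed, are rejected at render time. Add `$policy->setAllowedFunctions($module->enableTwiqSandboxExtensionConfig['allowedFunctions']);` alongside the other setters, or pass all five lists through the `SecurityPolicy` constructor so a missing setter is impossible. Reading the config keys directly also means a partial administrator override (e.g. only `allowedTags`) triggers undefined-index warnings and passes `null` to the setters; `$config['allowedTags'] ?? []` per key would fail closed instead. A short docblock on `getSecurityPolicy()` stating that `null` means "sandbox disabled by configuration" would make the `!== null` branch in `render()` self-explanatory.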
@@ -3,7 +3,7 @@ "name": "Custom Pages", "description": "Create custom pages and widgets and share them with your users. Take advantage of a wide range of editing options, including HTML and Markdown.", "keywords": ["pages", "custom", "iframe", "markdown", "link", "navigation", "spaces"], - "version": "1.9.6", + "version": "1.10.0", "homepage": "https://github.com/humhub/custom-pages", "humhub": { "minVersion": "1.14"