intaro / twig-sandbox-bundle
Annotation configuration of the allowed methods and properties for Twig_Sandbox extension
Installs: 440 721
Dependents: 0
Suggesters: 0
Security: 0
Stars: 6
Watchers: 6
Forks: 7
Open Issues: 1
Type:symfony-bundle
Requires
- php: ^8.1
- doctrine/annotations: ^1.13|^2.0
- psr/cache: ~1.0|~2.0
- symfony/framework-bundle: ^6.0
- symfony/validator: ^6.0
- twig/twig: ^2.14 | ^3.0
Requires (Dev)
- friendsofphp/php-cs-fixer: ^3
- nyholm/symfony-bundle-test: ^3.0
- phpstan/phpstan: ^1.0
- phpstan/phpstan-symfony: ^1.0
- phpunit/phpunit: ^8.5|^9.5
- psr/log: ~1.0
- symfony/config: ^6.0
- symfony/dependency-injection: ^6.0
- symfony/deprecation-contracts: ^1.1|^2.0
- symfony/error-handler: ^6.0
- symfony/event-dispatcher: ^6.0
- symfony/event-dispatcher-contracts: ^1.1|^2.0
- symfony/filesystem: ^6.0
- symfony/finder: ^6.0
- symfony/http-foundation: ^6.0
- symfony/http-kernel: ^6.0
- symfony/phpunit-bridge: ^6.0
- symfony/routing: ^6.0
- symfony/translation-contracts: ^1.1|^2.0
- symfony/var-dumper: ^6.0
- symfony/var-exporter: ^6.0
- symfony/yaml: ^6.0
README
There is Twig-extension Sandbox which can be used to evaluate untrusted code and where access to unsafe properties and methods is prohibited. This bundle allows to configure security policy for sandbox.
Installation
TwigSandboxBundle requires Symfony 6.0 or higher.
Install the bundle:
$ composer require intaro/twig-sandbox-bundle
Register the bundle in config/bundles.php
:
return [ // ... Intaro\TwigSandboxBundle\IntaroTwigSandboxBundle::class => ['all' => true], ];
Usage
Define allowed properties and methods for your entities using attribute #[Sandbox]
.
Optionally you can add type
option for attribute (for example #[Sandbox(type: 'int')]
).
This option defines type of value that property stores or method returns.
In your application you can use annotation reader to extract value of type
option and use this value
to perform additional checks or any other actions, for example, use twig filters according to value of the option.
<?php // Acme/DemoBundle/Entity/Product.php namespace Acme\DemoBundle\Entity; use Doctrine\ORM\Mapping as ORM; use Intaro\TwigSandboxBundle\Annotation\Sandbox; #[ORM\Table] #[ORM\Entity] class Product { #[ORM\Column(name: 'id', type: 'integer')] #[ORM\Id] #[ORM\GeneratedValue(strategy: "AUTO")] private ?int $id = null; #[ORM\Column(name: 'name', type: 'string', length: 255)] #[Sandbox(type: 'string')] private string $name = ''; #[ORM\Column(name: 'quantity', type: 'integer', nullable: true)] private ?int $quantity = null; #[Sandbox(type: 'int')] public function getId(): ?int { return $this->id; } public function setName(string $name): self { $this->name = $name; return $this; } #[Sandbox] public function getName(): string { return $this->name; } public function setQuantity(?int $quantity): self { $this->quantity = $quantity; return $this; } public function getQuantity(): ?int { return $this->quantity; } }
And use sandbox environment.
use Acme\DemoBundle\Entity\Product; use Intaro\TwigSandboxBundle\Builder\EnvironmentBuilder; class Example { private EnvironmentBuilder $environmentBuilder; public function __construct(EnvironmentBuilder $environmentBuilder) { $this->environmentBuilder = $environmentBuilder; } $twig = $this->environmentBuilder->getSandboxEnvironment(); $product = new Product(); $product->setName('Product 1'); $product->setQuantity(5); // successful render $html1 = $twig->render( 'Product {{ product.name }}', ['product' => $product] ); // render with the exception on access to the quantity method $html2 = $twig->render( 'Product {{ product.name }} in the quantity {{ product.quantity }}', ['product' => $product] ); }
Validation
You can validate entity fields which contain twig templates with TwigSandbox validator.
// in Entity/Page.php use Intaro\TwigSandboxBundle\Validator\Constraints\TwigSandbox; class Page { //... public static function loadValidatorMetadata(ClassMetadata $metadata) { $metadata->addPropertyConstraint('template', new TwigSandbox()); } //... }
Configure
Methods and properties
You can define allowed methods and properties of entities with attribute Intaro\TwigSandboxBundle\Attribute\Sandbox
. Example above.
Tags
Default list of the allowed tags:
- 'autoescape' - 'filter' - 'do' - 'flush' - 'for' - 'set' - 'verbatium' - 'if' - 'spaceless'
You can override list in the parameter intaro.twig_sandbox.policy_tags
:
# app/config/config.yml parameters: intaro.twig_sandbox.policy_tags: - 'do' - 'for' - 'if' - 'spaceless'
Filters
Default list of the allowed filters:
- 'abs' - 'batch' - 'capitalize' - 'convert_encoding' - 'date' - 'date_modify' - 'default' - 'escape' - 'first' - 'format' - 'join' - 'json_encode' - 'keys' - 'last' - 'length' - 'lower' - 'merge' - 'nl2br' - 'number_format' - 'raw' - 'replace' - 'reverse' - 'slice' - 'sort' - 'split' - 'striptags' - 'title' - 'trim' - 'upper' - 'url_encode'
You can override list in the parameter intaro.twig_sandbox.policy_filters
:
# app/config/config.yml parameters: intaro.twig_sandbox.policy_filters: - 'sort' - 'upper' - 'sort'
Functions
Default list of the allowed functions:
- 'attribute' - 'constant' - 'cycle' - 'date' - 'random' - 'range'
You can override list in parameter intaro.twig_sandbox.policy_functions
:
# app/config/config.yml parameters: intaro.twig_sandbox.policy_functions: - 'date' - 'range'
Allowed types
Default list of allowed return types:
- 'bool' - 'collection' - 'date' - 'float' - 'int' - 'object' - 'string'
You can override list in parameter intaro.twig_sandbox.sandbox_annotation.value_types
:
# app/config/config.yml parameters: intaro.twig_sandbox.sandbox_annotation.value_types: - 'string' - 'date' - 'collection' - 'stdClass'
Environment
You can set twig environment parameters:
$twig = $this->get(EnvironmentBuilder::class)->getSandboxEnvironment([ 'strict_variables' => true ]);
Also, you might want to add extensions to your twig environment. Example how to add:
// Acme/DemoBundle/AcmeDemoBundle.php <?php namespace Acme\DemoBundle; use Symfony\Component\HttpKernel\Bundle\Bundle; use Symfony\Component\DependencyInjection\ContainerBuilder; use Acme\DemoBundle\DependencyInjection\Compiler\TwigSandboxPass; class AcmeDemoBundle extends Bundle { public function build(ContainerBuilder $container) { parent::build($container); $container->addCompilerPass(new TwigSandboxPass()); } }
// Acme/DemoBundle/DependencyInjection/Compiler/TwigSandboxPass.php <?php namespace Acme\DemoBundle\DependencyInjection\Compiler; use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface; use Symfony\Component\DependencyInjection\ContainerBuilder; use Symfony\Component\DependencyInjection\Reference; use Intaro\TwigSandboxBundle\Builder\EnvironmentBuilder; class TwigSandboxPass implements CompilerPassInterface { public function process(ContainerBuilder $container) { if (!$container->hasDefinition(EnvironmentBuilder::class)) { return; } $sandbox = $container->getDefinition(EnvironmentBuilder::class); $sandbox->addMethodCall('addExtension', [new Reference('acme_demo.twig_extension')]); } }
Other parameters
You can specify additional directories for each bundle to scan (using parameter intaro.twig_sandbox.additional_paths
).
Example:
# app/config/config.yml parameters: intaro.twig_sandbox.additional_paths: AcmeDemoBundle: - 'Model'
Development
Run tests
Install vendors:
make vendor
Run php-cs-fixer, phpstan and phpunit:
make check