diff --git a/core/lib/Drupal/Core/Template/TwigSandboxPolicy.php b/core/lib/Drupal/Core/Template/TwigSandboxPolicy.php index 7b768f7..ad2ceb5 100644 --- a/core/lib/Drupal/Core/Template/TwigSandboxPolicy.php +++ b/core/lib/Drupal/Core/Template/TwigSandboxPolicy.php @@ -20,6 +20,56 @@ class TwigSandboxPolicy implements \Twig_Sandbox_SecurityPolicyInterface { /** + * An array of whitelisted methods in the form of methodName => TRUE. + */ + protected $whitelisted_methods = NULL; + + /** + * An array of whitelisted method prefixes -- any method starting with one of + * these prefixes will be allowed. + */ + protected $whitelisted_prefixes = NULL; + + /** + * An array of objects for which any method calls are allowed. + */ + protected $whitelisted_objects = NULL; + + public function __construct() { + // Allow settings.php to override our default whitelisted objects, methods, + // and prefixes. + $whitelisted_objects = Settings::get('twig_sandbox_whitelisted_objects', [ + // Allow any operations on the Attribute object as it is intended to be + // changed from a Twig template, for example calling addClass(). + 'Drupal\Core\Template\Attribute', + ]); + + $whitelisted_methods = Settings::get('twig_sandbox_whitelisted_methods', [ + // Only allow idempotent methods. + 'id', + 'label', + 'bundle', + 'get', + '__toString', + ]); + + $this->whitelisted_prefixes = Settings::get('twig_sandbox_whitelisted_prefixes', [ + 'get', + 'has', + 'is', + ]); + + // Convert a basic array into whitelisted_item => TRUE. This allows us to + // use isset() which is faster than in_array(). + foreach ($whitelisted_methods as $method) { + $this->whitelisted_methods[$method] = TRUE; + } + foreach ($whitelisted_objects as $object) { + $this->whitelisted_objects[$object] = TRUE; + } + } + + /** * {@inheritdoc} */ public function checkSecurity($tags, $filters, $functions) {} @@ -33,43 +83,18 @@ public function checkPropertyAllowed($obj, $property) {} * {@inheritdoc} */ public function checkMethodAllowed($obj, $method) { - if ($obj instanceof Attribute) { - // Allow any operations on the Attribute object as it is intended to be - // changed from a Twig template, for example calling addClass(). This - // cannot be overridden by settings.php. + if (isset($this->whitelisted_objects[get_class($obj)])) { return TRUE; } - // Allow settings.php to override our default whitelisted methods and - // prefixes. - static $whitelisted_methods = NULL; - static $whitelisted_prefixes = NULL; - - if (!isset($whitelisted_methods) || !isset($whitelisted_prefixes)) { - $whitelisted_methods = Settings::get('twig_sandbox_whitelisted_methods') ?: [ - // Only allow idempotent methods. Note: using the form method_name => - // TRUE allows us to use isset() which is faster than in_array(). - 'id' => TRUE, - 'label' => TRUE, - 'bundle' => TRUE, - 'get' => TRUE, - '__toString' => TRUE, - ]; - $whitelisted_prefixes = Settings::get('twig_sandbox_whitelisted_prefixes') ?: [ - 'get', - 'has', - 'is', - ]; - } - // Return quickly for an exact match of the method name. - if (isset($whitelisted_methods[$method])) { + if (isset($this->whitelisted_methods[$method])) { return TRUE; } // If the method name starts with a whitelisted prefix, allow it. // Note: strpos() is between 3x and 7x faster than preg_match in this case. - foreach ($whitelisted_prefixes as $prefix) { + foreach ($this->whitelisted_prefixes as $prefix) { if (strpos($method, $prefix) === 0) { return TRUE; } diff --git a/core/tests/Drupal/Tests/Core/Template/TwigSandboxTest.php b/core/tests/Drupal/Tests/Core/Template/TwigSandboxTest.php index 0b17b9f..80eed7a 100644 --- a/core/tests/Drupal/Tests/Core/Template/TwigSandboxTest.php +++ b/core/tests/Drupal/Tests/Core/Template/TwigSandboxTest.php @@ -8,6 +8,7 @@ namespace Drupal\Tests\Core\Template; use Drupal\Core\Template\TwigSandboxPolicy; +use Drupal\Core\Template\Loader\StringLoader; use Drupal\Tests\UnitTestCase; /** @@ -26,10 +27,13 @@ class TwigSandboxTest extends UnitTestCase { */ protected $twig; + /** + * {@inheritdoc} + */ protected function setUp() { parent::setUp(); - $loader = new \Twig_Loader_String(); + $loader = new StringLoader(); $this->twig = new \Twig_Environment($loader); $policy = new TwigSandboxPolicy(); $sandbox = new \Twig_Extension_Sandbox($policy, TRUE);