intaro/twig-sandbox-bundle

Annotation configuration of the allowed methods and properties for Twig_Sandbox extension

TwigSandboxBundle

, _(*1)

There is Twig-extension Sandbox which can be used to evaluate untrusted code and where access to unsafe properties and methods is prohibited. This bundle allows to configure security policy for sandbox., _(*2)

Installation

TwigSandboxBundle requires Symfony 6.0 or higher., _(*3)

Install the bundle:, _(*4)

$ composer require intaro/twig-sandbox-bundle

Register the bundle in config/bundles.php:, _(*5)

return [
    // ...
    Intaro\TwigSandboxBundle\IntaroTwigSandboxBundle::class => ['all' => true],
];

Usage

Define allowed properties and methods for your entities using attribute #[Sandbox]. Optionally you can add type option for attribute (for example #[Sandbox(type: 'int')]). This option defines type of value that property stores or method returns., _(*6)

In your application you can use annotation reader to extract value of type option and use this value to perform additional checks or any other actions, for example, use twig filters according to value of the option., _(*7)

<?php
// Acme/DemoBundle/Entity/Product.php

namespace Acme\DemoBundle\Entity;

use Doctrine\ORM\Mapping as ORM;
use Intaro\TwigSandboxBundle\Annotation\Sandbox;

 #[ORM\Table]
 #[ORM\Entity]
class Product
{
    #[ORM\Column(name: 'id', type: 'integer')]
    #[ORM\Id]
    #[ORM\GeneratedValue(strategy: "AUTO")]
    private ?int $id = null;

    #[ORM\Column(name: 'name', type: 'string', length: 255)]
    #[Sandbox(type: 'string')]
    private string $name = '';

    #[ORM\Column(name: 'quantity', type: 'integer', nullable: true)]
    private ?int $quantity = null;


    #[Sandbox(type: 'int')]
    public function getId(): ?int
    {
        return $this->id;
    }

    public function setName(string $name): self
    {
        $this->name = $name;

        return $this;
    }

    #[Sandbox]
    public function getName(): string
    {
        return $this->name;
    }

    public function setQuantity(?int $quantity): self
    {
        $this->quantity = $quantity;

        return $this;
    }

    public function getQuantity(): ?int
    {
        return $this->quantity;
    }
}

And use sandbox environment., _(*8)

use Acme\DemoBundle\Entity\Product;
use Intaro\TwigSandboxBundle\Builder\EnvironmentBuilder;

class Example {

    private EnvironmentBuilder $environmentBuilder;

    public function __construct(EnvironmentBuilder $environmentBuilder)
    {
        $this->environmentBuilder = $environmentBuilder;
    }

    $twig = $this->environmentBuilder->getSandboxEnvironment();

    $product = new Product();
    $product->setName('Product 1');
    $product->setQuantity(5);

    // successful render
    $html1 = $twig->render(
        'Product {{ product.name }}',
        ['product' => $product]
    );

    // render with the exception on access to the quantity method
    $html2 = $twig->render(
        'Product {{ product.name }} in the quantity {{ product.quantity }}',
        ['product' => $product]
    );

}

Validation

You can validate entity fields which contain twig templates with TwigSandbox validator., _(*9)

// in Entity/Page.php

use Intaro\TwigSandboxBundle\Validator\Constraints\TwigSandbox;

class Page
{
    //...

    public static function loadValidatorMetadata(ClassMetadata $metadata)
    {
        $metadata->addPropertyConstraint('template', new TwigSandbox());
    }

    //...
}

Configure

Methods and properties

You can define allowed methods and properties of entities with attribute Intaro\TwigSandboxBundle\Attribute\Sandbox. Example above., _(*10)

Tags

Default list of the allowed tags:, _(*11)

- 'autoescape'
- 'filter'
- 'do'
- 'flush'
- 'for'
- 'set'
- 'verbatium'
- 'if'
- 'spaceless'

You can override list in the parameter intaro.twig_sandbox.policy_tags:, _(*12)

# app/config/config.yml

parameters:
    intaro.twig_sandbox.policy_tags:
        - 'do'
        - 'for'
        - 'if'
        - 'spaceless'

Filters

Default list of the allowed filters:, _(*13)

- 'abs'
- 'batch'
- 'capitalize'
- 'convert_encoding'
- 'date'
- 'date_modify'
- 'default'
- 'escape'
- 'first'
- 'format'
- 'join'
- 'json_encode'
- 'keys'
- 'last'
- 'length'
- 'lower'
- 'merge'
- 'nl2br'
- 'number_format'
- 'raw'
- 'replace'
- 'reverse'
- 'slice'
- 'sort'
- 'split'
- 'striptags'
- 'title'
- 'trim'
- 'upper'
- 'url_encode'

You can override list in the parameter intaro.twig_sandbox.policy_filters:, _(*14)

# app/config/config.yml

parameters:
    intaro.twig_sandbox.policy_filters:
        - 'sort'
        - 'upper'
        - 'sort'

Functions

Default list of the allowed functions:, _(*15)

- 'attribute'
- 'constant'
- 'cycle'
- 'date'
- 'random'
- 'range'

You can override list in parameter intaro.twig_sandbox.policy_functions:, _(*16)

# app/config/config.yml

parameters:
    intaro.twig_sandbox.policy_functions:
        - 'date'
        - 'range'

Allowed types

Default list of allowed return types:, _(*17)

- 'bool'
- 'collection'
- 'date'
- 'float'
- 'int'
- 'object'
- 'string'

You can override list in parameter intaro.twig_sandbox.sandbox_annotation.value_types:, _(*18)

# app/config/config.yml

parameters:
    intaro.twig_sandbox.sandbox_annotation.value_types:
        - 'string'
        - 'date'
        - 'collection'
        - 'stdClass'

Environment

You can set twig environment parameters:, _(*19)

$twig = $this->get(EnvironmentBuilder::class)->getSandboxEnvironment([
    'strict_variables' => true
]);

Also, you might want to add extensions to your twig environment. Example how to add:, _(*20)

// Acme/DemoBundle/AcmeDemoBundle.php
<?php

namespace Acme\DemoBundle;

use Symfony\Component\HttpKernel\Bundle\Bundle;
use Symfony\Component\DependencyInjection\ContainerBuilder;
use Acme\DemoBundle\DependencyInjection\Compiler\TwigSandboxPass;

class AcmeDemoBundle extends Bundle
{
    public function build(ContainerBuilder $container)
    {
        parent::build($container);

        $container->addCompilerPass(new TwigSandboxPass());
    }
}

// Acme/DemoBundle/DependencyInjection/Compiler/TwigSandboxPass.php
<?php

namespace Acme\DemoBundle\DependencyInjection\Compiler;

use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
use Symfony\Component\DependencyInjection\ContainerBuilder;
use Symfony\Component\DependencyInjection\Reference;
use Intaro\TwigSandboxBundle\Builder\EnvironmentBuilder;

class TwigSandboxPass implements CompilerPassInterface
{
    public function process(ContainerBuilder $container)
    {
        if (!$container->hasDefinition(EnvironmentBuilder::class)) {
            return;
        }

        $sandbox = $container->getDefinition(EnvironmentBuilder::class);
        $sandbox->addMethodCall('addExtension', [new Reference('acme_demo.twig_extension')]);
    }
}

Development

Run tests

Install vendors:, _(*21)

make vendor

Run php-cs-fixer, phpstan and phpunit:, _(*22)

make check