Fix sandbox for methods

hason · hason · commit fb3f27c74f5c · 2021-01-25T16:04:14.000+01:00
diff --git a/src/Template.php b/src/Template.php
@@ -15,6 +15,8 @@
 use Twig\Error\Error;
 use Twig\Error\LoaderError;
 use Twig\Error\RuntimeError;
+use Twig\Extension\SandboxExtension;
+use Twig\Sandbox\SecurityError;
 
 /**
  * Default base class for compiled templates.
@@ -526,6 +528,7 @@ final protected function getContext($context, $item, $ignoreStrictCheck = false)
      * @return mixed The attribute value, or a Boolean when $isDefinedTest is true, or null when the attribute is not set and $ignoreStrictCheck is true
      *
      * @throws RuntimeError if the attribute does not exist and Twig is running in strict mode and $isDefinedTest is false
+     * @throws SecurityError if the attribute is not allowed
      *
      * @internal
      */
@@ -601,17 +604,23 @@ protected function getAttribute($object, $item, array $arguments = [], $type = s
         }
 
         // object property
+        $propertySandboxException = null;
         if (self::METHOD_CALL !== $type && !$object instanceof self) { // \Twig\Template does not have public properties, and we don't want to allow access to internal ones
             if (isset($object->$item) || \array_key_exists((string) $item, (array) $object)) {
                 if ($isDefinedTest) {
                     return true;
                 }
 
                 if ($this->env->hasExtension('\Twig\Extension\SandboxExtension')) {
-                    $this->env->getExtension('\Twig\Extension\SandboxExtension')->checkPropertyAllowed($object, $item);
+                    try {
+                        $this->env->getExtension('\Twig\Extension\SandboxExtension')->checkPropertyAllowed($object, $item);
+                    } catch (SecurityError $propertySandboxException) {
+                    }
                 }
 
-                return $object->$item;
+                if (null === $propertySandboxException) {
+                    return $object->$item;
+                }
             }
         }
 
@@ -678,6 +687,10 @@ protected function getAttribute($object, $item, array $arguments = [], $type = s
                 return false;
             }
 
+            if (null !== $propertySandboxException) {
+                throw $propertySandboxException;
+            }
+
             if ($ignoreStrictCheck || !$this->env->isStrictVariables()) {
                 return;
             }
@@ -690,7 +703,15 @@ protected function getAttribute($object, $item, array $arguments = [], $type = s
         }
 
         if ($this->env->hasExtension('\Twig\Extension\SandboxExtension')) {
-            $this->env->getExtension('\Twig\Extension\SandboxExtension')->checkMethodAllowed($object, $method);
+            try {
+                $this->env->getExtension(SandboxExtension::class)->checkMethodAllowed($object, $call ? '__call' : $method);
+            } catch (SecurityError $e) {
+                if ($call && null !== $propertySandboxException) {
+                    throw $propertySandboxException;
+                }
+
+                throw $e;
+            }
         }
 
         // Some objects throw exceptions when they have __call, and the method we try
@@ -702,6 +723,10 @@ protected function getAttribute($object, $item, array $arguments = [], $type = s
                 $ret = \call_user_func_array([$object, $method], $arguments);
             }
         } catch (\BadMethodCallException $e) {
+            if ($call && null !== $propertySandboxException) {
+                throw $propertySandboxException;
+            }
+
             if ($call && ($ignoreStrictCheck || !$this->env->isStrictVariables())) {
                 return;
             }

Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,8 @@`
`15`	`15`	`use Twig\Error\Error;`
`16`	`16`	`use Twig\Error\LoaderError;`
`17`	`17`	`use Twig\Error\RuntimeError;`
	`18`	`+use Twig\Extension\SandboxExtension;`
	`19`	`+use Twig\Sandbox\SecurityError;`
`18`	`20`
`19`	`21`	`/**`
`20`	`22`	`* Default base class for compiled templates.`
`@@ -526,6 +528,7 @@ final protected function getContext($context, $item, $ignoreStrictCheck = false)`
`526`	`528`	`* @return mixed The attribute value, or a Boolean when $isDefinedTest is true, or null when the attribute is not set and $ignoreStrictCheck is true`
`527`	`529`	`*`
`528`	`530`	`* @throws RuntimeError if the attribute does not exist and Twig is running in strict mode and $isDefinedTest is false`
	`531`	`+ * @throws SecurityError if the attribute is not allowed`
`529`	`532`	`*`
`530`	`533`	`* @internal`
`531`	`534`	`*/`
`@@ -601,17 +604,23 @@ protected function getAttribute($object, $item, array $arguments = [], $type = s`
`601`	`604`	`}`
`602`	`605`
`603`	`606`	`// object property`
	`607`	`+ $propertySandboxException = null;`
`604`	`608`	`if (self::METHOD_CALL !== $type && !$object instanceof self) { // \Twig\Template does not have public properties, and we don't want to allow access to internal ones`
`605`	`609`	`if (isset($object->$item) \|\| \array_key_exists((string) $item, (array) $object)) {`
`606`	`610`	`if ($isDefinedTest) {`
`607`	`611`	`return true;`
`608`	`612`	`}`
`609`	`613`
`610`	`614`	`if ($this->env->hasExtension('\Twig\Extension\SandboxExtension')) {`
`611`		`- $this->env->getExtension('\Twig\Extension\SandboxExtension')->checkPropertyAllowed($object, $item);`
	`615`	`+ try {`
	`616`	`+ $this->env->getExtension('\Twig\Extension\SandboxExtension')->checkPropertyAllowed($object, $item);`
	`617`	`+ } catch (SecurityError $propertySandboxException) {`
	`618`	`+ }`
`612`	`619`	`}`
`613`	`620`
`614`		`- return $object->$item;`
	`621`	`+ if (null === $propertySandboxException) {`
	`622`	`+ return $object->$item;`
	`623`	`+ }`
`615`	`624`	`}`
`616`	`625`	`}`
`617`	`626`
`@@ -678,6 +687,10 @@ protected function getAttribute($object, $item, array $arguments = [], $type = s`
`678`	`687`	`return false;`
`679`	`688`	`}`
`680`	`689`
	`690`	`+ if (null !== $propertySandboxException) {`
	`691`	`+ throw $propertySandboxException;`
	`692`	`+ }`
	`693`	`+`
`681`	`694`	`if ($ignoreStrictCheck \|\| !$this->env->isStrictVariables()) {`
`682`	`695`	`return;`
`683`	`696`	`}`
`@@ -690,7 +703,15 @@ protected function getAttribute($object, $item, array $arguments = [], $type = s`
`690`	`703`	`}`
`691`	`704`
`692`	`705`	`if ($this->env->hasExtension('\Twig\Extension\SandboxExtension')) {`
`693`		`- $this->env->getExtension('\Twig\Extension\SandboxExtension')->checkMethodAllowed($object, $method);`
	`706`	`+ try {`
	`707`	`+ $this->env->getExtension(SandboxExtension::class)->checkMethodAllowed($object, $call ? '__call' : $method);`
	`708`	`+ } catch (SecurityError $e) {`
	`709`	`+ if ($call && null !== $propertySandboxException) {`
	`710`	`+ throw $propertySandboxException;`
	`711`	`+ }`
	`712`	`+`
	`713`	`+ throw $e;`
	`714`	`+ }`
`694`	`715`	`}`
`695`	`716`
`696`	`717`	`// Some objects throw exceptions when they have __call, and the method we try`
`@@ -702,6 +723,10 @@ protected function getAttribute($object, $item, array $arguments = [], $type = s`
`702`	`723`	`$ret = \call_user_func_array([$object, $method], $arguments);`
`703`	`724`	`}`
`704`	`725`	`} catch (\BadMethodCallException $e) {`
	`726`	`+ if ($call && null !== $propertySandboxException) {`
	`727`	`+ throw $propertySandboxException;`
	`728`	`+ }`
	`729`	`+`
`705`	`730`	`if ($call && ($ignoreStrictCheck \|\| !$this->env->isStrictVariables())) {`
`706`	`731`	`return;`
`707`	`732`	`}`