Merge commit from fork

bennothommo · web-flow · commit fb88e6fabde3 · 2024-10-16T13:31:35.000+08:00
* Harden theme objects, prevent certain properties from being passed through to ThemeData object

* Improve and properly scope Twig security policy

- Deny access to "include" and "extends" tags/functions, as per Markup docs
- Block methods that write, delete or modify records and attributes in Database/Eloquent and Halcyon models
- Block access to theme datasource
- Prevent extensions from being created or directly interacted with (models and properties provided to extended objects should still be OK)

* Minor

* Make theme magic method calls case insensitive

* Allow include and extends tags/functions

* Add additional blocked methods

* Add test cases
diff --git a/modules/cms/classes/Theme.php b/modules/cms/classes/Theme.php
@@ -1,22 +1,25 @@
-<?php namespace Cms\Classes;
+<?php
+
+namespace Cms\Classes;
 
-use App;
-use ApplicationException;
-use Cache;
 use Cms\Models\ThemeData;
-use Config;
 use DirectoryIterator;
-use Event;
 use Exception;
-use File;
-use Lang;
+use Illuminate\Support\Facades\App;
+use Illuminate\Support\Facades\Cache;
+use Illuminate\Support\Facades\Lang;
 use System\Models\Parameter;
-use SystemException;
-use Url;
+use Winter\Storm\Exception\ApplicationException;
+use Winter\Storm\Exception\SystemException;
 use Winter\Storm\Halcyon\Datasource\DatasourceInterface;
 use Winter\Storm\Halcyon\Datasource\DbDatasource;
 use Winter\Storm\Halcyon\Datasource\FileDatasource;
-use Yaml;
+use Winter\Storm\Support\Facades\Config;
+use Winter\Storm\Support\Facades\Event;
+use Winter\Storm\Support\Facades\File;
+use Winter\Storm\Support\Facades\Url;
+use Winter\Storm\Support\Facades\Yaml;
+use Winter\Storm\Support\Str;
 
 /**
  * This class represents the CMS theme.
@@ -682,6 +685,11 @@ public function getDatasource(): DatasourceInterface
      */
     public function __get($name)
     {
+        if (in_array(strtolower($name), ['id', 'path', 'dirname', 'config', 'formconfig', 'previewimageurl'])) {
+            $method = 'get'. ucfirst($name);
+            return $this->$method();
+        }
+
         if ($this->hasCustomData()) {
             return $this->getCustomData()->{$name};
         }
@@ -694,6 +702,10 @@ public function __get($name)
      */
     public function __isset($key)
     {
+        if (in_array(strtolower($key), ['id', 'path', 'dirname', 'config', 'formconfig', 'previewimageurl'])) {
+            return true;
+        }
+
         if ($this->hasCustomData()) {
             $theme = $this->getCustomData();
             return $theme->offsetExists($key);
diff --git a/modules/cms/models/ThemeData.php b/modules/cms/models/ThemeData.php
@@ -1,11 +1,13 @@
-<?php namespace Cms\Models;
+<?php
+
+namespace Cms\Models;
 
-use Lang;
-use Model;
 use Cms\Classes\Theme as CmsTheme;
-use System\Classes\CombineAssets;
 use Exception;
+use Illuminate\Support\Facades\Lang;
+use System\Classes\CombineAssets;
 use System\Models\File;
+use Winter\Storm\Database\Model;
 
 /**
  * Customization data used by a theme
diff --git a/modules/system/tests/twig/SecurityPolicyTest.php b/modules/system/tests/twig/SecurityPolicyTest.php
@@ -0,0 +1,269 @@
+<?php
+
+namespace System\Tests\Twig;
+
+use Cms\Classes\Controller;
+use Cms\Classes\Page;
+use Cms\Classes\Theme;
+use System\Tests\Bootstrap\TestCase;
+use Twig\Environment;
+use Winter\Storm\Filesystem\Filesystem;
+use Winter\Storm\Halcyon\Datasource\FileDatasource;
+
+class SecurityPolicyTest extends TestCase
+{
+    protected Environment $twig;
+
+    public function testCannotGetTwigInstanceFromCmsController()
+    {
+        $this->expectException(\Twig\Sandbox\SecurityNotAllowedMethodError::class);
+
+        $this->renderTwigInCmsController('
+            {% set twig = this.controller.getTwig() %}
+            {{ this.controller.getTwig() }}
+        ');
+    }
+
+    public function testCannotGetTwigLoaderFromCmsController()
+    {
+        $this->expectException(\Twig\Sandbox\SecurityNotAllowedMethodError::class);
+
+        $this->renderTwigInCmsController('
+            {% set loader = this.controller.getLoader() %}
+            {{ loader.load(\'/\') }}
+        ');
+    }
+
+    public function testCannotRunAPageObjectFromWithinTwig()
+    {
+        $this->expectException(\Twig\Sandbox\SecurityNotAllowedMethodError::class);
+
+        $this->renderTwigInCmsController('
+            {{ this.controller.runPage() }}
+        ');
+    }
+
+    public function testCannotExtendAPageWithADynamicMethod()
+    {
+        $this->expectException(\Twig\Sandbox\SecurityNotAllowedMethodError::class);
+
+        $this->renderTwigInCmsController('
+            {% set page = this.page.addDynamicMethod("test") %}
+        ');
+    }
+
+    public function testCannotExtendAPageWithADynamicProperty()
+    {
+        $this->expectException(\Twig\Sandbox\SecurityNotAllowedMethodError::class);
+
+        $this->renderTwigInCmsController('
+            {% set page = this.page.addDynamicProperty("test", "value") %}
+        ');
+    }
+
+    public function testCannotWriteToAModel()
+    {
+        $this->expectException(\Twig\Sandbox\SecurityNotAllowedMethodError::class);
+
+        $this->renderTwigInCmsController('
+            {% set modelTest = model.setAttribute("test", "value") %}
+        ', [
+            'model' => new \Winter\Storm\Database\Model(),
+        ]);
+    }
+
+    public function testCanReadFromAModel()
+    {
+        $model = new \Winter\Storm\Database\Model();
+        $model->test = 'value';
+
+        $result = trim($this->renderTwigInCmsController('
+            {% set modelTest = model.getAttribute("test") %}
+            {{- modelTest -}}
+        ', [
+            'model' => $model,
+        ]));
+        $this->assertEquals('value', $result);
+    }
+
+    public function testCannotFillAModel()
+    {
+        $this->expectException(\Twig\Sandbox\SecurityNotAllowedMethodError::class);
+
+        try {
+            $model = new \Winter\Storm\Database\Model();
+            $model->addFillable('test');
+            $model->test = 'value';
+
+            $this->renderTwigInCmsController('
+                {% set modelTest = model.fill({ test: \'value2\' }) %}
+            ', [
+                'model' => new \Winter\Storm\Database\Model(),
+            ]);
+        } catch (\Twig\Sandbox\SecurityNotAllowedMethodError $e) {
+            // Ensure value hasn't changed
+            $this->assertEquals('value', $model->test);
+            throw $e;
+        }
+    }
+
+    public function testCannotSaveAModel()
+    {
+        $this->expectException(\Twig\Sandbox\SecurityNotAllowedMethodError::class);
+
+        $this->renderTwigInCmsController('
+            {% set modelTest = model.save() %}
+        ', [
+            'model' => new \Winter\Storm\Database\Model(),
+        ]);
+    }
+
+    public function testCannotPushAModel()
+    {
+        $this->expectException(\Twig\Sandbox\SecurityNotAllowedMethodError::class);
+
+        $this->renderTwigInCmsController('
+            {% set modelTest = model.push() %}
+        ', [
+            'model' => new \Winter\Storm\Database\Model(),
+        ]);
+    }
+
+    public function testCannotUpdateAModel()
+    {
+        $this->expectException(\Twig\Sandbox\SecurityNotAllowedMethodError::class);
+
+        $model = new \Winter\Storm\Database\Model();
+        $model->addFillable('test');
+        $model->test = 'value';
+
+        $this->renderTwigInCmsController('
+            {% set modelTest = model.update({ test: \'value2\' }) %}
+        ', [
+            'model' => $model,
+        ]);
+    }
+
+    public function testCannotDeleteAModel()
+    {
+        $this->expectException(\Twig\Sandbox\SecurityNotAllowedMethodError::class);
+
+        $this->renderTwigInCmsController('
+            {% set modelTest = model.delete() %}
+        ', [
+            'model' => new \Winter\Storm\Database\Model(),
+        ]);
+    }
+
+    public function testCannotForceDeleteAModel()
+    {
+        $this->expectException(\Twig\Sandbox\SecurityNotAllowedMethodError::class);
+
+        $this->renderTwigInCmsController('
+            {% set modelTest = model.forceDelete() %}
+        ', [
+            'model' => new \Winter\Storm\Database\Model(),
+        ]);
+    }
+
+    public function testCannotExtendAModelWithABehaviour()
+    {
+        $this->expectException(\Twig\Sandbox\SecurityNotAllowedMethodError::class);
+
+        $this->renderTwigInCmsController('
+            {% set model = model.extendClassWith("Winter\Storm\Database\Behaviors\Encryptable") %}
+        ', [
+            'model' => new \Winter\Storm\Database\Model(),
+        ]);
+    }
+
+    public function testExtendingModelBeforePassingIntoTwigShouldStillWork()
+    {
+        $model = new \Winter\Storm\Database\Model();
+        $model->addDynamicMethod('foo', function () {
+            return 'foo';
+        });
+
+        $result = trim($this->renderTwigInCmsController('
+            {{- model.foo() -}}
+        ', [
+            'model' => $model,
+        ]));
+        $this->assertEquals('foo', $result);
+    }
+
+    public function testCannotGetDatasourceFromTheme()
+    {
+        $this->expectException(\Twig\Sandbox\SecurityNotAllowedMethodError::class);
+
+        $this->renderTwigInCmsController('
+            {% set datasource = this.theme.getDatasource() %}
+        ');
+    }
+
+    // Even if someone decides to be clever and make the datasource available, you shouldn't be able to insert/delete/update
+    public function testCannotDeleteInDatasource()
+    {
+        $this->expectException(\Twig\Sandbox\SecurityNotAllowedMethodError::class);
+
+        $this->renderTwigInCmsController('
+            {% set datasource = datasource.delete() %}
+        ', [
+            'datasource' => new FileDatasource(
+                base_path('modules/system/tests/fixtures/themes/test'),
+                new Filesystem()
+            ),
+        ]);
+    }
+
+    public function testCannotInsertInDatasource()
+    {
+        $this->expectException(\Twig\Sandbox\SecurityNotAllowedMethodError::class);
+
+        $this->renderTwigInCmsController('
+            {% set datasource = datasource.insert() %}
+        ', [
+            'datasource' => new FileDatasource(
+                base_path('modules/system/tests/fixtures/themes/test'),
+                new Filesystem()
+            ),
+        ]);
+    }
+
+    public function testCannotUpdateInDatasource()
+    {
+        $this->expectException(\Twig\Sandbox\SecurityNotAllowedMethodError::class);
+
+        $this->renderTwigInCmsController('
+            {% set datasource = datasource.update() %}
+        ', [
+            'datasource' => new FileDatasource(
+                base_path('modules/system/tests/fixtures/themes/test'),
+                new Filesystem()
+            ),
+        ]);
+    }
+
+    public function testCannotChangeThemeDirectory()
+    {
+        $this->expectException(\Twig\Sandbox\SecurityNotAllowedMethodError::class);
+
+        $this->renderTwigInCmsController('
+            {% set theme = this.theme.setDirName("test") %}
+        ');
+    }
+
+    protected function renderTwigInCmsController(string $source, array $vars = [])
+    {
+        $controller = new Controller();
+        $twig = $controller->getTwig();
+        $template = $twig->createTemplate($source, 'test.case');
+        return $twig->render($template, [
+            'this' => [
+                'controller' => $controller,
+                'page' => new Page(),
+                'theme' => new Theme()
+            ],
+        ] + $vars);
+    }
+}
diff --git a/modules/system/twig/SecurityPolicy.php b/modules/system/twig/SecurityPolicy.php
