There is Twig-extension Twig_Extension_Sandbox which can be used to evaluate untrusted code and where access to unsafe attributes and methods is prohibited. This bundle allows to configure security policy for sandbox.
TwigSandboxBundle requires Symfony 2.1 or higher.
Require the bundle in your composer.json file:
{
"require": {
"intaro/twig-sandbox-bundle": "~0.1.0",
}
}Register the bundle in AppKernel:
// app/AppKernel.php
public function registerBundles()
{
$bundles = array(
//...
new Intaro\TwigSandboxBundle\IntaroTwigSandboxBundle(),
);
//...
}Install the bundle:
$ composer update intaro/twig-sandbox-bundle
Define allowed properties and methods for your entities using annotation @Sandbox.
Optionally you can add type option for annotation.
This option defines type of value that property stores or method returns.
In your application you can use annotation reader to extract value of type option and use this value
to perform additional checks or any other actions, for example, use twig filters according to value of the option.
<?php
// Acme/DemoBundle/Entity/Product.php
namespace Acme\DemoBundle\Entity;
use Doctrine\ORM\Mapping as ORM;
use Intaro\TwigSandboxBundle\Annotation\Sandbox;
/**
* @ORM\Table()
* @ORM\Entity
*/
class Product
{
/**
* @var integer
*
* @ORM\Column(name="id", type="integer")
* @ORM\Id
* @ORM\GeneratedValue(strategy="AUTO")
*/
private $id;
/**
* @var string $name
*
* @Sandbox(type="string")
* @ORM\Column(name="name", type="string", length=255)
*/
private $name;
/**
* @var integer $quantity
*
* @ORM\Column(name="quantity", type="integer", nullable=true)
*/
private $quantity;
/**
* Get id
*
* @Sandbox(type="int")
* @return integer
*/
public function getId()
{
return $this->id;
}
/**
* Set name
*
* @param string $name
* @return Product
*/
public function setName($name)
{
$this->name = $name;
return $this;
}
/**
* Get name
*
* @Sandbox
* @return string
*/
public function getName()
{
return $this->name;
}
/**
* Set quantity
*
* @param boolean $quantity
* @return Product
*/
public function setQuantity($quantity)
{
$this->quantity = $quantity;
return $this;
}
/**
* Get quantity
*
* @return int
*/
public function getQuantity()
{
return $this->quantity;
}
}And use sandbox environment.
use Acme\DemoBundle\Entity\Product;
$twig = $this->get('intaro.twig_sandbox.builder')->getSandboxEnvironment();
$product = new Product();
$product->setName('Product 1');
$product->setQuantity(5);
//success render
$html1 = $twig->render(
'Product {{ product.name }}',
array(
'product' => $product,
)
);
//render with exception
$html2 = $twig->render(
'Product {{ product.name }} in the quantity {{ product.quantity }}',
array(
'product' => $product,
)
);You can validate entity fields which contain twig templates with TwigSandbox validator.
//in Entity/Page.php
use Intaro\TwigSandboxBundle\Validator\Constraints\TwigSandbox;
class Page
{
//...
public static function loadValidatorMetadata(ClassMetadata $metadata)
{
$metadata->addPropertyConstraint('template', new TwigSandbox());
}
//...
}You can define allowed methods and properties of entities with annotation Intaro\TwigSandboxBundle\Annotation\Sandbox. Example above.
Default list of the allowed tags:
- 'autoescape'
- 'filter'
- 'do'
- 'flush'
- 'for'
- 'set'
- 'verbatium'
- 'if'
- 'spaceless'You can override list in the parameter intaro.twig_sandbox.policy_tags:
# app/config/config.yml
parameters:
intaro.twig_sandbox.policy_tags:
- 'do'
- 'for'
- 'if'
- 'spaceless'Default list of the allowed filters:
- 'abs'
- 'batch'
- 'capitalize'
- 'convert_encoding'
- 'date'
- 'date_modify'
- 'default'
- 'escape'
- 'first'
- 'format'
- 'join'
- 'json_encode'
- 'keys'
- 'last'
- 'length'
- 'lower'
- 'merge'
- 'nl2br'
- 'number_format'
- 'raw'
- 'replace'
- 'reverse'
- 'slice'
- 'sort'
- 'split'
- 'striptags'
- 'title'
- 'trim'
- 'upper'
- 'url_encode'You can override list in the parameter intaro.twig_sandbox.policy_filters:
# app/config/config.yml
parameters:
intaro.twig_sandbox.policy_filters:
- 'sort'
- 'upper'
- 'sort'Default list of the allowed functions:
- 'attribute'
- 'constant'
- 'cycle'
- 'date'
- 'random'
- 'range'You can override list in parameter intaro.twig_sandbox.policy_functions:
# app/config/config.yml
parameters:
intaro.twig_sandbox.policy_functions:
- 'date'
- 'range'Default list of allowed return types:
- 'bool'
- 'collection'
- 'date'
- 'float'
- 'int'
- 'object'
- 'string'You can override list in parameter intaro.twig_sandbox.sandbox_annotation.value_types:
# app/config/config.yml
parameters:
intaro.twig_sandbox.sandbox_annotation.value_types:
- 'string'
- 'date'
- 'collection'
- 'stdClass'You can set twig environment parameters:
$twig = $this->get('intaro.twig_sandbox.builder')->getSandboxEnvironment(array(
'strict_variables' => true
));Also you might want to add extensions to your twig environment. Example how to add:
// Acme/DemoBundle/AcmeDemoBundle.php
<?php
namespace Acme\DemoBundle;
use Symfony\Component\HttpKernel\Bundle\Bundle;
use Symfony\Component\DependencyInjection\ContainerBuilder;
use Acme\DemoBundle\DependencyInjection\Compiler\TwigSandboxPass;
class AcmeDemoBundle extends Bundle
{
public function build(ContainerBuilder $container)
{
parent::build($container);
$container->addCompilerPass(new TwigSandboxPass());
}
}// Acme/DemoBundle/DependencyInjection/Compiler/TwigSandboxPass.php
<?php
namespace Acme\DemoBundle\DependencyInjection\Compiler;
use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
use Symfony\Component\DependencyInjection\ContainerBuilder;
use Symfony\Component\DependencyInjection\Reference;
class TwigSandboxPass implements CompilerPassInterface
{
public function process(ContainerBuilder $container)
{
if (!$container->hasDefinition('intaro.twig_sandbox.builder')) {
return;
}
$sandbox = $container->getDefinition('intaro.twig_sandbox.builder');
$sandbox->addMethodCall('addExtension', array(new Reference('acme_demo.twig_extension')));
}
}