fixed .. (range operator) in sandbox policy

Teneff · Mar 4, 2018 · 6f45fcf · 6f45fcf
1 parent caf2caa
commit 6f45fcf
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 1 deletion.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,6 +1,6 @@
 * 1.35.2 (2018-XX-XX)
 
- * n/a
+ * fixed .. (range operator) in sandbox policy
 
 * 1.35.1 (2018-03-02)
 

diff --git a/lib/Twig/NodeVisitor/Sandbox.php b/lib/Twig/NodeVisitor/Sandbox.php
@@ -48,6 +48,11 @@ protected function doEnterNode(Twig_Node $node, Twig_Environment $env)
                 $this->functions[$node->getAttribute('name')] = $node;
             }
 
+            // the .. operator is equivalent to the range() function
+            if ($node instanceof Twig_Node_Expression_Binary_Range && !isset($this->functions['range'])) {
+                $this->functions['range'] = $node;
+            }
+
             // wrap print to check __toString() calls
             if ($node instanceof Twig_Node_Print) {
                 return new Twig_Node_SandboxedPrint($node->getNode('expr'), $node->getTemplateLine(), $node->getNodeTag());

diff --git a/test/Twig/Tests/Extension/SandboxTest.php b/test/Twig/Tests/Extension/SandboxTest.php
@@ -36,6 +36,7 @@ protected function setUp()
             '1_layout' => '{% block content %}{% endblock %}',
             '1_child' => "{% extends \"1_layout\" %}\n{% block content %}\n{{ \"a\"|json_encode }}\n{% endblock %}",
             '1_include' => '{{ include("1_basic1", sandboxed=true) }}',
+            '1_range_operator' => '{{ (1..2)[0] }}',
         );
     }
 
@@ -143,6 +144,18 @@ public function testSandboxUnallowedFunction()
         }
     }
 
+    public function testSandboxUnallowedRangeOperator()
+    {
+        $twig = $this->getEnvironment(true, array(), self::$templates);
+        try {
+            $twig->loadTemplate('1_range_operator')->render(self::$params);
+            $this->fail('Sandbox throws a SecurityError exception if the unallowed range operator is called');
+        } catch (Twig_Sandbox_SecurityError $e) {
+            $this->assertInstanceOf('Twig_Sandbox_SecurityNotAllowedFunctionError', $e, 'Exception should be an instance of Twig_Sandbox_SecurityNotAllowedFunctionError');
+            $this->assertEquals('range', $e->getFunctionName(), 'Exception should be raised on the "range" function');
+        }
+    }
+
     public function testSandboxAllowMethodFoo()
     {
         $twig = $this->getEnvironment(true, array(), self::$templates, array(), array(), array('FooObject' => 'foo'));
@@ -191,6 +204,12 @@ public function testSandboxAllowFunction()
         $this->assertEquals('bar', $twig->loadTemplate('1_basic7')->render(self::$params), 'Sandbox allow some functions');
     }
 
+    public function testSandboxAllowRangeOperator()
+    {
+        $twig = $this->getEnvironment(true, array(), self::$templates, array(), array(), array(), array(), array('range'));
+        $this->assertEquals('1', $twig->loadTemplate('1_range_operator')->render(self::$params), 'Sandbox allow the range operator');
+    }
+
     public function testSandboxAllowFunctionsCaseInsensitive()
     {
         foreach (array('getfoobar', 'getFoobar', 'getFooBar') as $name) {