Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add allowList functionality to Twig security policy #1293

Merged
merged 4 commits into from
Feb 5, 2025
Merged

Add allowList functionality to Twig security policy #1293

merged 4 commits into from
Feb 5, 2025

Conversation

LukeTowers
Copy link
Member

No description provided.

@bennothommo
Copy link
Member

bennothommo commented Jan 23, 2025
edited
Loading

@LukeTowers the docs state that people can put data to the session, as well forgetting data and flushing the entire session, as per https://wintercms.com/docs/v1.2/markup/this/session.

TBH, I'd be more included to remove this.session entirely, or replacing the App::make('session') call here with a limited proxy class that doesn't expose the Session class directly.

@LukeTowers
Copy link
Member Author

@bennothommo in that case then I'll add those methods in but leave the rest blocked. I'm not opposed to a potential proxy class but I'm not sure how much better that'll be than the allowList approach

@bennothommo
Copy link
Member

bennothommo commented Jan 23, 2025
edited
Loading

@LukeTowers I feel the Proxy class might be "cleaner", rather than having methods allowed several levels deep in a policy where it could be perhaps forgotten. Ideally I'd like a proxy class for the controller too.

@LukeTowers
Copy link
Member Author

eh, possibly; my main argument against a proxy class is what else is going to use said proxy class? If it's a proxy just for the sake of locking down that interface and is only used in that one case but requires a whole separate file & class for the functionality then I'd argue that it'd be more of a pain to maintain that vs maintaining the centralized security policy for Twig as a whole.

@bennothommo
Copy link
Member

@LukeTowers we could always use an anonymous class ;)

$this->getTwig()->addGlobal('this', [
    // ...
    'session' => new class {
        public function get($key)
        {
            // ...
        }

        public function has($key)
        {
            // ...
        }
    }
    // ...
]);

@LukeTowers LukeTowers marked this pull request as ready for review February 5, 2025 21:27
@LukeTowers LukeTowers requested a review from jaxwilko February 5, 2025 21:27
@LukeTowers LukeTowers added the maintenance PRs that fix bugs, are translation changes or make only minor changes label Feb 5, 2025
@LukeTowers LukeTowers added this to the 1.2.8 milestone Feb 5, 2025
jaxwilko
jaxwilko approved these changes Feb 5, 2025
View reviewed changes
Copy link
Member

@jaxwilko jaxwilko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@LukeTowers LukeTowers merged commit c231c40 into develop Feb 5, 2025
13 checks passed
@LukeTowers LukeTowers deleted the wip/improve-twig-security-policy branch February 5, 2025 21:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jaxwilko jaxwilko jaxwilko approved these changes

Assignees
No one assigned
Labels
maintenance PRs that fix bugs, are translation changes or make only minor changes
Projects
None yet
Milestone
1.2.8
Development

Successfully merging this pull request may close these issues.
3 participants
@LukeTowers @bennothommo @jaxwilko