better SSTI in |map and |filter

rhukster · rhukster · commit 8c2c1cb72611 · 2023-06-13T17:45:40.000-06:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,8 +3,10 @@
 
 1. [](#new)
    * Added a new `system.languages.debug` option that adds a `<span class="translate-debug"></span>` around strings translated with `|t`. This can be styled by the theme as needed.
+1. [](#improved)
+   * More robust SSTI handling in `|filter` and `|map`
 1. [](#bugfix)
-   * * Fixed Twig `|map()` allowing code execution
+   * Fixed Twig `|map()` allowing code execution
 
 # v1.7.41.2
 ## 06/01/2023
diff --git a/system/src/Grav/Common/Twig/Extension/GravExtension.php b/system/src/Grav/Common/Twig/Extension/GravExtension.php
@@ -1708,7 +1708,7 @@ public function ofTypeFunc($var, $typeTest = null, $className = null)
      */
     function filterFilter(Environment $env, $array, $arrow)
     {
-        if (is_string($arrow) && Utils::isDangerousFunction($arrow)) {
+        if (!$arrow instanceof \Closure && !is_string($arrow) || Utils::isDangerousFunction($arrow)) {
             throw new RuntimeError('Twig |filter("' . $arrow . '") is not allowed.');
         }
 
@@ -1724,7 +1724,7 @@ function filterFilter(Environment $env, $array, $arrow)
      */
     function mapFilter(Environment $env, $array, $arrow)
     {
-        if (is_string($arrow) && Utils::isDangerousFunction($arrow)) {
+        if (!$arrow instanceof \Closure && !is_string($arrow) || Utils::isDangerousFunction($arrow)) {
             throw new RuntimeError('Twig |map("' . $arrow . '") is not allowed.');
         }
 
diff --git a/system/src/Grav/Common/Utils.php b/system/src/Grav/Common/Utils.php
@@ -1950,10 +1950,10 @@ public static function getSupportPageTypes(array $defaults = null)
     }
 
     /**
-     * @param string $name
+     * @param string|array $name
      * @return bool
      */
-    public static function isDangerousFunction(string $name): bool
+    public static function isDangerousFunction($name): bool
     {
         static $commandExecutionFunctions = [
             'exec',
@@ -2050,6 +2050,10 @@ public static function isDangerousFunction(string $name): bool
             'posix_setuid',
         ];
 
+        if (is_array($name) || strpos($name, ":") !== false) {
+            return false;
+        }
+
         if (in_array($name, $commandExecutionFunctions)) {
             return true;
         }

Original file line number	Diff line number	Diff line change
`@@ -1708,7 +1708,7 @@ public function ofTypeFunc($var, $typeTest = null, $className = null)`
`1708`	`1708`	`*/`
`1709`	`1709`	`function filterFilter(Environment $env, $array, $arrow)`
`1710`	`1710`	`{`
`1711`		`- if (is_string($arrow) && Utils::isDangerousFunction($arrow)) {`
	`1711`	`+ if (!$arrow instanceof \Closure && !is_string($arrow) \|\| Utils::isDangerousFunction($arrow)) {`
`1712`	`1712`	`throw new RuntimeError('Twig \|filter("' . $arrow . '") is not allowed.');`
`1713`	`1713`	`}`
`1714`	`1714`
`@@ -1724,7 +1724,7 @@ function filterFilter(Environment $env, $array, $arrow)`
`1724`	`1724`	`*/`
`1725`	`1725`	`function mapFilter(Environment $env, $array, $arrow)`
`1726`	`1726`	`{`
`1727`		`- if (is_string($arrow) && Utils::isDangerousFunction($arrow)) {`
	`1727`	`+ if (!$arrow instanceof \Closure && !is_string($arrow) \|\| Utils::isDangerousFunction($arrow)) {`
`1728`	`1728`	`throw new RuntimeError('Twig \|map("' . $arrow . '") is not allowed.');`
`1729`	`1729`	`}`
`1730`	`1730`