From 1f6e640d96c098373110a11e858eac536e75c158 Mon Sep 17 00:00:00 2001 From: Fabien Potencier Date: Tue, 3 Apr 2012 09:03:41 +0200 Subject: [PATCH] added compilation checks to avoid misuses of the sandbox tag --- CHANGELOG | 1 + lib/Twig/NodeVisitor/Sandbox.php | 13 +++++++++++ .../Tests/Fixtures/tags/sandbox/not_valid1.test | 11 ++++++++++ .../Tests/Fixtures/tags/sandbox/not_valid2.rst | 14 ++++++++++++ test/Twig/Tests/Fixtures/tags/sandbox/simple.test | 22 ++++++++++++++++++++ test/Twig/Tests/integrationTest.php | 2 + 6 files changed, 63 insertions(+), 0 deletions(-) create mode 100644 test/Twig/Tests/Fixtures/tags/sandbox/not_valid1.test create mode 100644 test/Twig/Tests/Fixtures/tags/sandbox/not_valid2.rst create mode 100644 test/Twig/Tests/Fixtures/tags/sandbox/simple.test diff --git a/CHANGELOG b/CHANGELOG index ab6f198..6e2e2a3 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,5 +1,6 @@ * 1.6.5 (2012-XX-XX) + * added compilation checks to avoid misuses of the sandbox tag * fixed filesystem loader freshness logic for high traffic websites * 1.6.4 (2012-04-02) diff --git a/lib/Twig/NodeVisitor/Sandbox.php b/lib/Twig/NodeVisitor/Sandbox.php index 1957f8a..61ef0c6 100644 --- a/lib/Twig/NodeVisitor/Sandbox.php +++ b/lib/Twig/NodeVisitor/Sandbox.php @@ -32,6 +32,19 @@ class Twig_NodeVisitor_Sandbox implements Twig_NodeVisitorInterface */ public function enterNode(Twig_NodeInterface $node, Twig_Environment $env) { + // in a sandbox tag, only include tags are allowed + if ($node instanceof Twig_Node_Sandbox && !$node->getNode('body') instanceof Twig_Node_Include) { + foreach ($node->getNode('body') as $n) { + if ($n instanceof Twig_Node_Text && ctype_space($n->getAttribute('data'))) { + continue; + } + + if (!$n instanceof Twig_Node_Include) { + throw new Twig_Error_Syntax('Only "include" tags are allowed within a "sandbox" section', $n->getLine()); + } + } + } + if ($node instanceof Twig_Node_Module) { $this->inAModule = true; $this->tags = array(); 
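Review bot: The loop `foreach ($node->getNode('body') as $n)` walks the body's child nodes, so a sandbox section whose body is a single non-include statement is only ever judged by its children, never by itself; if the parser returns that lone statement node for a one-statement body (which the `!$node->getNode('body') instanceof Twig_Node_Include` special case suggests it does), a body of plain text such as `{% sandbox %}hello{% endsandbox %}` has no children, the loop runs zero times, and the template compiles without the error the message promises. Normalising a single node into a one-element list before the loop closes that gap; the rewrite below keeps the whitespace skip and the throw unchanged and assumes multi-statement bodies arrive as a plain `Twig_Node` container, which should be confirmed against the parser. enterNode's body continues outside the hunk.
```php
        // in a sandbox tag, only include tags are allowed
        if ($node instanceof Twig_Node_Sandbox) {
            $body = $node->getNode('body');
            // a one-statement body is that statement itself, not a container: check it directly
            $nodes = 'Twig_Node' === get_class($body) ? $body : array($body);
            foreach ($nodes as $n) {
                // … unchanged: whitespace-only text skip and the Twig_Error_Syntax throw …
            }
        }
```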
diff --git a/test/Twig/Tests/Fixtures/tags/sandbox/not_valid1.test b/test/Twig/Tests/Fixtures/tags/sandbox/not_valid1.test
new file mode 100644
index 0000000..683c59a
--- /dev/null
+++ b/test/Twig/Tests/Fixtures/tags/sandbox/not_valid1.test
@@ -0,0 +1,11 @@
+--TEST--
+sandbox tag
+--TEMPLATE--
+{%- sandbox %}
+ {%- include "foo.twig" %}
+ a
+{%- endsandbox %}
+--TEMPLATE(foo.twig)--
+foo
+--EXCEPTION--
+Twig_Error_Syntax: Only "include" tags are allowed within a "sandbox" section in "index.twig" at line 4
diff --git a/test/Twig/Tests/Fixtures/tags/sandbox/not_valid2.rst b/test/Twig/Tests/Fixtures/tags/sandbox/not_valid2.rst
new file mode 100644
index 0000000..3dcfa88
--- /dev/null
+++ b/test/Twig/Tests/Fixtures/tags/sandbox/not_valid2.rst
@@ -0,0 +1,14 @@
+--TEST--
+sandbox tag
+--TEMPLATE--
+{%- sandbox %}
+ {%- include "foo.twig" %}
+
+ {% if 1 %}
+ {%- include "foo.twig" %}
+ {% endif %}
+{%- endsandbox %}
+--TEMPLATE(foo.twig)--
+foo
+--EXCEPTION--
+Twig_Error_Syntax: Only "include" tags are allowed within a "sandbox" section in "index.twig" at line 5
diff --git a/test/Twig/Tests/Fixtures/tags/sandbox/simple.test b/test/Twig/Tests/Fixtures/tags/sandbox/simple.test
new file mode 100644
index 0000000..de20f3d
--- /dev/null
+++ b/test/Twig/Tests/Fixtures/tags/sandbox/simple.test
@@ -0,0 +1,22 @@
+--TEST--
+sandbox tag
+--TEMPLATE--
+{%- sandbox %}
+ {%- include "foo.twig" %}
+{%- endsandbox %}
+
+{%- sandbox %}
+ {%- include "foo.twig" %}
+ {%- include "foo.twig" %}
+{%- endsandbox %}
+
+{%- sandbox %}{% include "foo.twig" %}{% endsandbox %}
+--TEMPLATE(foo.twig)--
+foo
+--DATA--
+return array()
+--EXPECT--
+foo
+foo
+foo
+foo
diff --git a/test/Twig/Tests/integrationTest.php b/test/Twig/Tests/integrationTest.php
index 5a34418..cb60a82 100644
--- a/test/Twig/Tests/integrationTest.php
+++ b/test/Twig/Tests/integrationTest.php
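Review bot: The fixture `test/Twig/Tests/Fixtures/tags/sandbox/not_valid2.rst` carries a `.rst` extension while its siblings `not_valid1.test` and `simple.test` use `.test`; if the integration runner collects fixtures by the `.test` suffix, this nested-`if` case is never executed and its `at line 5` expectation goes unverified. Renaming it to `not_valid2.test` would bring it in line with the other two fixtures and make the nested-tag rejection part of the suite that actually runs.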
@@ -68,6 +68,8 @@ class Twig_Tests_IntegrationTest extends PHPUnit_Framework_TestCase $twig = new Twig_Environment($loader, $config); $twig->addExtension(new TestExtension()); $twig->addExtension(new Twig_Extension_Debug()); + $policy = new Twig_Sandbox_SecurityPolicy(array(), array(), array(), array(), array()); + $twig->addExtension(new Twig_Extension_Sandbox($policy, false)); try { $template = $twig->loadTemplate('index.twig'); -- 1.7.2.5
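Review bot: The added `new Twig_Sandbox_SecurityPolicy(array(), array(), array(), array(), array())` gives no hint of what each of the five empty arrays whitelists, and the bare `false` passed to `Twig_Extension_Sandbox` on the next line is equally opaque; a comment such as `// no tags, filters, methods, properties or functions are whitelisted; false = sandbox only inside {% sandbox %} blocks` would tell the next reader why sandboxed includes in the fixtures must stay free of those constructs. Since the extension is now registered for every integration fixture, any fixture that does use one of them inside a sandbox block will presumably fail with a security error rather than the syntax error these tests expect, which is worth stating next to the policy. The enclosing test method starts and ends outside the hunk.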