New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency twig/twig to v3 [security] #490

Open

renovate wants to merge 1 commit into main from renovate/packagist-twig-twig-vulnerability

Contributor

renovate bot commented Nov 6, 2024 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
twig/twig (source)	`^1.25` -> `^3.0`

GitHub Vulnerability Alerts

CVE-2024-45411

Description

Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions.

The security issue happens when all these conditions are met:

The sandbox is disabled globally;
The sandbox is enabled via a sandboxed include() function which references a template name (like included.twig) and not a Template or TemplateWrapper instance;
The included template has been loaded before the include() call but in a non-sandbox context (possible as the sandbox has been globally disabled).

Resolution

The patch ensures that the sandbox security checks are always run at runtime.

Credits

We would like to thank Fabien Potencier for reporting and fixing the issue.

CVE-2024-51754

Description

In a sandbox, an attacker can call __toString() on an object even if the __toString() method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance).

Resolution

The sandbox mode now checks the __toString() method call on all objects.

The patch for this issue is available here for the 3.11.x branch, and here for the 3.x branch.

Credits

We would like to thank Jamie Schouten for reporting the issue and Fabien Potencier for providing the fix.

CVE-2024-51755

Description

In a sandbox, and attacker can access attributes of Array-like objects as they were not checked by the security policy.
They are now checked via the property policy and the __isset() method is now called after the security check.
This is a BC break.

Resolution

The sandbox mode now ensures access to array-like's properties is allowed.

The patch for this issue is available here for the 3.11.x branch, and here for the 3.x branch.

Credits

We would like to thank Jamie Schouten for reporting the issue and Nicolas Grekas for providing the fix.

Release Notes

twigphp/Twig (twig/twig)

`v3.11.2`

[BC BREAK] Fix a security issue in the sandbox mode allowing an attacker to call attributes on Array-like objects
They are now checked via the property policy
Fix a security issue in the sandbox mode allowing an attacker to be able to call toString()
under some circumstances on an object even if the __toString() method is not allowed by the security policy

`v3.11.1`

`v3.11.0`

Deprecate OptimizerNodeVisitor::OPTIMIZE_RAW_FILTER
Add Twig\Cache\ChainCache and Twig\Cache\ReadOnlyFilesystemCache
Add the possibility to deprecate attributes and nodes on Node
Add the possibility to add a package and a version to the deprecated tag
Add the possibility to add a package for filter/function/test deprecations
Mark ConstantExpression as being @final
Add the find filter
Fix optimizer mode validation in OptimizerNodeVisitor
Add the possibility to yield from a generator in PrintNode
Add the shuffle filter
Add the singular and plural filters in StringExtension
Deprecate the second argument of Twig\Node\Expression\CallExpression::compileArguments()
Deprecate Twig\ExpressionParser\parseHashExpression() in favor of
Twig\ExpressionParser::parseMappingExpression()
Deprecate Twig\ExpressionParser\parseArrayExpression() in favor of
Twig\ExpressionParser::parseSequenceExpression()
Add sequence and mapping tests
Deprecate Twig\Node\Expression\NameExpression::isSimple() and
Twig\Node\Expression\NameExpression::isSpecial()

`v3.10.3`

Fix missing ; in generated code

`v3.10.2`

Fix support for the deprecated escaper signature

`v3.10.1`

Fix BC break on escaper extension
Fix constant return type

`v3.10.0`

Make CoreExtension::formatDate, CoreExtension::convertDate, and
CoreExtension::formatNumber part of the public API
Add needs_charset option for filters and functions
Extract the escaping logic from the EscaperExtension class to a new
EscaperRuntime class.

The following methods from Twig\\Extension\\EscaperExtension are
deprecated: setEscaper(), getEscapers(), setSafeClasses,
addSafeClasses(). Use the same methods on the
Twig\\Runtime\\EscaperRuntime class instead.
Fix capturing output from extensions that still use echo
Fix a PHP warning in the Lexer on malformed templates
Fix blocks not available under some circumstances
Synchronize source context in templates when setting a Node on a Node

`v3.9.3`

Add missing twig_escape_filter_is_safe deprecated function
Fix yield usage with CaptureNode
Add missing unwrap call when using a TemplateWrapper instance internally
Ensure Lexer is initialized early on

`v3.9.2`

Fix usage of display_end hook

`v3.9.1`

Fix missing $blocks variable in CaptureNode

`v3.9.0`

Add support for PHP 8.4
Deprecate AbstractNodeVisitor
Deprecate passing Template to Environment::resolveTemplate(), Environment::load(), and Template::loadTemplate()
Add a new "yield" mode for output generation;
Node implementations that use "echo" or "print" should use "yield" instead;
all Node implementations should be flagged with #[YieldReady] once they've been made ready for "yield";
the "use_yield" Environment option can be turned on when all nodes have been made #[YieldReady];
"yield" will be the only strategy supported in the next major version
Add return type for Symfony 7 compatibility
Fix premature loop exit in Security Policy lookup of allowed methods/properties
Deprecate all internal extension functions in favor of methods on the extension classes
Mark all extension functions as @internal
Add SourcePolicyInterface to selectively enable the Sandbox based on a template's Source
Throw a proper Twig exception when using cycle on an empty array

`v3.8.0`

Catch errors thrown during template rendering
Fix IntlExtension::formatDateTime use of date formatter prototype
Fix premature loop exit in Security Policy lookup of allowed methods/properties
Remove NumberFormatter::TYPE_CURRENCY (deprecated in PHP 8.3)
Restore return type annotations
Allow Symfony 7 packages to be installed
Deprecate twig_test_iterable function. Use the native is_iterable instead.

`v3.7.1`

Fix some phpdocs

`v3.7.0`

Add support for the ...spread operator on arrays and hashes

`v3.6.1`

Suppress some native return type deprecation messages

`v3.6.0`

Allow psr/container 2.0
Add the new PHP 8.0 IntlDateFormatter::RELATIVE_* constants for date formatting
Make the Lexer initialize itself lazily

`v3.5.1`

Arrow functions passed to the "reduce" filter now accept the current key as a third argument
Restores the leniency of the matches twig comparison
Fix error messages in sandboxed mode for "has some" and "has every"

`v3.5.0`

Make Twig\ExpressionParser non-internal
Add "has some" and "has every" operators
Add Compile::reset()
Throw a better runtime error when the "matches" regexp is not valid
Add "twig *_names" intl functions
Fix optimizing closures callbacks
Add a better exception when getting an undefined constant via constant
Fix if nodes when outside of a block and with an empty body

`v3.4.3`

Fix a security issue on filesystem loader (possibility to load a template outside a configured directory)

`v3.4.2`

Allow inherited magic method to still run with calling class
Fix CallExpression::reflectCallable() throwing TypeError
Fix typo in naming (currency_code)

`v3.4.1`

Fix optimizing non-public named closures

`v3.4.0`

Add support for named closures

`v3.3.10`

Enable bytecode invalidation when auto_reload is enabled

`v3.3.9`

Fix custom escapers when using multiple Twig environments
Add support for "constant('class', object)"
Do not reuse internally generated variable names during parsing

`v3.3.8`

Fix a security issue when in a sandbox: the sort filter must require a Closure for the arrow parameter
Fix deprecation notice on round
Fix call to deprecated convertToHtml method

`v3.3.7`

Allow more null support when Twig expects a string (for better 8.1 support)
Only use Commonmark extensions if markdown enabled

`v3.3.6`

Only use Commonmark extensions if markdown enabled

`v3.3.5`

Allow CommonMark extensions to easily be added
Allow null when Twig expects a string (for better 8.1 support)
Make some performance optimizations
Allow Symfony translation contract v3+

`v3.3.4`

Bump minimum supported Symfony component versions
Fix a deprecated message

`v3.3.3`

Allow Symfony 6
Improve compatibility with PHP 8.1
Explicitly specify the encoding for mb_ord in JS escaper

`v3.3.2`

Revert "Throw a proper exception when a template name is an absolute path (as it has never been supported)"

`v3.3.1`

Enable bytecode invalidation when auto_reload is enabled

`v3.3.0`

Fix macro calls in a "cache" tag
Add the slug filter
Allow extra bundle to be compatible with Twig 2

`v3.2.1`

Fix extra bundle compat with older versions of Symfony

`v3.1.1`

Fix "include(template_from_string())"

`v3.1.0`

Fix sandbox support when using "include(template_from_string())"
Make round brackets optional for one argument tests like "same as" or "divisible by"
Add support for ES2015 style object initialisation shortcut { a } is the same as { 'a': a }

`v3.0.5`

Fix twig_compare w.r.t. whitespace trimming
Fix sandbox not disabled if syntax error occurs within {% sandbox %} tag
Fix a regression when not using a space before an operator
Restrict callables to closures in filters
Allow trailing commas in argument lists (in calls as well as definitions)

`v3.0.4`

Fix comparison operators
Fix options not taken into account when using "Michelf\MarkdownExtra"
Fix "Twig\Extra\Intl\IntlExtension::getCountryName()" to accept "null" as a first argument
Throw exception in case non-Traversable data is passed to "filter"
Fix context optimization on PHP 7.4
Fix PHP 8 compatibility
Fix ambiguous syntax parsing

`v3.0.3`

Add a check to ensure that iconv() is defined

`v3.0.2`

Avoid exceptions when an intl resource is not found
Fix implementation of case-insensitivity for method names

`v3.0.1`

fixed Symfony 5.0 support for the HTML extra extension

`v3.0.0`

fixed number formatter in Intl extra extension when using a formatter prototype

`v2.16.1`

`v2.16.0`

`v2.15.6`

`v2.15.5`

`v2.15.4`

`v2.15.3`

`v2.15.2`

`v2.15.1`

`v2.15.0`

`v2.14.13`

`v2.14.12`

`v2.14.11`

`v2.14.10`

`v2.14.9`

`v2.14.8`

`v2.14.7`

`v2.14.6`

`v2.14.5`

`v2.14.4`

`v2.14.3`

`v2.14.2`

`v2.14.1`

`v2.14.0`

`v2.13.1`

`v2.13.0`

`v2.12.5`

`v2.12.4`

`v2.12.3`

`v2.12.2`

`v2.12.1`

`v2.12.0`

`v2.11.3`

`v2.11.2`

`v2.11.1`

`v2.11.0`

`v2.10.0`

`v2.9.0`

`v2.8.1`

`v2.8.0`

`v2.7.4`

`v2.7.3`

`v2.7.2`

`v2.7.1`

`v2.7.0`

`v2.6.2`

`v2.6.1`

`v2.6.0`

`v2.5.0`

`v2.4.8`

`v2.4.7`

`v2.4.6`

`v2.4.5`

`v2.4.4`

`v2.4.3`

`v2.4.2`

`v2.4.1`

`v2.4.0`

`v2.3.2`

`v2.3.1`

`v2.3.0`

`v2.2.0`

`v2.1.0`

`v2.0.0`

`v1.44.8`

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


          fix(deps): update dependency twig/twig to v3 [security]

5cf9e26

Contributor Author

renovate bot commented Nov 6, 2024

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: services/backend/composer.lock

Command failed: composer update twig/twig:3.11.2 --with-dependencies --ignore-platform-reqs --no-ansi --no-interaction --no-scripts --no-autoloader --no-plugins
Package "twig/twig:3.11.2" listed for update is not installed. Ignoring.
Loading composer repositories with package information
Warning from https://repo.packagist.org: Support for Composer 1 will be shutdown on August 1st 2025. You should upgrade to Composer 2. See https://blog.packagist.com/shutting-down-packagist-org-support-for-composer-1-x/
Updating dependencies (including require-dev)
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - The requested package twig/twig (locked at v1.44.7, required as ^3.0) is satisfiable by twig/twig[v1.44.7] but these conflict with your requirements or minimum-stability.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet