Issue #3473195 by longwave, catch, jurgenhaas, naveenvalecha, quietone: twig/twig has a possible sandbox bypass <v3.14.0

composer.lock

@@ -495,7 +495,7 @@
             "dist": {
                 "type": "path",
                 "url": "core",
-                "reference": "cc2af7de02a19bfde449293a84468f5fb1e33cea"
+                "reference": "ae9843a9e8be2b8dcd5e1e89bdb0b5ae985187ee"
             },
             "require": {
                 "asm89/stack-cors": "^2.1",
@@ -540,7 +540,7 @@
                 "symfony/serializer": "^6.4",
                 "symfony/validator": "^6.4",
                 "symfony/yaml": "^6.4",
-                "twig/twig": "^3.5.0"
+                "twig/twig": "^3.14.0"
             },
             "conflict": {
                 "drush/drush": "<12.4.3"
@@ -4369,30 +4369,37 @@
         },
         {
             "name": "twig/twig",
-            "version": "v3.8.0",
+            "version": "v3.14.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/twigphp/Twig.git",
-                "reference": "9d15f0ac07f44dc4217883ec6ae02fd555c6f71d"
+                "reference": "126b2c97818dbff0cdf3fbfc881aedb3d40aae72"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/twigphp/Twig/zipball/9d15f0ac07f44dc4217883ec6ae02fd555c6f71d",
-                "reference": "9d15f0ac07f44dc4217883ec6ae02fd555c6f71d",
+                "url": "https://api.github.com/repos/twigphp/Twig/zipball/126b2c97818dbff0cdf3fbfc881aedb3d40aae72",
+                "reference": "126b2c97818dbff0cdf3fbfc881aedb3d40aae72",
                 "shasum": ""
             },
             "require": {
-                "php": ">=7.2.5",
+                "php": ">=8.0.2",
+                "symfony/deprecation-contracts": "^2.5|^3",
                 "symfony/polyfill-ctype": "^1.8",
                 "symfony/polyfill-mbstring": "^1.3",
-                "symfony/polyfill-php80": "^1.22"
+                "symfony/polyfill-php81": "^1.29"
             },
             "require-dev": {
                 "psr/container": "^1.0|^2.0",
-                "symfony/phpunit-bridge": "^5.4.9|^6.3|^7.0"
+                "symfony/phpunit-bridge": "^5.4.9|^6.4|^7.0"
             },
             "type": "library",
             "autoload": {
+                "files": [
+                    "src/Resources/core.php",
+                    "src/Resources/debug.php",
+                    "src/Resources/escaper.php",
+                    "src/Resources/string_loader.php"
+                ],
                 "psr-4": {
                     "Twig\\": "src/"
                 }
@@ -4425,7 +4432,7 @@
             ],
             "support": {
                 "issues": "https://github.com/twigphp/Twig/issues",
-                "source": "https://github.com/twigphp/Twig/tree/v3.8.0"
+                "source": "https://github.com/twigphp/Twig/tree/v3.14.0"
             },
             "funding": [
                 {
@@ -4437,7 +4444,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2023-11-21T18:54:41+00:00"
+            "time": "2024-09-09T17:55:12+00:00"
         }
     ],
     "packages-dev": [

composer/Metapackage/CoreRecommended/composer.json

@@ -61,6 +61,6 @@
         "symfony/var-dumper": "~v6.4.0",
         "symfony/var-exporter": "~v6.4.1",
         "symfony/yaml": "~v6.4.0",
-        "twig/twig": "~v3.8.0"
+        "twig/twig": "~v3.14.0"
     }
 }

core/.deprecation-ignore.txt

@@ -55,3 +55,19 @@
 %The ".*" class uses "Symfony\\Component\\DependencyInjection\\ContainerAwareTrait" that is deprecated since Symfony 6.4, use dependency injection instead.%
 %The ".*" class implements "Symfony\\Component\\DependencyInjection\\ContainerAwareInterface" that is deprecated since Symfony 6.4, use dependency injection instead.%
 %The ".*" interface extends "Symfony\\Component\\DependencyInjection\\ContainerAwareInterface" that is deprecated since Symfony 6.4, use dependency injection instead.%
+
+# Twig 3.
+%The ".*" class extends "Twig\\NodeVisitor\\AbstractNodeVisitor" that is deprecated since 3.9%
+%Since twig/twig 3.9: Twig node "Drupal\\Core\\Template\\TwigNodeTrans" is not marked as ready for using "yield" instead of "echo"; please make it ready and then flag it with the #\[YieldReady\] attribute.%
+%Since twig/twig 3.9: Twig node "Drupal\\sdc_other_node_visitor\\.*" is not marked as ready for using "yield" instead of "echo"; please make it ready and then flag it with the #\[YieldReady\] attribute.%
+%Since twig/twig 3.9: Using "echo" is deprecated, use "yield" instead in "Drupal\\Core\\Template\\TwigNodeTrans", then flag the class with #\[YieldReady\].%
+%Since twig/twig 3.11: Changing the value of a "filter" node in a NodeVisitor class is not supported anymore.%
+%Since twig/twig 3.12: Not passing an instance of "TwigFunction" when creating a "attach_library" function of type "Twig\\Node\\Expression\\FunctionExpression" is deprecated.%
+%Since twig/twig 3.12: Not passing an instance of "TwigFunction" when creating a "sdc_additional_context" function of type "Twig\\Node\\Expression\\FunctionExpression" is deprecated.%
+%Since twig/twig 3.12: Not passing an instance of "TwigFunction" when creating a "render_var" function of type "Twig\\Node\\Expression\\FunctionExpression" is deprecated.%
+%Since twig/twig 3.12: Not passing an instance of "TwigFunction" when creating a "sdc_validate_props" function of type "Twig\\Node\\Expression\\FunctionExpression" is deprecated.%
+%Since twig/twig 3.12: Getting node "filter" on a "Twig\\Node\\Expression\\FilterExpression" class is deprecated.%
+%Since twig/twig 3.12: Getting node "filter" on a "Twig\\Node\\Expression\\Filter\\DefaultFilter" class is deprecated.%
+%Since twig/twig 3.12: Getting node "filter" on a "Twig\\Node\\Expression\\Filter\\RawFilter" class is deprecated.%
+%Since twig/twig 3.12: The "tag" constructor argument of the "Drupal\\Core\\Template\\TwigNodeTrans" class is deprecated and ignored%
+%Since twig/twig 3.12: Twig Filter "spaceless" is deprecated%

core/.phpstan-baseline.php

@@ -913,6 +913,18 @@ $ignoreErrors[] = [
 	'count' => 1,
 	'path' => __DIR__ . '/lib/Drupal/Core/Template/TwigEnvironment.php',
 ];
+$ignoreErrors[] = [
+	'message' => '#^Class Drupal\\\\Core\\\\Template\\\\TwigNodeVisitor extends deprecated class Twig\\\\NodeVisitor\\\\AbstractNodeVisitor\\:
+since 3\\.9 \\(to be removed in 4\\.0\\)$#',
+	'count' => 1,
+	'path' => __DIR__ . '/lib/Drupal/Core/Template/TwigNodeVisitor.php',
+];
+$ignoreErrors[] = [
+	'message' => '#^Class Drupal\\\\Core\\\\Template\\\\TwigNodeVisitorCheckDeprecations extends deprecated class Twig\\\\NodeVisitor\\\\AbstractNodeVisitor\\:
+since 3\\.9 \\(to be removed in 4\\.0\\)$#',
+	'count' => 1,
+	'path' => __DIR__ . '/lib/Drupal/Core/Template/TwigNodeVisitorCheckDeprecations.php',
+];
 $ignoreErrors[] = [
 	'message' => '#^Call to deprecated constant REQUEST_TIME\\: Deprecated in drupal\\:8\\.3\\.0 and is removed from drupal\\:11\\.0\\.0\\. Use \\\\Drupal\\:\\:time\\(\\)\\-\\>getRequestTime\\(\\); $#',
 	'count' => 1,
@@ -1432,6 +1444,12 @@ $ignoreErrors[] = [
 	'count' => 1,
 	'path' => __DIR__ . '/modules/forum/src/ForumUninstallValidator.php',
 ];
+$ignoreErrors[] = [
+	'message' => '#^Class Drupal\\\\help_topics_twig_tester\\\\HelpTestTwigNodeVisitor extends deprecated class Twig\\\\NodeVisitor\\\\AbstractNodeVisitor\\:
+since 3\\.9 \\(to be removed in 4\\.0\\)$#',
+	'count' => 1,
+	'path' => __DIR__ . '/modules/help/tests/modules/help_topics_twig_tester/src/HelpTestTwigNodeVisitor.php',
+];
 $ignoreErrors[] = [
 	'message' => '#^Method Drupal\\\\history\\\\Plugin\\\\views\\\\field\\\\HistoryUserTimestamp\\:\\:render\\(\\) should return Drupal\\\\Component\\\\Render\\\\MarkupInterface\\|string but return statement is missing\\.$#',
 	'count' => 1,

core/composer.json

@@ -33,7 +33,7 @@
         "symfony/process": "^6.4",
         "symfony/polyfill-iconv": "^1.26",
         "symfony/yaml": "^6.4",
-        "twig/twig": "^3.5.0",
+        "twig/twig": "^3.14.0",
         "doctrine/annotations": "^1.14",
         "guzzlehttp/guzzle": "^7.5",
         "guzzlehttp/psr7": "^2.4.5",

core/modules/system/tests/src/Kernel/Theme/TwigIncludeTest.php

@@ -45,7 +45,7 @@ class TwigIncludeTest extends KernelTestBase {
     $element = [];
     $element['test'] = [
       '#type' => 'inline_template',
-      '#template' => "{% include '@__main__\/core/tests/fixtures/files/sql-2.sql' %}",
+      '#template' => "{% include '@__main__/core/tests/fixtures/files/sql-2.sql' %}",
     ];
     try {
       $renderer->renderRoot($element);

core/tests/Drupal/KernelTests/Core/Theme/TwigEnvironmentTest.php

@@ -10,7 +10,6 @@ use Drupal\Core\Template\TwigEnvironment;
 use Drupal\Core\Template\TwigPhpStorageCache;
 use Drupal\KernelTests\KernelTestBase;
 use Symfony\Component\DependencyInjection\Definition;
-use Twig\Environment;
 use Twig\Error\LoaderError;
 
 /**
@@ -216,17 +215,6 @@ TWIG;
     file_put_contents($template_file, $template_after);
     $output = $environment->load(basename($template_file))->render();
     $this->assertEquals($template_before, $output);
-
-    $environment->invalidate();
-    // Manually change $templateClassPrefix to force a different template
-    // classname, as the other class is still loaded. This wouldn't be a problem
-    // on a real site where you reload the page.
-    $reflection = new \ReflectionClass(Environment::class);
-    $property_reflection = $reflection->getProperty('templateClassPrefix');
-    $property_reflection->setValue($environment, 'otherPrefix');
-
-    $output = $environment->load(basename($template_file))->render();
-    $this->assertEquals($template_after, $output);
   }
 
   /**