Fix a security issue when an included sandboxed template has been loaded before without the sandbox context

fabpot · fabpot · commit 11f68e2aeb52 · 2024-09-09T19:04:10.000+02:00
diff --git a/src/Extension/CoreExtension.php b/src/Extension/CoreExtension.php
@@ -1431,13 +1431,6 @@ public static function include(Environment $env, $context, $template, $variables
             if (!$alreadySandboxed = $sandbox->isSandboxed()) {
                 $sandbox->enableSandbox();
             }
-
-            foreach ((\is_array($template) ? $template : [$template]) as $name) {
-                // if a Template instance is passed, it might have been instantiated outside of a sandbox, check security
-                if ($name instanceof TemplateWrapper || $name instanceof Template) {
-                    $name->unwrap()->checkSecurity();
-                }
-            }
         }
 
         try {
@@ -1452,6 +1445,10 @@ public static function include(Environment $env, $context, $template, $variables
                 return '';
             }
 
+            if ($isSandboxed) {
+                $loaded->unwrap()->checkSecurity();
+            }
+
             return $loaded->render($variables);
         } finally {
             if ($isSandboxed && !$alreadySandboxed) {
diff --git a/tests/Extension/CoreTest.php b/tests/Extension/CoreTest.php
@@ -12,8 +12,13 @@
  */
 
 use PHPUnit\Framework\TestCase;
+use Twig\Environment;
 use Twig\Error\RuntimeError;
 use Twig\Extension\CoreExtension;
+use Twig\Extension\SandboxExtension;
+use Twig\Loader\ArrayLoader;
+use Twig\Sandbox\SecurityError;
+use Twig\Sandbox\SecurityPolicy;
 
 class CoreTest extends TestCase
 {
@@ -354,6 +359,40 @@ public static function provideCompareCases()
             [1, 42, "\x00\x34\x32"],
         ];
     }
+
+    public function testSandboxedInclude()
+    {
+        $twig = new Environment(new ArrayLoader([
+            'index' => '{{ include("included", sandboxed: true) }}',
+            'included' => '{{ "included"|e }}',
+        ]));
+        $policy = new SecurityPolicy(allowedFunctions: ['include']);
+        $sandbox = new SandboxExtension($policy, false);
+        $twig->addExtension($sandbox);
+
+        // We expect a compile error
+        $this->expectException(SecurityError::class);
+        $twig->render('index');
+    }
+
+    public function testSandboxedIncludeWithPreloadedTemplate()
+    {
+        $twig = new Environment(new ArrayLoader([
+            'index' => '{{ include("included", sandboxed: true) }}',
+            'included' => '{{ "included"|e }}',
+        ]));
+        $policy = new SecurityPolicy(allowedFunctions: ['include']);
+        $sandbox = new SandboxExtension($policy, false);
+        $twig->addExtension($sandbox);
+
+        // The template is loaded without the sandbox enabled
+        // so, no compile error
+        $twig->load('included');
+
+        // We expect a runtime error
+        $this->expectException(SecurityError::class);
+        $twig->render('index');
+    }
 }
 
 final class CoreTestIteratorAggregate implements \IteratorAggregate
