From cda017fa4ffa10c4000b271b6ab45f00bf44b91e Mon Sep 17 00:00:00 2001
From: Eric Espie
Date: Wed, 7 Dec 2022 11:59:34 +0100
Subject: [PATCH] =?UTF-8?q?N=C2=B05725=20-=20Twig=20update=20'filter',=20'?=
 =?UTF-8?q?map'=20and=20'reduce'=20filters?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../portal/src/Twig/AppExtension.php | 77 +++++++++++++++----
 test/twig/test.html | 10 +--
 test/twig/test.html.twig | 4 +-
 3 files changed, 71 insertions(+), 20 deletions(-)
diff --git a/datamodels/2.x/itop-portal-base/portal/src/Twig/AppExtension.php b/datamodels/2.x/itop-portal-base/portal/src/Twig/AppExtension.php
index c4f51f9c7..8e29416aa 100644
--- a/datamodels/2.x/itop-portal-base/portal/src/Twig/AppExtension.php
+++ b/datamodels/2.x/itop-portal-base/portal/src/Twig/AppExtension.php
@@ -20,6 +20,7 @@ namespace Combodo\iTop\Portal\Twig;
 use Dict;
+use PhpParser\Node\Expr\Closure;
 use Twig\Extension\AbstractExtension;
 use Twig_SimpleFilter;
 use Twig_SimpleFunction;
@@ -98,7 +99,7 @@ class AppExtension extends AbstractExtension
 return $sUrl;
 });
 //since 2.7.7 3.0.2 3.1.0 N°4867 "Twig content not allowed" error when use the extkey widget search icon in the user portal
- //overwrite native twig filter : disable use of 'system' filter
+ // Since 2.7.8 filter more functions as filter 'filter' is used by the portal
 $filters[] = new Twig_SimpleFilter('filter', function ($array, $arrow) {
 $ret = $this->SanitizeFilter($array, $arrow);
 if ($ret !== false) {
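Review bot: The imported `Closure` is `PhpParser\Node\Expr\Closure`, a PHP-Parser AST node class, so the new `$arrow instanceof Closure` branch added to SanitizeFilter in the last hunk of this file tests against that class rather than PHP's native `\Closure`, which is what Twig compiles an arrow function such as `v => v > 38` to. `instanceof` never triggers autoloading, so the branch quietly evaluates to false whether or not the PhpParser package is installed, and closures keep reaching twig_array_filter. The test.html fixture in this same commit expects the `filter(v => v > 38)` case to come back as JSON, which this import cannot produce, so that expectation was presumably captured against a different state of the code. The fix is the import line itself: `use Closure;` (or drop the import and write `$arrow instanceof \Closure` in SanitizeFilter).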
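Review bot: The replacement comment on the 'filter' registration explains why the list grew but drops the one thing the old comment said, that this entry overrides Twig's native `filter` to keep dangerous callables out; a maintainer reading the registration now has to open SanitizeFilter() to learn that. Suggest `// Overrides Twig's native 'filter': callables rejected by SanitizeFilter() get the input back as JSON, all others reach twig_array_filter() (N°4867, N°5725)`. The closure body continues past the end of this hunk.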
@@ -106,20 +107,13 @@ class AppExtension extends AbstractExtension
 }
 return twig_array_filter($array, $arrow);
 });
+ // Since 2.7.8 deactivate map
 $filters[] = new Twig_SimpleFilter('map', function ($array, $arrow) {
- $ret = $this->SanitizeFilter($array, $arrow);
- if ($ret !== false) {
- return [$ret];
- }
- return twig_array_map($array, $arrow);
+ return $array;
 });
+ // Since 2.7.8 deactivate reduce
 $filters[] = new Twig_SimpleFilter('reduce', function ($array, $arrow, $initial = null) {
- $ret = $this->SanitizeFilter($array, $arrow);
- if ($ret !== false) {
- return $ret;
- }
- // reduce return mixed results not only arrays
- return twig_array_reduce($array, $arrow, $initial);
+ return $array;
 });
 return $filters;
@@ -127,10 +121,67 @@ class AppExtension extends AbstractExtension
 private function SanitizeFilter($array, $arrow)
 {
+ $aRestricted = [
+ 'system',
+ 'exec',
+ 'passthru',
+ 'popen',
+ 'proc_open',
+ 'shell_exec',
+ 'file_get_contents',
+ 'file_put_contents',
+ 'eval',
+ 'pcntl_exec',
+ 'chgrp',
+ 'chmod',
+ 'chown',
+ 'lchgrp',
+ 'lchown',
+ 'umask',
+ 'copy',
+ 'delete',
+ 'unlink',
+ 'link',
+ 'mkdir',
+ 'rmdir',
+ 'rename',
+ 'symlink',
+ 'tempnam',
+ 'tmpfile',
+ 'touch',
+ 'fgetc',
+ 'fgetcsv',
+ 'fgets',
+ 'fgetss',
+ 'file',
+ 'flock',
+ 'fopen',
+ 'fpassthru',
+ 'fputcsv',
+ 'fputs',
+ 'fread',
+ 'fscanf',
+ 'ftruncate',
+ 'fwrite',
+ 'glob',
+ 'readfile',
+ 'readlink',
+ 'parse_ini_file',
+ 'mail',
+ ];
+ $aRestrictedStartWith = ['ftp_', 'zip_', 'stream_'];
+
 if (is_string($arrow)) {
- if (in_array(strtolower($arrow), ['system', 'exec', 'passthru', 'popen'])) {
+ if (in_array(strtolower($arrow), $aRestricted)) {
 return json_encode($array);
 }
+ foreach ($aRestrictedStartWith as $sRestrictedStartWith) {
+ if (utils::StartsWith($arrow, $sRestrictedStartWith)) {
+ return json_encode($array);
+ }
+ }
+ } elseif ($arrow instanceof Closure) {
+ return json_encode($array);
 }
 return false;
 }
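Review bot: The deactivated `map` and `reduce` filters return `$array` unchanged, which for `reduce` turns what used to be a scalar result into the input array; a template that did `{{ items|reduce(...) }}` now runs into an array-to-string conversion, and the fixture in test/twig/test.html.twig had to gain `|join(', ')` for exactly that reason. If the intent is to disable these filters rather than to redefine their result, a clear error is kinder to template authors than a silently wrong value: `throw new \Twig\Error\RuntimeError('The "map" filter is not available in the portal');` in the map closure, and the same wording for reduce. If returning the input untouched is deliberate, say so in the comment, e.g. `// Since 2.7.8 'map' is disabled: the input is returned untouched`, and note that `$arrow` and `$initial` are intentionally ignored so a later cleanup does not remove them from the signature Twig binds against.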
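Review bot: The new prefix check compares the raw `$arrow` while the list check compares `strtolower($arrow)`; PHP resolves a string callable case-insensitively and with or without a leading namespace separator, so normalise once, `$sArrow = strtolower(ltrim($arrow, '\\'));`, and use `$sArrow` in both `in_array` (with `true` as the third argument) and `utils::StartsWith`. More fundamentally, a denylist of function names is only as complete as its last edit, and any `$arrow` that is neither a string nor a Closure falls through to `return false` and is handed to twig_array_filter unchanged. Since this commit already rejects closures, the only callables the portal still needs are the plain function names its own templates pass to 'filter', so an allowlist of those names is shorter and closed by construction; if some portal templates rely on arrow functions, keep native `\Closure` allowed in the same place. SanitizeFilter's closing brace appears to be the last line of this hunk, but a trailing context line may have been lost in the collapsed layout.
```php
private function SanitizeFilter($array, $arrow)
{
    // Allowlist: the plain function names the portal's own templates pass to 'filter'.
    // Anything else (unknown names, closures, array-form callables) gets the input back as JSON.
    $aAllowed = ['ALLOWED_FUNCTION_NAME_PLACEHOLDER']; // fill in from the portal templates
    if (!is_string($arrow)) {
        return json_encode($array);
    }
    $sArrow = strtolower(ltrim($arrow, '\\'));
    if (!in_array($sArrow, $aAllowed, true)) {
        return json_encode($array);
    }
    return false;
}
```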
diff --git a/test/twig/test.html b/test/twig/test.html
index 3fb370a80..15039796e 100644
--- a/test/twig/test.html
+++ b/test/twig/test.html
@@ -19,7 +19,7 @@ ["touch+\/tmp\/test+"]
[34, 36, 38, 40, 42]|filter(v => v > 38)|join(', ')
-40, 42
+[34,36,38,40,42]
app.request.server.all|join(',')
@@ -28,16 +28,16 @@
[0]|reduce('system','echo')
-[0]
+0
[1, 2, 3]|reduce((carry, v) => carry + v)
-6
+1, 2, 3
['echo']|map('system')|join
-["echo"]
+echo
{"Bob": "Smith", "Alice": "Dupond"}|map((value, key) => "#{key} #{value}")|join(', ')
-Bob Smith, Alice Dupond
+Smith, Dupond
['echo',1]|sort('system')|join
echo1
diff --git a/test/twig/test.html.twig b/test/twig/test.html.twig
index 1e350299f..1232f8104 100644
--- a/test/twig/test.html.twig
+++ b/test/twig/test.html.twig
@@ -28,11 +28,11 @@ {{ self }}
[0]|reduce('system','echo')
-{{ [0]|reduce('system','echo') }}
+{{ [0]|reduce('system','echo')|join(', ') }}
[1, 2, 3]|reduce((carry, v) => carry + v)
{% set numbers = [1, 2, 3] %}
-{{ numbers|reduce((carry, v) => carry + v) }}
+{{ numbers|reduce((carry, v) => carry + v)|join(', ') }}
['echo']|map('system')|join
{{ ['echo']|map('system')|join }}