N°8017 - Security - dependabot - Symfony's VarDumper vulnerable to un… (#731)

Upgrade all Symfony components to last security fix (~6.4.0)
2026-04-26 20:18:52 +02:00 · 2025-08-06 08:54:56 +02:00
parent 603340b852
commit cdbcd14767
608 changed files with 5020 additions and 3793 deletions
--- a/lib/symfony/twig-bridge/NodeVisitor/TranslationNodeVisitor.php
+++ b/lib/symfony/twig-bridge/NodeVisitor/TranslationNodeVisitor.php
@@ -18,14 +18,14 @@ use Twig\Node\Expression\ConstantExpression;
 use Twig\Node\Expression\FilterExpression;
 use Twig\Node\Expression\FunctionExpression;
 use Twig\Node\Node;
-use Twig\NodeVisitor\AbstractNodeVisitor;
+use Twig\NodeVisitor\NodeVisitorInterface;

 /**
 * TranslationNodeVisitor extracts translation messages.
 *
 * @author Fabien Potencier <fabien@symfony.com>
 */
-final class TranslationNodeVisitor extends AbstractNodeVisitor
+final class TranslationNodeVisitor implements NodeVisitorInterface
 {
    public const UNDEFINED_DOMAIN = '_undefined';

@@ -49,7 +49,7 @@ final class TranslationNodeVisitor extends AbstractNodeVisitor
        return $this->messages;
    }

-    protected function doEnterNode(Node $node, Environment $env): Node
+    public function enterNode(Node $node, Environment $env): Node
    {
        if (!$this->enabled) {
            return $node;
@@ -57,7 +57,7 @@ final class TranslationNodeVisitor extends AbstractNodeVisitor

        if (
            $node instanceof FilterExpression
-            && 'trans' === $node->getNode('filter')->getAttribute('value')
+            && 'trans' === ($node->hasAttribute('twig_callable') ? $node->getAttribute('twig_callable')->getName() : $node->getNode('filter')->getAttribute('value'))
            && $node->getNode('node') instanceof ConstantExpression
        ) {
            // extract constant nodes with a trans filter
@@ -85,7 +85,7 @@ final class TranslationNodeVisitor extends AbstractNodeVisitor
            ];
        } elseif (
            $node instanceof FilterExpression
-            && 'trans' === $node->getNode('filter')->getAttribute('value')
+            && 'trans' === ($node->hasAttribute('twig_callable') ? $node->getAttribute('twig_callable')->getName() : $node->getNode('filter')->getAttribute('value'))
            && $node->getNode('node') instanceof ConcatBinary
            && $message = $this->getConcatValueFromNode($node->getNode('node'), null)
        ) {
@@ -98,7 +98,7 @@ final class TranslationNodeVisitor extends AbstractNodeVisitor
        return $node;
    }

-    protected function doLeaveNode(Node $node, Environment $env): ?Node
+    public function leaveNode(Node $node, Environment $env): ?Node
    {
        return $node;
    }
@@ -149,6 +149,22 @@ final class TranslationNodeVisitor extends AbstractNodeVisitor
            return $node->getAttribute('value');
        }

+        if (
+            $node instanceof FunctionExpression
+            && 'constant' === $node->getAttribute('name')
+        ) {
+            $nodeArguments = $node->getNode('arguments');
+            if ($nodeArguments->getIterator()->current() instanceof ConstantExpression) {
+                $constantName = $nodeArguments->getIterator()->current()->getAttribute('value');
+                if (\defined($constantName)) {
+                    $value = \constant($constantName);
+                    if (\is_string($value)) {
+                        return $value;
+                    }
+                }
+            }
+        }
+
        return self::UNDEFINED_DOMAIN;
    }