From f0141530b99427a7c9ef7f5088b45616b89b6aab Mon Sep 17 00:00:00 2001
From: Eric Espie <eric.espie@combodo.com>
Date: Thu, 24 Nov 2022 16:12:53 +0100
Subject: [PATCH] =?UTF-8?q?N=C2=B05725=20-=20Twig=20update=20'filter',=20'?=
 =?UTF-8?q?map'=20and=20'reduce'=20filters=20(+1=20squashed=20commits)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Squashed commits:

[00148dec5] N°5725 - Twig update 'filter', 'map' and 'reduce' filters
---
 .../portal/src/Twig/AppExtension.php          | 32 ++++++-
 test/twig/TwigTest.php                        |  5 +
 test/twig/test.html                           | 79 +++++++++-------
 test/twig/test.html.twig                      | 92 ++++++++++---------
 4 files changed, 131 insertions(+), 77 deletions(-)

diff --git a/datamodels/2.x/itop-portal-base/portal/src/Twig/AppExtension.php b/datamodels/2.x/itop-portal-base/portal/src/Twig/AppExtension.php
index b44f62e869..c4f51f9c76 100644
--- a/datamodels/2.x/itop-portal-base/portal/src/Twig/AppExtension.php
+++ b/datamodels/2.x/itop-portal-base/portal/src/Twig/AppExtension.php
@@ -100,15 +100,41 @@ class AppExtension extends AbstractExtension
 		//since 2.7.7 3.0.2 3.1.0 N°4867 "Twig content not allowed" error when use the extkey widget search icon in the user portal
 		//overwrite native twig filter : disable use of 'system' filter
 		$filters[] = new Twig_SimpleFilter('filter', function ($array, $arrow) {
-			if ($arrow == 'system'){
-				return json_encode($array);
+			$ret = $this->SanitizeFilter($array, $arrow);
+			if ($ret !== false) {
+				return [$ret];
 			}
-			return  twig_array_filter($array, $arrow);
+			return twig_array_filter($array, $arrow);
+		});
+		$filters[] = new Twig_SimpleFilter('map', function ($array, $arrow) {
+			$ret = $this->SanitizeFilter($array, $arrow);
+			if ($ret !== false) {
+				return [$ret];
+			}
+			return twig_array_map($array, $arrow);
+		});
+		$filters[] = new Twig_SimpleFilter('reduce', function ($array, $arrow, $initial = null) {
+			$ret = $this->SanitizeFilter($array, $arrow);
+			if ($ret !== false) {
+				return $ret;
+			}
+			// reduce return mixed results not only arrays
+			return twig_array_reduce($array, $arrow, $initial);
 		});
 
 		return $filters;
 	}
 
+	private function SanitizeFilter($array, $arrow)
+	{
+		if (is_string($arrow)) {
+			if (in_array(strtolower($arrow), ['system', 'exec', 'passthru', 'popen'])) {
+				return json_encode($array);
+			}
+		}
+		return false;
+	}
+
 	/**
 	 * @return array|\Twig\TwigFunction[]|\Twig_SimpleFunction[]
 	 */
diff --git a/test/twig/TwigTest.php b/test/twig/TwigTest.php
index f47bc10bed..f14420c817 100644
--- a/test/twig/TwigTest.php
+++ b/test/twig/TwigTest.php
@@ -5,6 +5,11 @@ use Combodo\iTop\Portal\Twig\AppExtension;
 use Twig_Environment;
 use Twig_Loader_Array;
 
+/**
+ * @runTestsInSeparateProcesses
+ * @preserveGlobalState disabled
+ * @backupGlobals disabled
+ */
 class TwigTest extends ItopDataTestCase
 {
 	protected function setUp(): void
diff --git a/test/twig/test.html b/test/twig/test.html
index 2406bbfd4f..3fb370a80a 100644
--- a/test/twig/test.html
+++ b/test/twig/test.html
@@ -1,33 +1,46 @@
-<div>
-        User Name
-    </div><div>
-        ['id']|filter('system')
-    </div>
-    [&quot;id&quot;]
-    <div>
-        ['touch+/tmp/test+']|filter('system')|join(',')
-    </div>
-    [&quot;touch+\/tmp\/test+&quot;]
-    <div>
-        set sizes = [34, 36, 38, 40, 42]
-        sizes|filter(v => v > 38)|join(', ')
-    </div>
-        40, 42
-    <div>
-        app.request.server.all|join(',')
-    </div><div>
-        self
-    </div><div>
-        [0]|reduce('system','echo')
-    </div>
-    [&quot;echo&quot;]
-    <div>
-        ['echo']|map('system')|join
-    </div>
-    [&quot;echo&quot;]
-    <div>
-        ['echo',1]|sort('system')|join
-    </div>
-    echo1
-    POST /subscribe?0=cat+/etc/passwd HTTP/1.1
-    email=""@attacker.tld
\ No newline at end of file
+<div>User Name</div>
+
+<div>['id']|filter('system')|join</div>
+[&quot;id&quot;]
+
+<div>['echo']|filter('passthru')|join</div>
+[&quot;echo&quot;]
+
+<div>['echo']|filter('popen')|join</div>
+[&quot;echo&quot;]
+
+<div>['echo']|filter('exec')|join</div>
+[&quot;echo&quot;]
+
+<div>['id']|filter('SysteM')|join</div>
+[&quot;id&quot;]
+
+<div>['touch+/tmp/test+']|filter('system')|join(',')</div>
+[&quot;touch+\/tmp\/test+&quot;]
+
+<div>[34, 36, 38, 40, 42]|filter(v => v > 38)|join(', ')</div>
+40, 42
+
+<div>app.request.server.all|join(',')</div>
+
+
+<div>self</div>
+
+
+<div>[0]|reduce('system','echo')</div>
+[0]
+
+<div>[1, 2, 3]|reduce((carry, v) => carry + v)</div>
+6
+
+<div>['echo']|map('system')|join</div>
+[&quot;echo&quot;]
+
+<div>{"Bob": "Smith", "Alice": "Dupond"}|map((value, key) => "#{key} #{value}")|join(', ')</div>
+Bob Smith, Alice Dupond
+
+<div>['echo',1]|sort('system')|join</div>
+echo1
+
+POST /subscribe?0=cat+/etc/passwd HTTP/1.1
+email=""@attacker.tld
\ No newline at end of file
diff --git a/test/twig/test.html.twig b/test/twig/test.html.twig
index 5825249c30..1e350299f0 100644
--- a/test/twig/test.html.twig
+++ b/test/twig/test.html.twig
@@ -1,41 +1,51 @@
-{% spaceless %}
-    <div>
-        {{ 'UI:Login:UserNamePrompt'|dict_s }}
-    </div>
-    <div>
-        ['id']|filter('system')
-    </div>
-    {{ ['id']|filter('system') }}
-    <div>
-        ['touch+/tmp/test+']|filter('system')|join(',')
-    </div>
-    {{ ['touch+/tmp/test+']|filter('system')|join(',') }}
-    <div>
-        set sizes = [34, 36, 38, 40, 42]
-        sizes|filter(v => v > 38)|join(', ')
-    </div>
-    {% set sizes = [34, 36, 38, 40, 42] %}
-    {{ sizes|filter(v => v > 38)|join(', ') }}
-    <div>
-        app.request.server.all|join(',')
-    </div>
-    {{ app.request.server.all|join(',') }} {# needs syfony #}
-    <div>
-        self
-    </div>
-    {{ self }} {# ??? not sure #}
-    <div>
-        [0]|reduce('system','echo')
-    </div>
-    {{ [0]|reduce('system','echo') }}
-    <div>
-        ['echo']|map('system')|join
-    </div>
-    {{ ['echo']|map('system')|join }}
-    <div>
-        ['echo',1]|sort('system')|join
-    </div>
-    {{ ['echo',1]|sort('system')|join }}
-    POST /subscribe?0=cat+/etc/passwd HTTP/1.1
-    email="{{ app.request.query.filter(0,0,1024,{'options':'system'}) }}"@attacker.tld
-{% endspaceless %}
\ No newline at end of file
+<div>{{ 'UI:Login:UserNamePrompt'|dict_s }}</div>
+
+<div>['id']|filter('system')|join</div>
+{{ ['id']|filter('system')|join }}
+
+<div>['echo']|filter('passthru')|join</div>
+{{ ['echo']|filter('passthru')|join }}
+
+<div>['echo']|filter('popen')|join</div>
+{{ ['echo']|filter('popen')|join }}
+
+<div>['echo']|filter('exec')|join</div>
+{{ ['echo']|filter('exec')|join }}
+
+<div>['id']|filter('SysteM')|join</div>
+{{ ['id']|filter('SysteM')|join }}
+
+<div>['touch+/tmp/test+']|filter('system')|join(',')</div>
+{{ ['touch+/tmp/test+']|filter('system')|join(',') }}
+
+<div>[34, 36, 38, 40, 42]|filter(v => v > 38)|join(', ')</div>
+{{ [34, 36, 38, 40, 42]|filter(v => v > 38)|join(', ') }}
+
+<div>app.request.server.all|join(',')</div>
+{{ app.request.server.all|join(',')}}
+
+<div>self</div>
+{{ self }}
+
+<div>[0]|reduce('system','echo')</div>
+{{ [0]|reduce('system','echo') }}
+
+<div>[1, 2, 3]|reduce((carry, v) => carry + v)</div>
+{% set numbers = [1, 2, 3] %}
+{{ numbers|reduce((carry, v) => carry + v) }}
+
+<div>['echo']|map('system')|join</div>
+{{ ['echo']|map('system')|join }}
+
+<div>{"Bob": "Smith", "Alice": "Dupond"}|map((value, key) => "#{key} #{value}")|join(', ')</div>
+{% set people = {
+"Bob": "Smith",
+"Alice": "Dupond",
+} %}
+{{ people|map((value, key) => "#{key} #{value}")|join(', ') }}
+
+<div>['echo',1]|sort('system')|join</div>
+{{ ['echo',1]|sort('system')|join }}
+
+POST /subscribe?0=cat+/etc/passwd HTTP/1.1
+email="{{ app.request.query.filter(0,0,1024,{'options':'system'}) }}"@attacker.tld
\ No newline at end of file