Problem/Motivation
While working on #2907810: [PP-1] Add $entity->toUrl() and $entity->toLink() methods to allowed methods list in Twig sandbox policy, it was identified that the current sandbox method matching is very broad: an allowed method name matches on _any_ object. This means it could lead to unintended calls to potentially unsafe methods on objects the allowed list was never meant to cover.
Hardening this also makes it easier to reason about new additions to the allowed methods, such as ::toUrl and ::toLink, if the methods can be restricted to a specific interface instead of guessing at every place the method might exist and how safe or unsafe its usage might be.
Steps to reproduce
Proposed resolution
Modify the format of the twig_sandbox_allowed_methods setting to allow targeting methods on specific interfaces or classes. Something like:
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Site\Settings;

$allowed_methods = Settings::get('twig_sandbox_allowed_methods', [
  // Only allow idempotent methods, and only on entities.
  EntityInterface::class . '::id',
  EntityInterface::class . '::label',
  EntityInterface::class . '::bundle',
  // Globally allowed methods (no interface prefix): permitted on any object.
  '::get',
  '::__toString',
  '::toString',
]);
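To show how the proposed "Interface::method" format would be evaluated, here is a small stand-alone matcher. This is an added example, not Drupal core code or the patch from this issue; the function name isMethodAllowed, the interface EntityLikeInterface and the classes Node and UnrelatedRecord are constructed stand-ins for EntityInterface and for an unrelated object that happens to expose a method of the same name.

```php
<?php
// Added example (hypothetical, not Drupal core code): evaluates the proposed
// allowed-methods format where "Fully\Qualified\Type::method" scopes a method
// to objects of that type and a bare "::method" entry applies to any object.

declare(strict_types=1);

// Constructed stand-in for Drupal's EntityInterface.
interface EntityLikeInterface {
  public function id(): ?string;
  public function label(): ?string;
}

// Constructed entity-like object: exposes allowed methods and one that is not.
final class Node implements EntityLikeInterface {
  public function id(): ?string { return '42'; }
  public function label(): ?string { return 'Hello'; }
  public function get(string $field): string { return "field:$field"; }
  public function delete(): void {}
}

// Constructed non-entity whose id() must NOT be callable under a scoped rule.
final class UnrelatedRecord {
  public function id(): string { return 'not-an-entity'; }
  public function get(string $key): string { return "value:$key"; }
}

/**
 * Returns TRUE when $method may be called on $object.
 *
 * Entries without a type prefix ('::get') are global. Entries with a prefix
 * match only when $object implements that interface or extends that class.
 * PHP method names are case-insensitive, so compare them that way.
 */
function isMethodAllowed(object $object, string $method, array $allowedMethods): bool {
  foreach ($allowedMethods as $entry) {
    if (strpos($entry, '::') === FALSE) {
      // Malformed entry: ignore rather than silently widening the policy.
      continue;
    }
    [$type, $name] = explode('::', $entry, 2);
    if (strcasecmp($name, $method) !== 0) {
      continue;
    }
    if ($type === '') {
      return TRUE;                 // Global entry such as '::get'.
    }
    if ($object instanceof $type) {
      return TRUE;                 // Scoped entry and the object has that type.
    }
  }
  return FALSE;
}

$allowedMethods = [
  EntityLikeInterface::class . '::id',
  EntityLikeInterface::class . '::label',
  '::get',
  '::__toString',
];

// Each row: description, actual decision, expected decision.
$checks = [
  ['Node::id',            isMethodAllowed(new Node(), 'id', $allowedMethods),              TRUE],
  ['Node::label',         isMethodAllowed(new Node(), 'label', $allowedMethods),           TRUE],
  ['Node::get',           isMethodAllowed(new Node(), 'get', $allowedMethods),             TRUE],
  ['Node::delete',        isMethodAllowed(new Node(), 'delete', $allowedMethods),          FALSE],
  ['UnrelatedRecord::id', isMethodAllowed(new UnrelatedRecord(), 'id', $allowedMethods),   FALSE],
  ['UnrelatedRecord::get', isMethodAllowed(new UnrelatedRecord(), 'get', $allowedMethods), TRUE],
];
foreach ($checks as [$label, $actual, $expected]) {
  printf("%-22s %s\n", $label, $actual === $expected ? 'ok' : 'MISMATCH');
}
```

Run it with `php matcher.php`; every row should print "ok". The point the rows make is the one from the issue summary: with the scoped format, id() on an object that merely has a method of that name is rejected, while a deliberately global entry like ::get still behaves as before.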
Remaining tasks
Finalize how much we harden this.
User interface changes
n/a
API changes
Data model changes
Release notes snippet
Twig sandboxing
Drupal's Twig default sandboxing has been hardened. It now allows access to the id, label, and bundle methods only on entities, not on any object. If you have custom templates that make use of these methods, you will need to customise the twig_sandbox_allowed_methods setting.