also handle SSTI in reduce twig filter + function

CHANGELOG.md

@@ -4,10 +4,11 @@
 1. [](#new)
    * Added a new `system.languages.debug` option that adds a `<span class="translate-debug"></span>` around strings translated with `|t`. This can be styled by the theme as needed.
 1. [](#improved)
-   * More robust SSTI handling in `|filter` and `|map`
+   * More robust SSTI handling in `filter`, `map`, and `reduce` Twig filters and functions
    * Various SSTI improvements `Utils::isDangerousFunction()`
 1. [](#bugfix)
    * Fixed Twig `|map()` allowing code execution
+   * Fixed Twig `|reduce()` allowing code execution
 
 # v1.7.41.2
 ## 06/01/2023

system/src/Grav/Common/Twig/Extension/GravExtension.php

@@ -171,9 +171,10 @@ public function getFilters(): array
             new TwigFilter('count', 'count'),
             new TwigFilter('array_diff', 'array_diff'),
 
-            // Security fix
-            new TwigFilter('filter', [$this, 'filterFilter'], ['needs_environment' => true]),
-            new TwigFilter('map', [$this, 'mapFilter'], ['needs_environment' => true]),
+            // Security fixes
+            new TwigFilter('filter', [$this, 'filterFunc'], ['needs_environment' => true]),
+            new TwigFilter('map', [$this, 'mapFunc'], ['needs_environment' => true]),
+            new TwigFilter('reduce', [$this, 'reduceFunc'], ['needs_environment' => true]),
         ];
     }
 
@@ -250,6 +251,11 @@ public function getFunctions(): array
             new TwigFunction('count', 'count'),
             new TwigFunction('array_diff', 'array_diff'),
             new TwigFunction('parse_url', 'parse_url'),
+
+            // Security fixes
+            new TwigFunction('filter', [$this, 'filterFunc'], ['needs_environment' => true]),
+            new TwigFunction('map', [$this, 'mapFunc'], ['needs_environment' => true]),
+            new TwigFunction('reduce', [$this, 'reduceFunc'], ['needs_environment' => true]),
         ];
     }
 
@@ -1706,7 +1712,7 @@ public function ofTypeFunc($var, $typeTest = null, $className = null)
      * @return array|CallbackFilterIterator
      * @throws RuntimeError
      */
-    function filterFilter(Environment $env, $array, $arrow)
+    function filterFunc(Environment $env, $array, $arrow)
     {
         if (!$arrow instanceof \Closure && !is_string($arrow) || Utils::isDangerousFunction($arrow)) {
             throw new RuntimeError('Twig |filter("' . $arrow . '") is not allowed.');
@@ -1722,12 +1728,28 @@ function filterFilter(Environment $env, $array, $arrow)
      * @return array|CallbackFilterIterator
      * @throws RuntimeError
      */
-    function mapFilter(Environment $env, $array, $arrow)
+    function mapFunc(Environment $env, $array, $arrow)
     {
         if (!$arrow instanceof \Closure && !is_string($arrow) || Utils::isDangerousFunction($arrow)) {
             throw new RuntimeError('Twig |map("' . $arrow . '") is not allowed.');
         }
 
         return twig_array_map($env, $array, $arrow);
     }
+
+    /**
+     * @param Environment $env
+     * @param array $array
+     * @param callable|string $arrow
+     * @return array|CallbackFilterIterator
+     * @throws RuntimeError
+     */
+    function reduceFunc(Environment $env, $array, $arrow)
+    {
+        if (!$arrow instanceof \Closure && !is_string($arrow) || Utils::isDangerousFunction($arrow)) {
+            throw new RuntimeError('Twig |reduce("' . $arrow . '") is not allowed.');
+        }
+
+        return twig_array_map($env, $array, $arrow);
+    }
 }