Security policy wildcard support for methods/properties #3901

Open: wants to merge 8 commits into base: 2.x

@YSaxon (Contributor) commented Oct 27, 2023

Allows for flexible wildcard support in allowedMethods and allowedProperties in SecurityPolicy.

  • Class can be specified as wildcard, * => ['foo',...] in order to allow those methods/properties for all classes.
  • Method/property can be specified as wildcard, e.g. \Foo\Bar\Baz => '*' in order to allow all methods/properties for that class.
  • Method/property can also be specified with a trailing wildcard to allow all methods/properties with a certain prefix, e.g. \Foo\Bar\Baz => ['get*', ...] in order to allow all Baz methods/properties that start with get.

Here are some real examples of security policy items that previously had to be hardcoded that can now be expressed with wildcards:

'Twig\Template' => '*',
'Twig\Markup' => '*',
'Drupal\Core\Template\Attribute' => '*',
'*' => ['get*', 'has*', 'is*', '__toString', 'toString', 'id', 'label', 'bundle'],

@YSaxon YSaxon marked this pull request as ready for review October 30, 2023 19:37
@fabpot (Contributor) left a comment

That will be for 3.x as 2.x EOL is reached.
I know I've merged your other PR in 2.x, but as it was security related, I accepted it.

* - Method/property can also be specified with a trailing wildcard to allow all methods/properties with a certain prefix, eg. `\DateTime => ['get*', ...]` in order to allow all methods/properties that start with `get`.
*
* @author Yaakov Saxon <ysaxon@gmail.com>
*/

Let's mark this class as @internal.

*/
final class MemberMatcher
{
private $allowedMembers;

Suggested change
private $allowedMembers;
private array $allowedMembers;

final class MemberMatcher
{
private $allowedMembers;
private $cache = [];

Suggested change
private $cache = [];
private array $cache = [];


public function isAllowed($obj, string $member): bool
{
$cacheKey = get_class($obj) . "::" . $member;
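
Review bot: `isAllowed($obj, string $member)` leaves `$obj` untyped and then passes it straight to `get_class($obj)`, which throws a TypeError on PHP 8 when given a non-object; declaring the parameter as `object $obj` would state the contract in the signature. The cache key is also built from `$member` exactly as passed, so unless callers normalize case, `getFoo` and `getfoo` are cached as separate entries even though PHP resolves both to the same method.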

Suggested change
$cacheKey = get_class($obj) . "::" . $member;
$cacheKey = get_class($obj).'::'.$member;

if ('*' === $class || $obj instanceof $class) {
foreach ($members as $allowedMember) {
if ('*' === $allowedMember) {
$this->cache[$cacheKey] = true;

Suggested change
$this->cache[$cacheKey] = true;
return $this->cache[$cacheKey];

Same below


return true;
}
// if allowedMember ends with a *, check if the member starts with the allowedMember

Why do we only allow * to be at the end?

@fabpot (Contributor) commented Dec 19, 2023

I forgot to mention that overall I'm not sold yet this is something I want in core. I very much prefer white-listing explicitly what is allowed. With *, future methods/properties/classes will be automatically "accepted", which can be problematic.

@fabpot (Contributor) commented Dec 19, 2023

Or maybe that's fine but we need to make it very clear in the docs that this should be used with caution (can you add some docs for this new feature?).
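
The three wildcard rules from the PR description, and the concern raised above that `*` automatically accepts future members, shown as an added example (not code from this PR or from Twig): an audit helper that uses reflection to list which public methods a wildcard policy currently admits for a class. `Account`, `memberMatches` and `admittedMethods` are hypothetical names, and case-insensitive method matching is an assumption of this sketch.

```php
<?php
// Constructed sample class, not part of Twig or this PR.
class Account
{
    public function getName(): string { return 'alice'; }
    public function getApiToken(): string { return 'placeholder'; } // added in a later release
    public function delete(): void {}
    public function __toString(): string { return $this->getName(); }
}

// Hypothetical helper: does $member match '*', a trailing-wildcard prefix, or an exact name?
function memberMatches(string $pattern, string $member): bool
{
    if ('*' === $pattern) {
        return true;
    }
    if ('*' === substr($pattern, -1)) {
        $prefix = substr($pattern, 0, -1);
        return 0 === strncasecmp($member, $prefix, strlen($prefix));
    }
    return 0 === strcasecmp($pattern, $member); // PHP method names are case-insensitive
}

// Hypothetical audit helper: public methods of $class that $policy admits, with the matching pattern.
function admittedMethods(array $policy, string $class): array
{
    $admitted = [];
    foreach ((new ReflectionClass($class))->getMethods(ReflectionMethod::IS_PUBLIC) as $method) {
        foreach ($policy as $policyClass => $patterns) {
            if ('*' !== $policyClass && !is_a($class, $policyClass, true)) {
                continue;
            }
            foreach ((array) $patterns as $pattern) {
                if (memberMatches($pattern, $method->getName())) {
                    $admitted[$method->getName()] = $pattern;
                    continue 3; // next method
                }
            }
        }
    }
    return $admitted;
}

// Constructed policy using the class wildcard and a prefix wildcard.
$policy = ['*' => ['get*', '__toString']];
foreach (admittedMethods($policy, Account::class) as $name => $pattern) {
    echo $name, ' is allowed via ', $pattern, "\n";
}
```

Diffing such a listing between releases of the classes exposed to the sandbox shows which methods a prefix or class wildcard has newly admitted, such as the constructed `getApiToken` here.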
