Open renovate[bot] opened 2 months ago
**🏰 Composer Production Dependency changes 🏰**

| Prod Packages | Operation | Base | Target | Link |
|---|---|---|---|---|
| symfony/deprecation-contracts | Upgraded | v3.3.0 | v3.5.0 | Compare |
| symfony/polyfill-ctype | Upgraded | v1.28.0 | v1.31.0 | Compare |
| symfony/polyfill-mbstring | Upgraded | v1.28.0 | v1.31.0 | Compare |
| symfony/polyfill-php80 | Upgraded | v1.28.0 | v1.31.0 | Compare |
| symfony/polyfill-php81 | Upgraded | v1.28.0 | v1.31.0 | Compare |
| twig/twig | Upgraded | v3.7.1 | v3.11.1 | Compare |
**🏰 Composer Production Dependency changes 🏰**

| Prod Packages | Operation | Base | Target | Link |
|---|---|---|---|---|
| symfony/deprecation-contracts | Upgraded | v3.3.0 | v3.5.0 | Compare |
| symfony/polyfill-ctype | Upgraded | v1.28.0 | v1.31.0 | Compare |
| symfony/polyfill-mbstring | Upgraded | v1.28.0 | v1.31.0 | Compare |
| symfony/polyfill-php80 | Upgraded | v1.28.0 | v1.31.0 | Compare |
| symfony/polyfill-php81 | Upgraded | v1.28.0 | v1.31.0 | Compare |
| twig/twig | Upgraded | v3.7.1 | v3.11.2 | Compare |
This PR contains the following updates:

| Package | Change |
|---|---|
| twig/twig | `3.7.1` -> `3.11.2` |
### Twig has a possible sandbox bypass

CVE-2024-45411 / GHSA-6j75-5wfj-gh66

#### Details

##### Description

Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions.

The security issue happens when all these conditions are met:

* The sandbox is disabled globally;
* The sandbox is enabled via a sandboxed `include()` function which references a template name (like `included.twig`) and not a `Template` or `TemplateWrapper` instance;
* The included template has been loaded before the `include()` call but in a non-sandbox context (possible as the sandbox has been globally disabled).

##### Resolution

The patch ensures that the sandbox security checks are always run at runtime.

##### Credits

We would like to thank Fabien Potencier for reporting and fixing the issue.

#### Severity

- CVSS Score: 8.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H`

#### References

- [https://github.com/twigphp/Twig/security/advisories/GHSA-6j75-5wfj-gh66](https://redirect.github.com/twigphp/Twig/security/advisories/GHSA-6j75-5wfj-gh66)
- [https://nvd.nist.gov/vuln/detail/CVE-2024-45411](https://nvd.nist.gov/vuln/detail/CVE-2024-45411)
- [https://github.com/twigphp/Twig/commit/11f68e2aeb526bfaf638e30d4420d8a710f3f7c6](https://redirect.github.com/twigphp/Twig/commit/11f68e2aeb526bfaf638e30d4420d8a710f3f7c6)
- [https://github.com/twigphp/Twig/commit/2102dd135986db79192d26fb5f5817a566e0a7de](https://redirect.github.com/twigphp/Twig/commit/2102dd135986db79192d26fb5f5817a566e0a7de)
- [https://github.com/twigphp/Twig/commit/41103dcdc2daab4c83cdd05b5b4fde5b7e41e635](https://redirect.github.com/twigphp/Twig/commit/41103dcdc2daab4c83cdd05b5b4fde5b7e41e635)
- [https://github.com/twigphp/Twig/commit/7afa198603de49d147e90d18062e7b9addcf5233](https://redirect.github.com/twigphp/Twig/commit/7afa198603de49d147e90d18062e7b9addcf5233)
- [https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2024-45411.yaml](https://redirect.github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2024-45411.yaml)
- [https://github.com/twigphp/Twig](https://redirect.github.com/twigphp/Twig)
- [https://symfony.com/blog/twig-security-release-possible-sandbox-bypass](https://symfony.com/blog/twig-security-release-possible-sandbox-bypass)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-6j75-5wfj-gh66) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

### Twig has unguarded calls to `__isset()` and to array-accesses when the sandbox is enabled

CVE-2024-51755 / GHSA-jjxq-ff2g-95vh

#### Details

##### Description

In a sandbox, an attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property policy and the `__isset()` method is now called after the security check.

**This is a BC break.**

##### Resolution

The sandbox mode now ensures access to array-like's properties is allowed.

The patch for this issue is available [here](https://redirect.github.com/twigphp/Twig/commit/ec39a9dccc5fb4eaaba55e5d79a6f84a8dd8b69d) for the 3.11.x branch, and [here](https://redirect.github.com/twigphp/Twig/commit/b957e5a44cc0075d04ccff52f8fa9d8e6db3e3a0) for the 3.x branch.

##### Credits

We would like to thank Jamie Schouten for reporting the issue and Nicolas Grekas for providing the fix.

#### Severity

- CVSS Score: 2.2 / 10 (Low)
- Vector String: `CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N`

#### References

- [https://github.com/twigphp/Twig/security/advisories/GHSA-jjxq-ff2g-95vh](https://redirect.github.com/twigphp/Twig/security/advisories/GHSA-jjxq-ff2g-95vh)
- [https://nvd.nist.gov/vuln/detail/CVE-2024-51755](https://nvd.nist.gov/vuln/detail/CVE-2024-51755)
- [https://github.com/twigphp/Twig/commit/831c148e786178e5f2fde9db67266be3bf241c21](https://redirect.github.com/twigphp/Twig/commit/831c148e786178e5f2fde9db67266be3bf241c21)
- [https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2024-51755.yaml](https://redirect.github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2024-51755.yaml)
- [https://github.com/twigphp/Twig](https://redirect.github.com/twigphp/Twig)
- [https://symfony.com/blog/unguarded-calls-to-__isset-and-to-array-accesses-when-the-sandbox-is-enabled](https://symfony.com/blog/unguarded-calls-to-__isset-and-to-array-accesses-when-the-sandbox-is-enabled)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-jjxq-ff2g-95vh) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

### Twig has unguarded calls to `__toString()` when nesting an object into an array

CVE-2024-51754 / GHSA-6377-hfv9-hqf6

#### Details

##### Description

In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance).

##### Resolution

The sandbox mode now checks the `__toString()` method call on all objects.

The patch for this issue is available [here](https://redirect.github.com/twigphp/Twig/commit/cafc608ece310e62a35a76f17e25c04ab9ed05cc) for the 3.11.x branch, and [here](https://redirect.github.com/twigphp/Twig/commit/d4a302681bca9f7c6ce2835470d53609cdf3e23e) for the 3.x branch.

##### Credits

We would like to thank Jamie Schouten for reporting the issue and Fabien Potencier for providing the fix.

#### Severity

- CVSS Score: 2.2 / 10 (Low)
- Vector String: `CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N`

#### References

- [https://github.com/twigphp/Twig/security/advisories/GHSA-6377-hfv9-hqf6](https://redirect.github.com/twigphp/Twig/security/advisories/GHSA-6377-hfv9-hqf6)
- [https://nvd.nist.gov/vuln/detail/CVE-2024-51754](https://nvd.nist.gov/vuln/detail/CVE-2024-51754)
- [https://github.com/twigphp/Twig/commit/2bb8c2460a2c519c498df9b643d5277117155a73](https://redirect.github.com/twigphp/Twig/commit/2bb8c2460a2c519c498df9b643d5277117155a73)
- [https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2024-51754.yaml](https://redirect.github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2024-51754.yaml)
- [https://github.com/twigphp/Twig](https://redirect.github.com/twigphp/Twig)
- [https://symfony.com/blog/unguarded-calls-to-__tostring-when-nesting-an-object-into-an-array](https://symfony.com/blog/unguarded-calls-to-__tostring-when-nesting-an-object-into-an-array)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-6377-hfv9-hqf6) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
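All three advisories above concern the Twig sandbox, and the first one only applies when the sandbox is disabled globally and switched on per `include()`. The following PHP script is an added example, not code from this Renovate PR or from the Twig project: it shows a setup for rendering user-contributed templates that enables the sandbox globally behind an explicit allow-list policy and refuses to run on a Twig release older than the 3.11.2 this PR upgrades to. It assumes a Composer-installed Twig 3.x; the template name, the allow-listed tags/filters/functions and the variables are constructed for illustration.

```php
<?php
// Added example (not from the Renovate PR or the Twig project): a hardened
// Twig environment for user-contributed templates, using only the public
// Twig 3.x API. Template, policy and variable names are assumed.

declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// 1. Do not treat the sandbox as a trust boundary on a Twig release older
//    than the 3.11.2 that this PR upgrades to (Environment::VERSION is the
//    installed library version).
if (version_compare(Environment::VERSION, '3.11.2', '<')) {
    throw new RuntimeException(sprintf(
        'twig/twig %s is older than 3.11.2; run "composer update twig/twig" before rendering untrusted templates',
        Environment::VERSION
    ));
}

// 2. An explicit allow-list policy: any tag, filter, method, property or
//    function not named here raises SecurityError inside the sandbox.
//    "escape" must be allowed because autoescaping is implemented as a filter.
$policy = new SecurityPolicy(
    ['if', 'for'],                  // allowed tags
    ['escape', 'upper', 'length'],  // allowed filters
    [],                             // allowed methods  (class => [method, ...]); none here
    [],                             // allowed properties (class => [property, ...]); none here
    ['range']                       // allowed functions
);

// 3. Enable the sandbox globally (second constructor argument = true), so
//    there is never a non-sandboxed context in which a template could be
//    loaded before a sandboxed include() of it.
$twig = new Environment(new ArrayLoader([
    // constructed sample standing in for a user-contributed template
    'user.twig' => 'Hello {{ name|upper }}! You have {{ items|length }} item(s).',
]), [
    'autoescape'       => 'html',
    'strict_variables' => true,
]);
$twig->addExtension(new SandboxExtension($policy, true));

// 4. Render; a SecurityError is an expected, loggable outcome for content
//    that tries something the policy does not allow.
try {
    echo $twig->render('user.twig', ['name' => 'ada', 'items' => [1, 2, 3]]), PHP_EOL;
} catch (SecurityError $e) {
    error_log('Sandbox rejected template: ' . $e->getMessage());
}
```

Two points worth keeping in mind when rolling the upgrade out: the `__isset()` advisory is flagged as a BC break because array-like object attributes are now subject to the property policy, so templates that legitimately read such attributes need those classes and properties added to the allowed-properties argument rather than having the sandbox loosened; and because `__toString()` is now checked on all objects, passing objects into template variables only works when that method is allow-listed for their class.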
## Release Notes

### twigphp/Twig (twig/twig)

#### [`v3.11.2`](https://redirect.github.com/twigphp/Twig/blob/HEAD/CHANGELOG#3112-2024-11-06)

[Compare Source](https://redirect.github.com/twigphp/Twig/compare/v3.11.1...v3.11.2)

- [BC BREAK] Fix a security issue in the sandbox mode allowing an attacker to call attributes on Array-like objects. They are now checked via the property policy
- Fix a security issue in the sandbox mode allowing an attacker to be able to call `toString()` under some circumstances on an object even if the `__toString()` method is not allowed by the security policy

#### [`v3.11.1`](https://redirect.github.com/twigphp/Twig/compare/v3.11.0...v3.11.1)

[Compare Source](https://redirect.github.com/twigphp/Twig/compare/v3.11.0...v3.11.1)

#### [`v3.11.0`](https://redirect.github.com/twigphp/Twig/blob/HEAD/CHANGELOG#3110-2024-08-08)

[Compare Source](https://redirect.github.com/twigphp/Twig/compare/v3.10.3...v3.11.0)

- Deprecate `OptimizerNodeVisitor::OPTIMIZE_RAW_FILTER`
- Add `Twig\Cache\ChainCache` and `Twig\Cache\ReadOnlyFilesystemCache`
- Add the possibility to deprecate attributes and nodes on `Node`
- Add the possibility to add a package and a version to the `deprecated` tag
- Add the possibility to add a package for filter/function/test deprecations
- Mark `ConstantExpression` as being `@final`
- Add the `find` filter
- Fix optimizer mode validation in `OptimizerNodeVisitor`
- Add the possibility to yield from a generator in `PrintNode`
- Add the `shuffle` filter
- Add the `singular` and `plural` filters in `StringExtension`
- Deprecate the second argument of `Twig\Node\Expression\CallExpression::compileArguments()`
- Deprecate `Twig\ExpressionParser\parseHashExpression()` in favor of `Twig\ExpressionParser::parseMappingExpression()`
- Deprecate `Twig\ExpressionParser\parseArrayExpression()` in favor of `Twig\ExpressionParser::parseSequenceExpression()`
- Add `sequence` and `mapping` tests
- Deprecate `Twig\Node\Expression\NameExpression::isSimple()` and `Twig\Node\Expression\NameExpression::isSpecial()`

#### [`v3.10.3`](https://redirect.github.com/twigphp/Twig/blob/HEAD/CHANGELOG#3103-2024-05-16)

[Compare Source](https://redirect.github.com/twigphp/Twig/compare/v3.10.2...v3.10.3)

- Fix missing ; in generated code

#### [`v3.10.2`](https://redirect.github.com/twigphp/Twig/blob/HEAD/CHANGELOG#3102-2024-05-14)

[Compare Source](https://redirect.github.com/twigphp/Twig/compare/v3.10.1...v3.10.2)

- Fix support for the deprecated escaper signature

#### [`v3.10.1`](https://redirect.github.com/twigphp/Twig/blob/HEAD/CHANGELOG#3101-2024-05-12)

[Compare Source](https://redirect.github.com/twigphp/Twig/compare/v3.10.0...v3.10.1)

- Fix BC break on escaper extension
- Fix constant return type

#### [`v3.10.0`](https://redirect.github.com/twigphp/Twig/blob/HEAD/CHANGELOG#3100-2024-05-11)

[Compare Source](https://redirect.github.com/twigphp/Twig/compare/v3.9.3...v3.10.0)

- Make `CoreExtension::formatDate`, `CoreExtension::convertDate`, and `CoreExtension::formatNumber` part of the public API
- Add `needs_charset` option for filters and functions
- Extract the escaping logic from the `EscaperExtension` class to a new `EscaperRuntime` class. The following methods from `Twig\Extension\EscaperExtension` are deprecated: `setEscaper()`, `getEscapers()`, `setSafeClasses`, `addSafeClasses()`. Use the same methods on the `Twig\Runtime\EscaperRuntime` class instead.
- Fix capturing output from extensions that still use echo
- Fix a PHP warning in the Lexer on malformed templates
- Fix blocks not available under some circumstances
- Synchronize source context in templates when setting a Node on a Node

#### [`v3.9.3`](https://redirect.github.com/twigphp/Twig/blob/HEAD/CHANGELOG#393-2024-04-18)

[Compare Source](https://redirect.github.com/twigphp/Twig/compare/v3.9.2...v3.9.3)

- Add missing `twig_escape_filter_is_safe` deprecated function
- Fix yield usage with CaptureNode
- Add missing unwrap call when using a TemplateWrapper instance internally
- Ensure Lexer is initialized early on

#### [`v3.9.2`](https://redirect.github.com/twigphp/Twig/blob/HEAD/CHANGELOG#392-2024-04-17)

[Compare Source](https://redirect.github.com/twigphp/Twig/compare/v3.9.1...v3.9.2)

- Fix usage of display_end hook

#### [`v3.9.1`](https://redirect.github.com/twigphp/Twig/blob/HEAD/CHANGELOG#391-2024-04-17)

[Compare Source](https://redirect.github.com/twigphp/Twig/compare/v3.9.0...v3.9.1)

- Fix missing `$blocks` variable in `CaptureNode`

#### [`v3.9.0`](https://redirect.github.com/twigphp/Twig/blob/HEAD/CHANGELOG#390-2024-04-16)

[Compare Source](https://redirect.github.com/twigphp/Twig/compare/v3.8.0...v3.9.0)

- Add support for PHP 8.4
- Deprecate AbstractNodeVisitor
- Deprecate passing Template to Environment::resolveTemplate(), Environment::load(), and Template::loadTemplate()
- Add a new "yield" mode for output generation; Node implementations that use "echo" or "print" should use "yield" instead; all Node implementations should be flagged with `#[YieldReady]` once they've been made ready for "yield"; the "use_yield" Environment option can be turned on when all nodes have been made `#[YieldReady]`; "yield" will be the only strategy supported in the next major version
- Add return type for Symfony 7 compatibility
- Fix premature loop exit in Security Policy lookup of allowed methods/properties
- Deprecate all internal extension functions in favor of methods on the extension classes
- Mark all extension functions as `@internal`
- Add SourcePolicyInterface to selectively enable the Sandbox based on a template's Source
- Throw a proper Twig exception when using cycle on an empty array

#### [`v3.8.0`](https://redirect.github.com/twigphp/Twig/blob/HEAD/CHANGELOG#380-2023-11-21)

[Compare Source](https://redirect.github.com/twigphp/Twig/compare/v3.7.1...v3.8.0)

- Catch errors thrown during template rendering
- Fix IntlExtension::formatDateTime use of date formatter prototype
- Fix premature loop exit in Security Policy lookup of allowed methods/properties
- Remove NumberFormatter::TYPE_CURRENCY (deprecated in PHP 8.3)
- Restore return type annotations
- Allow Symfony 7 packages to be installed
- Deprecate `twig_test_iterable` function. Use the native `is_iterable` instead.
## Configuration

- 📅 Schedule: Branch creation - "" in timezone Europe/Amsterdam, Automerge - At any time (no schedule defined).
- 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
- ♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
- 🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.