Make the sandbox a first-class citizen with a dedicated Sandbox class#4854
Open
fabpot wants to merge 1 commit into
Open
Make the sandbox a first-class citizen with a dedicated Sandbox class#4854fabpot wants to merge 1 commit into
fabpot wants to merge 1 commit into
Conversation
|
📋 PR Summary This PR refactors Twig's sandbox into a first-class citizen by introducing a dedicated Changes
|
There was a problem hiding this comment.
📋 Upsun Dispatch Review: full · 26 files reviewed · no issues found
Review details
Commit: Commit ac46f0a
Model: claude-opus-4-8
Panel: security · correctness · robustness · design
ac46f0a to
34a32bb
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
I've been thinking about making the sabdbox feature as a first class citizen for years. With all the work that has been done recently on security issues, I spent some time on it again. Here is the result.
The main ideas:
SandboxExtensionis registered on the environmen directly, so it instruments all compiled template, and adds runtime checks to all renders, trusted or not. As recommended in the docs, you should have a dedicated environment for sandboxes, different from the main one, but it's not really "enforced" nor natural to do.enableSandbox()/disableSandbox()with try/finally patterns scattered across the codebase to support rendering sandboxed and non-sandboxed templates from a environment.includeanything the loader can load, sees every application global, and inherits all extensions, this is a footgun (again, already not recommended in the docs).enableSandbox(),{% include(..., sandboxed: true) %}, and{% sandbox %}.The new
Twig\Sandbox\Sandboxclass renders untrusted templates through a dedicated, always-sandboxed environment crafted by the developer. Taht way, there is no state to toggle and nothing leaks between the main environment and the sandbox, in either direction.