CVE-2023-34253: Fixed Twig `|filter()` allowing code execution · getgrav/grav@9d6a2db
Grav is a file-based Web platform. Prior to version 1.7.42, the denylist introduced in commit 9d6a2d to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily subverted in multiple ways – (1) using unsafe functions that are not banned, (2) using capitalised callable names, and (3) using fully-qualified names for referencing callables. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution. A patch in version 1.7.42 improves the denylist.
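The three bypass classes the advisory lists all come down to how the callable name is compared before it is handed to PHP. As an added example, not code from Grav or from the reporter, the stand-alone PHP script below contrasts a naive exact-match denylist with a check that canonicalises the name the way PHP itself resolves callables, and with an allowlist. `DENYLIST`, `ALLOWLIST`, `naiveIsDangerous()`, `hardenedIsDangerous()`, `allowlistPermits()` and the probe inputs are assumptions chosen here for illustration; Grav's real check, `Utils::isDangerousFunction()`, is not shown on this page.

```php
<?php
declare(strict_types=1);

// Added example, not Grav's code. Shows why a callable-name denylist must
// normalise its input the way PHP resolves callables, and why a denylist
// still cannot close bypass (1) from the advisory (unlisted functions).
// All names and list contents below are illustrative assumptions.

const DENYLIST = ['system', 'exec', 'shell_exec', 'passthru', 'proc_open', 'popen'];

// Naive check: exact, case-sensitive comparison. This is the shape of check
// the advisory describes as subvertible.
function naiveIsDangerous(string $callable): bool
{
    return in_array($callable, DENYLIST, true);
}

// Canonical form of a plain-function callable string, mirroring PHP's own
// rules: function names are case-insensitive, and a leading backslash is
// just the fully-qualified spelling of the same global function.
function canonicalFunctionName(string $callable): string
{
    return strtolower(ltrim($callable, '\\'));
}

// Hardened denylist check. Only plain function names are compared against
// the list; anything else (static-method strings, array callables, invokable
// objects) is refused because the list says nothing about them. Closures are
// allowed: a Twig arrow expression compiles to a closure, which is the
// intended use of |filter.
function hardenedIsDangerous($callable): bool
{
    if ($callable instanceof \Closure) {
        return false;
    }
    if (!is_string($callable)) {
        return true;
    }
    $name = canonicalFunctionName($callable);
    if ($name === '' || strpos($name, '::') !== false) {
        return true;
    }
    return in_array($name, DENYLIST, true);
}

// Allowlist alternative: the only design that also covers bypass (1),
// because a function the list does not mention is refused by default.
const ALLOWLIST = ['trim', 'strtolower', 'strtoupper', 'intval', 'is_numeric'];

function allowlistPermits($callable): bool
{
    if ($callable instanceof \Closure) {
        return true;
    }
    return is_string($callable)
        && in_array(canonicalFunctionName($callable), ALLOWLIST, true);
}

// Constructed probes covering the bypass classes the advisory names:
// (1) unlisted function, (2) capitalised name, (3) fully-qualified name,
// plus an array callable that a string-only check never sees.
$probes = ['system', 'SYSTEM', '\\system', 'Shell_Exec', 'pcntl_exec', ['SomeClass', 'run'], 'trim'];

printf("%-22s %-6s %-9s %s\n", 'callable', 'naive', 'hardened', 'allowlist');
foreach ($probes as $probe) {
    $label = is_array($probe) ? '[' . implode(', ', $probe) . ']' : $probe;
    $naive = is_string($probe) ? naiveIsDangerous($probe) : null;
    printf(
        "%-22s %-6s %-9s %s\n",
        $label,
        $naive === null ? 'n/a' : ($naive ? 'deny' : 'ALLOW'),
        hardenedIsDangerous($probe) ? 'deny' : 'ALLOW',
        allowlistPermits($probe) ? 'ALLOW' : 'deny'
    );
}
```

Run it with `php` on the command line. The naive column lets the capitalised and backslash-prefixed spellings through, the hardened column catches both but still passes the unlisted function, and only the allowlist refuses that one too; that last row is the reason the advisory calls a denylist "insufficient" rather than merely incomplete.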
@@ -9,6 +9,7 @@
namespace Grav\Common\Twig\Extension;
use CallbackFilterIterator;
use Cron\CronExpression;
use Grav\Common\Config\Config;
use Grav\Common\Data\Data;
@@ -41,6 +42,7 @@
use RocketTheme\Toolbox\ResourceLocator\UniformResourceLocator;
use Traversable;
use Twig\Environment;
use Twig\Error\RuntimeError;
use Twig\Extension\AbstractExtension;
use Twig\Extension\GlobalsInterface;
use Twig\Loader\FilesystemLoader;
@@ -167,6 +169,9 @@ public function getFilters(): array
// PHP methods
new TwigFilter('count’, ‘count’),
new TwigFilter('array_diff’, ‘array_diff’),
// Security fix
new TwigFilter('filter’, [$this, ‘filterFilter’], [‘needs_environment’ => true]),
];
}
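Review bot: The `// Security fix` comment above the `filter` registration should name the advisory (CVE-2023-34253) and state what the override does, namely that `filterFilter` denylists the arrow before delegating to `\twig_array_filter`; without that, the next reader cannot tell why Grav shadows a core Twig filter here. `'needs_environment' => true` is required, since `\twig_array_filter` takes the `Environment` as its first argument. Only `filter` is overridden in this hunk; any other filter in this extension that hands a string arrow to a PHP callable needs the same guard, or the bypass simply moves.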
@@ -1676,4 +1681,20 @@ public function ofTypeFunc($var, $typeTest = null, $className = null)
return is_string($var);
}
}
/**
* @param Environment $env
* @param array $array
* @param callable|string $arrow
* @return array|CallbackFilterIterator
* @throws RuntimeError
*/
function filterFilter(Environment $env, $array, $arrow)
{
if (is_string($arrow) && Utils::isDangerousFunction($arrow)) {
throw new RuntimeError(‘Twig |filter("’ . $arrow . ‘") is not allowed.’);
}
return \twig_array_filter($env, $array, $arrow);
}
}
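Review bot: The guard in `filterFilter` only runs when `is_string($arrow)`; an arrow that is neither a string nor a `\Closure` (for example an array callable such as `['Class', 'method']`) skips `Utils::isDangerousFunction` and is passed straight to `\twig_array_filter`. Rejecting anything that is not a string or a `\Closure` closes that gap. Because the advisory lists capitalised and fully-qualified names as bypasses, `Utils::isDangerousFunction` (not in this diff) must compare a canonical form, such as `strtolower(ltrim($arrow, '\\'))`, rather than the raw string, or this check inherits the same bypasses. Minor: the method has no visibility keyword and no return type; `public function filterFilter(Environment $env, $array, $arrow)` with a declared return type would match the surrounding methods such as `public function ofTypeFunc`.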
Related news
Hi, actually we have sent the bug report to [email protected] on 27th March 2023 and on 10th April 2023.

# Grav Server-side Template Injection (SSTI) via Denylist Bypass Vulnerability

## Summary:

| **Product** | Grav CMS |
| ----------------------- | --------------------------------------------- |
| **Vendor** | Grav |
| **Severity** | High - Users with login access to Grav Admin panel and page creation/update permissions are able to obtain remote code/command execution |
| **Affected Versions** | <= [v1.7.40](https://github.com/getgrav/grav/tree/1.7.40) (Commit [685d762](https://github.com/getgrav/grav/commit/685d76231a057416651ed192a6a2e83720800e61)) (Latest version as of writing) |
| **Tested Versions** | v1.7.40 |
| **Internal Identifier** | STAR-2023-0006 |
| **CVE Identifier** | R...