Cutlery/invoiceninja
1
0
Fork 0
mirror of https://github.com/invoiceninja/invoiceninja.git synced 2025-07-09 03:14:30 -04:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #9525 from turbo124/v5-develop

Browse Source 
Add twig security policy by default
This commit is contained in:
David Bomba 2024-05-16 10:21:59 +10:00 committed by GitHub
commit 16138adaa7
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 36 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
app/Export/CSV/ProductSalesExport.php
View File

@ -146,9 +146,15 @@ class ProductSalesExport extends BaseExport
->each(function ($invoice) use($product_keys) { ->each(function ($invoice) use($product_keys) {
foreach ($invoice->line_items as $item) { foreach ($invoice->line_items as $item) {
if($product_keys && in_array($item->product_key, $product_keys)) if($product_keys)
{
if(in_array($item->product_key, $product_keys))
$this->csv->insertOne($this->buildRow($invoice, $item)); $this->csv->insertOne($this->buildRow($invoice, $item));
}
else {
$this->csv->insertOne($this->buildRow($invoice, $item));
}
} }
}); });

8
app/Filters/InvoiceFilters.php
View File

@ -227,7 +227,13 @@ class InvoiceFilters extends QueryFilters
if (is_numeric($date)) { if (is_numeric($date)) {
$date = Carbon::createFromTimestamp((int)$date); $date = Carbon::createFromTimestamp((int)$date);
} else { } else {
$date = Carbon::parse($date);
try{
$date = Carbon::parse($date);
}
catch(\Exception $e){
return $this->builder;
}
} }
return $this->builder->where('date', '>=', $date); return $this->builder->where('date', '>=', $date);

11
app/Helpers/Epc/EpcQrGenerator.php
View File

@ -82,13 +82,22 @@ class EpcQrGenerator
$this->company->present()->name(), $this->company->present()->name(),
isset($this->company?->custom_fields?->company1) ? $this->company->settings->custom_value1 : '', isset($this->company?->custom_fields?->company1) ? $this->company->settings->custom_value1 : '',
$this->formatMoney($this->amount), $this->formatMoney($this->amount),
$this->sepa['purpose'], $this->getPurposeCode(),
substr($this->invoice->number, 0, 34), substr($this->invoice->number, 0, 34),
'', '',
' ' ' '
]), "\n"); ]), "\n");
} }
private function getPurposeCode(): string
{
if(isset($this->invoice->client->id_number) && strlen($this->invoice->client->id_number) > 2)
return $this->invoice->client->id_number;
return $this->sepa['purpose'];
}
private function validateFields() private function validateFields()
{ {
if (Ninja::isSelfHost() && isset($this->company?->custom_fields?->company2)) { if (Ninja::isSelfHost() && isset($this->company?->custom_fields?->company2)) {

2
app/Http/Requests/Company/UpdateCompanyRequest.php
View File

@ -137,7 +137,7 @@ class UpdateCompanyRequest extends Request
} }
if (isset($settings['email_style_custom'])) { if (isset($settings['email_style_custom'])) {
$settings['email_style_custom'] = str_replace(['{!!','!!}','{{','}}','@dd', '@dump', '@if', '@if(','@endif','@isset','@unless','@auth','@empty','@guest','@env','@section','@switch', '@foreach', '@while', '@include', '@each', '@once', '@push', '@use', '@forelse', '@verbatim', '<?php', '@php', '@for','@class','</s','<s','html;base64'], '', $settings['email_style_custom']); $settings['email_style_custom'] = str_replace(['{!!','!!}','{{','}}','@checked','@dd', '@dump', '@if', '@if(','@endif','@isset','@unless','@auth','@empty','@guest','@env','@section','@switch', '@foreach', '@while', '@include', '@each', '@once', '@push', '@use', '@forelse', '@verbatim', '<?php', '@php', '@for','@class','</sc','<sc','html;base64', '@elseif', '@else', '@endunless', '@endisset', '@endempty', '@endauth', '@endguest', '@endproduction', '@endenv', '@hasSection', '@endhasSection', '@sectionMissing', '@endsectionMissing', '@endfor', '@endforeach', '@empty', '@endforelse', '@endwhile', '@continue', '@break', '@includeIf', '@includeWhen', '@includeUnless', '@includeFirst', '@component', '@endcomponent', '@endsection', '@yield', '@show', '@append', '@overwrite', '@stop', '@extends', '@endpush', '@stack', '@prepend', '@endprepend', '@slot', '@endslot', '@endphp', '@method', '@csrf', '@error', '@enderror', '@json', '@endverbatim', '@inject'], '', $settings['email_style_custom']);
} }
if(isset($settings['company_logo']) && strlen($settings['company_logo']) > 2) if(isset($settings['company_logo']) && strlen($settings['company_logo']) > 2)

26
app/Services/Template/TemplateService.php
View File

@ -100,6 +100,7 @@ class TemplateService
$this->twig->addExtension(new IntlExtension()); $this->twig->addExtension(new IntlExtension());
$this->twig->addExtension(new \Twig\Extension\DebugExtension()); $this->twig->addExtension(new \Twig\Extension\DebugExtension());
$function = new \Twig\TwigFunction('img', function ($string, $style = '') { $function = new \Twig\TwigFunction('img', function ($string, $style = '') {
return '<img src="' . $string . '" style="' . $style . '"></img>'; return '<img src="' . $string . '" style="' . $style . '"></img>';
}); });
@ -122,25 +123,14 @@ class TemplateService
$this->twig->addFilter($filter); $this->twig->addFilter($filter);
$filter = new \Twig\TwigFilter('filter', function ($array, $arrow){ $allowedTags = ['if', 'for', 'set', 'filter'];
$allowedFilters = ['escape', 'e', 'upper', 'lower', 'capitalize', 'filter', 'length', 'merge','format_currency','map', 'join', 'first', 'date','sum'];
$allowedFunctions = ['range', 'cycle', 'constant', 'date',];
$allowedProperties = [];
$allowedMethods = ['img','t'];
if(is_string($arrow) && in_array($arrow, ['popen','exec','shell_exec','system','passthru','proc_open','pcntl_exec','sleep','escapeshellcmd','escapeshellarg'])) $policy = new \Twig\Sandbox\SecurityPolicy($allowedTags, $allowedFilters, $allowedFunctions, $allowedProperties, $allowedMethods);
throw new RuntimeError("Attempt to access command line"); $this->twig->addExtension(new \Twig\Extension\SandboxExtension($policy, true));
if (!is_iterable($array)) {
throw new RuntimeError(sprintf('The "filter" filter expects an array or "Traversable", got "%s".', \is_object($array) ? \get_class($array) : \gettype($array)));
}
if (\is_array($array)) {
return array_filter($array, $arrow, \ARRAY_FILTER_USE_BOTH);
}
// the IteratorIterator wrapping is needed as some internal PHP classes are \Traversable but do not implement \Iterator
return new \CallbackFilterIterator(new \IteratorIterator($array), $arrow);
});
$this->twig->addFilter($filter);
return $this; return $this;
} }

2
app/Utils/TemplateEngine.php
View File

@ -255,7 +255,7 @@ class TemplateEngine
/*If no custom design exists, send back a blank!*/ /*If no custom design exists, send back a blank!*/
if (strlen($wrapper) > 1) { if (strlen($wrapper) > 1) {
$wrapper = $this->renderView($wrapper, $data); // $wrapper = $this->renderView($wrapper, $data);
} else { } else {
$wrapper = ''; $wrapper = '';
} }

1
app/Utils/Traits/MakesInvoiceHtml.php
View File

@ -36,6 +36,7 @@ trait MakesInvoiceHtml
* @param string $string The Blade file string * @param string $string The Blade file string
* @param array $data The array of template variables * @param array $data The array of template variables
* @return string The return HTML string * @return string The return HTML string
* @deprecated // not needed!
* @throws FatalThrowableError * @throws FatalThrowableError
*/ */
public function renderView($string, $data = []): string public function renderView($string, $data = []): string