commit 2cd57ec7508cf6a4547010c97394f638ce56c8a8
parent 1138a3f1db019f5bea4074993135d0016e37df7a
Author: Jan Dankert <develop@jandankert.de>
Date: Mon, 27 Jun 2022 01:11:02 +0200
New: Secure Flag for Script Interpreter which is enabled by default.
Diffstat:
5 files changed, 38 insertions(+), 11 deletions(-)
diff --git a/modules/cms/generator/TemplateGenerator.class.php b/modules/cms/generator/TemplateGenerator.class.php
@@ -133,7 +133,7 @@ class TemplateGenerator
$templateParser = new DslTemplate();
$templateParser->parseTemplate($src);
if ($templateParser->tagsFound) {
- $executor = new DslInterpreter( DslInterpreter::FLAG_THROW_ERROR );
+ $executor = new DslInterpreter( DslInterpreter::FLAG_THROW_ERROR + DslInterpreter::FLAG_SECURE );
$executor->addContext([
'console' => new DslConsole(),
'cms' => new DslCms(),
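Review bot: The two flags on the new line are combined with `+`, which is integer addition rather than a bit-OR; if the value passed in ever already contains FLAG_SECURE or FLAG_THROW_ERROR, the sum carries into a neighbouring flag bit and silently turns a different option on or off. Use `new DslInterpreter( DslInterpreter::FLAG_THROW_ERROR | DslInterpreter::FLAG_SECURE );` here. The same `+` appears in both ValueGenerator hunks and in the constructor default of DslInterpreter (`self::FLAG_SHOW_ERROR + self::FLAG_SECURE`), which should read `self::FLAG_SHOW_ERROR | self::FLAG_SECURE`.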
diff --git a/modules/cms/generator/ValueGenerator.class.php b/modules/cms/generator/ValueGenerator.class.php
@@ -800,7 +800,7 @@ class ValueGenerator extends BaseGenerator
break;
case self::CODE_SCRIPT:
- $executor = new DslInterpreter(DslInterpreter::FLAG_THROW_ERROR );
+ $executor = new DslInterpreter(DslInterpreter::FLAG_THROW_ERROR + DslInterpreter::FLAG_SECURE );
$executor->addContext( [
'console' => new DslConsole(),
'cms' => new DslCms(),
@@ -1188,7 +1188,7 @@ class ValueGenerator extends BaseGenerator
*/
protected function filterValue( $inhalt, $code)
{
- $executor = new DslInterpreter(DslInterpreter::FLAG_THROW_ERROR );
+ $executor = new DslInterpreter(DslInterpreter::FLAG_THROW_ERROR + DslInterpreter::FLAG_SECURE );
$executor->addContext( [
'page' => new DslObject( (new BaseObject($this->context->pageContext->objectId))->load() ),
diff --git a/modules/dsl/ast/DslProperty.class.php b/modules/dsl/ast/DslProperty.class.php
@@ -5,6 +5,7 @@ namespace dsl\ast;
use cms\generator\dsl\DslObject;
use dsl\context\Scriptable;
use dsl\DslRuntimeException;
+use dsl\executor\DslInterpreter;
class DslProperty implements DslStatement
{
@@ -43,8 +44,8 @@ class DslProperty implements DslStatement
$objectContext[ $method ] = function() use ($method, $object) {
// For Security: Do not expose all available objects, they must implement a marker interface.
- if ( ! $object instanceof Scriptable )
- throw new DslRuntimeException('security: Object '.get_class($object).' is not scriptable and therefore not available in script context');
+ if ( DslInterpreter::isSecure() && ! $object instanceof Scriptable )
+ throw new DslRuntimeException('Object '.get_class($object).' is not marked as scriptable and therefore not available in secure mode');
return call_user_func_array( array($object,$method),func_get_args() );
};
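Review bot: The Scriptable check is now skipped whenever `DslInterpreter::isSecure()` returns false, and that value is a class-wide static written by whichever DslInterpreter was constructed most recently (see the DslInterpreter hunk), not by the interpreter that executes this closure. Because the closure reads the flag at call time, any code path in the same request that constructs an interpreter without FLAG_SECURE — the constructor accepts arbitrary `$flags` — disables the exposure check for every script executed afterwards, including ones run through an interpreter that asked for secure mode; whether such a call site exists outside this diff cannot be seen from here. If a non-secure mode is genuinely needed, carry the flag on the interpreter instance and hand it to the context when this closure is built (e.g. a `use ($method, $object, $secure)` capture), so the decision is bound to the executing interpreter rather than process-wide state; otherwise keeping the check unconditional as before is the safer default. The enclosing method starts and ends outside the hunk.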
diff --git a/modules/dsl/context/BaseScriptableObject.class.php b/modules/dsl/context/BaseScriptableObject.class.php
@@ -7,12 +7,26 @@ use dsl\standard\Helper;
class BaseScriptableObject implements Scriptable
{
-
+ /**
+ * Standard String representation of a Scriptable Object.
+ * This object becomes "Stringable".
+ * This string may be used in userscripts, if the object is used as a string, maybe by mistake.
+ *
+ * This method may be overwritten by subclasses.
+ *
+ * @return string
+ */
public function __toString()
{
return "Script object";
}
+
+ /**
+ * a useful help function which outputs all properties and methods of this objects.
+ *
+ * @return string a short info about this object
+ */
public function help()
{
return Helper::getHelp($this);
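Review bot: The new help() docblock says the method "outputs" the properties and methods, but the method prints nothing and returns the string from `Helper::getHelp($this)`; suggest ` * Returns a short description of the properties and methods of this object, for use from user scripts.` Both new docblocks declare `@return string` while neither `__toString()` nor `help()` carries a native return type; `public function __toString(): string` and `public function help(): string` would let the engine enforce what the docblocks promise, provided the project's minimum PHP version allows return types. The class body continues outside the hunk.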
diff --git a/modules/dsl/executor/DslInterpreter.class.php b/modules/dsl/executor/DslInterpreter.class.php
@@ -28,15 +28,20 @@ class DslInterpreter
private $writer;
private $flags;
- const FLAG_SHOW_ERROR = 1;
- const FLAG_SHOW_TRACE = 2;
- const FLAG_THROW_ERROR = 4;
- const FLAG_DEBUG = 8;
+ const FLAG_SHOW_ERROR = 1;
+ const FLAG_SHOW_TRACE = 2;
+ const FLAG_THROW_ERROR = 4;
+ const FLAG_DEBUG = 8;
+ const FLAG_SECURE = 16;
- public function __construct( $flags = self::FLAG_SHOW_ERROR )
+ private static $secure = true;
+
+ public function __construct( $flags = self::FLAG_SHOW_ERROR + self::FLAG_SECURE )
{
$this->flags = $flags;
+ self::$secure = boolval($this->flags & self::FLAG_SECURE );
+
// Standard-Globals
$this->addContext( [
'System'=> new System(),
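Review bot: `self::$secure` is a class-wide static that the constructor overwrites on every instantiation, so the mode reported by `DslInterpreter::isSecure()` is that of the last interpreter constructed, not of the one running the script; two interpreters with different flags alive in one request silently share the later one's setting, and a non-secure one constructed last removes the Scriptable check for the secure one. A per-instance property is the safe shape: `private $secure;` initialised with `$this->secure = (bool)($this->flags & self::FLAG_SECURE);` and a non-static `isSecure()`, with the interpreter (or the bool) handed to the context objects that need it. The `true` initialiser on the static is also misleading, since it is replaced on the first construction regardless of the flags passed. The constructor body continues outside the hunk.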
@@ -106,4 +111,11 @@ class DslInterpreter
return $this->writer->buffer;
}
+
+ /**
+ * @return bool
+ */
+ public static function isSecure() {
+ return self::$secure;
+ }
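Review bot: The docblock on isSecure() says only `@return bool`, which tells a caller nothing about what the value means or where it comes from. Suggest ` * Whether scripts run in secure mode: when true, DslProperty exposes only objects that implement Scriptable. Reflects the FLAG_SECURE bit of the most recently constructed interpreter.` so that readers of the check in DslProperty know which interpreter's flags they are relying on.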
}
\ No newline at end of file