From 5231dbd6e77627f63bcb5456195be2e4d8696be8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20B=C3=B6hmer?=
Date: Fri, 23 Aug 2024 22:28:29 +0200
Subject: [PATCH] Remove project path in twig label error messages to prevent information leakage
---
 .../AdminPages/BaseAdminController.php | 2 +-
 src/Controller/LabelController.php | 2 +-
 src/Exceptions/TwigModeException.php | 15 ++++++
 tests/Exceptions/TwigModeExceptionTest.php | 49 +++++++++++++++++++
 4 files changed, 66 insertions(+), 2 deletions(-)
 create mode 100644 tests/Exceptions/TwigModeExceptionTest.php
diff --git a/src/Controller/AdminPages/BaseAdminController.php b/src/Controller/AdminPages/BaseAdminController.php
index e214cb83..3c219e29 100644
--- a/src/Controller/AdminPages/BaseAdminController.php
+++ b/src/Controller/AdminPages/BaseAdminController.php
@@ -217,7 +217,7 @@ abstract class BaseAdminController extends AbstractController
 try {
 $pdf_data = $this->labelGenerator->generateLabel($entity->getOptions(), $example);
 } catch (TwigModeException $exception) {
- $form->get('options')->get('lines')->addError(new FormError($exception->getMessage()));
+ $form->get('options')->get('lines')->addError(new FormError($exception->getSafeMessage()));
 }
 }
diff --git a/src/Controller/LabelController.php b/src/Controller/LabelController.php
index ab38e49f..d1bcfdbf 100644
--- a/src/Controller/LabelController.php
+++ b/src/Controller/LabelController.php
@@ -117,7 +117,7 @@ class LabelController extends AbstractController
 $pdf_data = $this->labelGenerator->generateLabel($form_options, $targets);
 $filename = $this->getLabelName($targets[0], $profile);
 } catch (TwigModeException $exception) {
- $form->get('options')->get('lines')->addError(new FormError($exception->getMessage()));
+ $form->get('options')->get('lines')->addError(new FormError($exception->getSafeMessage()));
 }
 } else {
 //$this->addFlash('warning', 'label_generator.no_entities_found');
diff --git a/src/Exceptions/TwigModeException.php b/src/Exceptions/TwigModeException.php
index adcc86aa..b76d14d3 100644
--- a/src/Exceptions/TwigModeException.php
+++ b/src/Exceptions/TwigModeException.php
@@ -46,8 +46,23 @@ use Twig\Error\Error;
 class TwigModeException extends RuntimeException
 {
+ private const PROJECT_PATH = __DIR__ . '/../../';
+
 public function __construct(?Error $previous = null)
 {
 parent::__construct($previous->getMessage(), 0, $previous);
 }
+
+ /**
+ * Returns the message of this exception, where it is tried to remove any sensitive information (like filepaths).
+ * @return string
+ */
+ public function getSafeMessage(): string
+ {
+ //Resolve project root path
+ $projectPath = realpath(self::PROJECT_PATH);
+
+ //Remove occurrences of the project path from the message
+ return str_replace($projectPath, '[Part-DB Root Folder]', $this->getMessage());
+ }
 }
diff --git a/tests/Exceptions/TwigModeExceptionTest.php b/tests/Exceptions/TwigModeExceptionTest.php
new file mode 100644
index 00000000..c5a8ef94
--- /dev/null
+++ b/tests/Exceptions/TwigModeExceptionTest.php
@@ -0,0 +1,49 @@
+.
+ */
+
+namespace App\Tests\Exceptions;
+
+use App\Exceptions\TwigModeException;
+use PHPUnit\Framework\TestCase;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+use Twig\Error\Error;
+
+class TwigModeExceptionTest extends KernelTestCase
+{
+
+ private string $projectPath;
+
+ public function setUp(): void
+ {
+ self::bootKernel();
+
+ $this->projectPath = self::getContainer()->getParameter('kernel.project_dir');
+ }
+
+ public function testGetSafeMessage(): void
+ {
+ $testException = new Error("Error at : " . $this->projectPath . "/src/dir/path/file.php");
+
+ $twigModeException = new TwigModeException($testException);
+
+ $this->assertSame("Error at : " . $this->projectPath . "/src/dir/path/file.php", $testException->getMessage());
+ $this->assertSame("Error at : [Part-DB Root Folder]/src/dir/path/file.php", $twigModeException->getSafeMessage());
+ }
+}
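Review bot: `realpath(self::PROJECT_PATH)` in getSafeMessage() can return `false` (the constant is `__DIR__ . '/../../'`, so only an unreadable or relocated tree would trigger it), and a `false` needle either raises a TypeError under strict_types or is coerced to an empty string that `str_replace()` ignores, so the exact leak this commit closes would silently reappear; keep a string fallback, e.g. `$projectPath = realpath(self::PROJECT_PATH) ?: rtrim(self::PROJECT_PATH, '/');`. Passing an array of needles would additionally mask the unresolved `__DIR__/../..` spelling, though whether Twig ever emits the path in that form is not visible here. Only the root prefix is redacted, so the template-relative path and line number that Twig appends stay in the message shown on the form; that is a deliberate trade-off worth stating in the docblock, e.g. `Only the absolute project root is masked; template-relative paths and line numbers remain visible.`, while the `@return string` line merely restates the native type and can go. The constructor in this hunk is unchanged context, but it dereferences `$previous`, which its signature allows to be null.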
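Review bot: `use PHPUnit\Framework\TestCase;` in the new test file is imported but never referenced, since the class extends KernelTestCase; drop the line. `setUp()` is declared `public` while PHPUnit declares it `protected function setUp(): void`; matching the parent visibility is the conventional form. The single case only checks a message that starts with the project path once; adding a message with no path at all, e.g. `self::assertSame('plain message', (new TwigModeException(new Error('plain message')))->getSafeMessage());`, would pin that unrelated text passes through untouched, and one with the path twice would confirm every occurrence is masked. Booting the full kernel just to read `kernel.project_dir` is a reasonable way to check that the exception's own constant resolves to the same directory, and a comment saying so, `// kernel.project_dir must equal TwigModeException::PROJECT_PATH after realpath()`, would make that intent explicit. As shown on this page the hunk begins with `+.`, so the license header above it was lost in extraction and the file's first lines are not reviewable here.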