Remove project path in twig label error messages to prevent information leakage

2025-07-13 03:44:36 +02:00 · 2024-08-23 22:28:29 +02:00 · 2024-08-23 22:28:29 +02:00 · 5231dbd6e7
commit 5231dbd6e7
parent 77671550a7
4 changed files with 66 additions and 2 deletions
--- a/src/Controller/AdminPages/BaseAdminController.php
+++ b/src/Controller/AdminPages/BaseAdminController.php
@ -217,7 +217,7 @@ abstract class BaseAdminController extends AbstractController
            try {
                $pdf_data = $this->labelGenerator->generateLabel($entity->getOptions(), $example);
            } catch (TwigModeException $exception) {
-                $form->get('options')->get('lines')->addError(new FormError($exception->getMessage()));
+                $form->get('options')->get('lines')->addError(new FormError($exception->getSafeMessage()));
            }
        }

--- a/src/Controller/LabelController.php
+++ b/src/Controller/LabelController.php
@ -117,7 +117,7 @@ class LabelController extends AbstractController
                    $pdf_data = $this->labelGenerator->generateLabel($form_options, $targets);
                    $filename = $this->getLabelName($targets[0], $profile);
                } catch (TwigModeException $exception) {
-                    $form->get('options')->get('lines')->addError(new FormError($exception->getMessage()));
+                    $form->get('options')->get('lines')->addError(new FormError($exception->getSafeMessage()));
                }
            } else {
                //$this->addFlash('warning', 'label_generator.no_entities_found');
--- a/src/Exceptions/TwigModeException.php
+++ b/src/Exceptions/TwigModeException.php
@ -46,8 +46,23 @@ use Twig\Error\Error;

 class TwigModeException extends RuntimeException
 {
+    private const PROJECT_PATH = __DIR__ . '/../../';
+
    public function __construct(?Error $previous = null)
    {
        parent::__construct($previous->getMessage(), 0, $previous);
    }
+
+    /**
+     * Returns the message of this exception, where it is tried to remove any sensitive information (like filepaths).
+     * @return string
+     */
+    public function getSafeMessage(): string
+    {
+        //Resolve project root path
+        $projectPath = realpath(self::PROJECT_PATH);
+
+        //Remove occurrences of the project path from the message
+        return str_replace($projectPath, '[Part-DB Root Folder]', $this->getMessage());
+    }
 }