PHPackages: ysaxon/pyrocms-ssti-fix (Templating &amp; Views)

ysaxon/pyrocms-ssti-fix
=======================

Security fix for PyroCMS SSTI vulnerability (CVE-2023-29689). Applies Twig sandbox to user-editable templates.

v0.1.2 (released 4mo ago) · MIT · PHP ^7.4 || ^8.0

Listed since Jan 9 · pushed 4mo ago

[Source](https://github.com/YSaxon/pyrocms-ssti-fix) · [Packagist](https://packagist.org/packages/ysaxon/pyrocms-ssti-fix) · branch master, synced 1mo ago

🛡️ PyroCMS SSTI Fix
===================

**Drop-in security fix for CVE-2023-29689** - Server-Side Template Injection leading to Remote Code Execution in PyroCMS 3.9.

The Problem
-----------

PyroCMS allows admin users to edit templates stored in the database. Without sandboxing, attackers with admin access can inject malicious Twig code:

```
{{['id']|map('system')|join}}
```

This executes arbitrary system commands. The upstream maintainers consider this "working as intended" since admin users are trusted - but in multi-tenant or enterprise environments, "admin" ≠ "trusted with shell access".

The Solution
------------

This package automatically sandboxes user-editable templates while leaving legitimate theme/addon templates unrestricted. It uses Twig's `SourcePolicyInterface` (contributed upstream by the author of this package) to selectively apply restrictions.

Installation
------------

```
composer require ysaxon/pyrocms-ssti-fix
```

Unfortunately, because PyroCMS [disables package autodiscovery](https://github.com/pyrocms/pyrocms/commit/978bbb63c9b871df85bf6ba98756fbd621bff4ec), you will need to register the service provider yourself.

You can do that with:

```
sed -i "/App\\\Providers\\\AppServiceProvider::class,/a \        YSaxon\\\PyroCmsSstiFix\\\SandboxServiceProvider::class," config/app.php
```

Requirements
------------

- PHP 7.4+ or 8.0+
- Twig 2.16+ or 3.9+ (for `SourcePolicyInterface` support)
- Laravel 6.0+ / PyroCMS 3.x

How It Works
------------

```
┌─────────────────────────────────────────────────────────────┐
│                     Twig Render Request                      │
└─────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────┐
│                    StorageSourcePolicy                       │
│                                                              │
│  Is template from storage path (database/user-editable)?     │
│                                                              │
│     YES ──────────────────►  Enable Sandbox                  │
│      │                       - Block: map, filter, reduce    │
│      │                       - Block: dangerous tags         │
│      │                       - Whitelist safe operations     │
│                                                              │
│     NO ───────────────────►  No Sandbox                      │
│                              (Theme/addon templates work     │
│                               normally)                      │
└─────────────────────────────────────────────────────────────┘

```
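The decision flow in the diagram above, written out as a runnable Twig 3.9+ script (an added example, not the package's own code): a hypothetical `StoragePathSourcePolicy` stands in for the package's `StorageSourcePolicy`, the whitelist is modelled on the "What's Allowed" section, and the script reproduces the "Testing the Fix" check without a PyroCMS install. It assumes Twig is installed via Composer and that `realpath()` works on the demo directory it creates.

```php
<?php
// Added example, not the package's own code: selective sandboxing with Twig's
// SourcePolicyInterface (Twig >= 3.9). Templates whose file lives under the
// storage directory are sandboxed; theme templates render unrestricted.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\FilesystemLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SourcePolicyInterface;
use Twig\Source;

// Hypothetical stand-in for the package's StorageSourcePolicy.
final class StoragePathSourcePolicy implements SourcePolicyInterface
{
    private string $storagePath;

    public function __construct(string $storagePath)
    {
        // Resolve symlinks and ".." once, so the prefix check below compares canonical paths.
        $real = realpath($storagePath);
        $this->storagePath = rtrim($real !== false ? $real : $storagePath, '/') . '/';
    }

    public function enableSandbox(Source $source): bool
    {
        // A template with no resolvable file path (e.g. string-loaded) is treated as untrusted.
        $path = realpath($source->getPath());
        return $path === false || strncmp($path, $this->storagePath, strlen($this->storagePath)) === 0;
    }
}

// Constructed demo layout: storage/ holds user-editable templates, theme/ holds trusted ones.
$base = sys_get_temp_dir() . '/pyrocms-ssti-demo';
foreach (['storage', 'theme'] as $dir) {
    is_dir("$base/$dir") || mkdir("$base/$dir", 0700, true);
}
file_put_contents("$base/storage/role.twig", "{{ ['id']|map('system')|join }}"); // the README's test payload
file_put_contents("$base/theme/layout.twig", 'Hello {{ name|upper }}');

// Whitelist in the spirit of "What's Allowed": map/filter/reduce, include/extends
// and source/template_from_string are deliberately absent.
$policy = new SecurityPolicy(
    ['if', 'for'],                                                   // tags
    ['upper', 'lower', 'trim', 'escape', 'date', 'length', 'join'],  // filters
    [],                                                              // methods
    [],                                                              // properties
    ['max', 'random']                                                // functions
);
$twig = new Environment(new FilesystemLoader($base));
$twig->addExtension(new SandboxExtension($policy, false, new StoragePathSourcePolicy("$base/storage")));

echo $twig->render('theme/layout.twig', ['name' => 'world']), PHP_EOL; // theme template: no sandbox
try {
    echo $twig->render('storage/role.twig'), PHP_EOL;                 // storage template: sandboxed
} catch (SecurityError $e) {
    echo '[rendering failed: ', $e->getMessage(), ']', PHP_EOL;
}
```

The storage template is rejected at compile time because `map` is not in the filter whitelist, which is the same failure the "Testing the Fix" section expects to see after installing the package.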

Configuration (Optional)
------------------------

Default settings are secure and work for most installations. To customize:

```
php artisan vendor:publish --tag=pyrocms-ssti-fix-config
```

This creates `config/pyrocms-ssti-fix.php`:

```
return [
    // Master switch
    'enabled' => env('PYROCMS_SSTI_FIX_ENABLED', true),

    // Override auto-detected storage path
    'storage_path' => env('PYROCMS_SSTI_FIX_STORAGE_PATH', null),

    // Customize allowed tags/filters/functions/methods/properties
    'policy' => [
        'tags' => [SecurityPolicyDefaults::INCLUDE_DEFAULTS],
        'filters' => [SecurityPolicyDefaults::INCLUDE_DEFAULTS],
        // ... see config file for full options
    ],
];
```

What's Blocked
--------------

The default security policy **blocks** these dangerous features in sandboxed templates:

### Filters (RCE vectors)

- `map` - `{{['cmd']|map('system')}}` executes shell commands
- `filter` - Can call arbitrary PHP functions
- `reduce` - Can call arbitrary PHP functions

### Tags (inclusion attacks)

- `include`, `extends`, `block`, `macro`, `import`, `embed`, `use`

### Functions

- `source` - Reads arbitrary file contents
- `include` - Includes other templates
- `template_from_string` - Creates templates from strings

What's Allowed
--------------

Safe operations remain available in sandboxed templates:

```
{# Variables #}
{{ entry.title }}
{{ user.name|upper }}

{# Loops and conditionals #}
{% for item in items %}
    {% if item.active %}
        {{ item.name }}
    {% endif %}
{% endfor %}

{# Safe filters #}
{{ text|escape }}
{{ date|date('Y-m-d') }}
{{ items|length }}
{{ name|lower|trim }}

{# Safe functions #}
{{ max(a, b) }}
{{ random(['red', 'blue', 'green']) }}
```

Extending the Whitelist
-----------------------

If your admin templates legitimately need additional features:

```
// config/pyrocms-ssti-fix.php
'policy' => [
    'filters' => [
        SecurityPolicyDefaults::INCLUDE_DEFAULTS,
        'my_custom_filter',  // Add specific filter
    ],
    'methods' => [
        SecurityPolicyDefaults::INCLUDE_DEFAULTS,
        'App\Models\Post' => ['getTitle', 'getSummary'],
    ],
],
```

Testing the Fix
---------------

After installation, verify the exploit is blocked:

1. Go to PyroCMS admin → Users → Roles
2. Edit a role's description field
3. Enter: `{{['id']|map('system')|join}}`
4. Save and view

**Before fix:** shows the output of the `id` command (or crashes).

**After fix:** shows an error or `[rendering failed: Filter "map" is not allowed.]`

Troubleshooting
---------------

### "Twig not found in container"

The package couldn't find Twig. This usually means:

- PyroCMS/streams-platform isn't fully loaded yet
- You're not running in a PyroCMS environment

Enable debug mode to see details:

```
PYROCMS_SSTI_FIX_DEBUG=true
```

### Legitimate templates breaking

If admin-editable templates use features that are now blocked:

1. Check logs for which feature was blocked
2. Add it to the whitelist in config (if safe)
3. Or refactor the template to use allowed features

### Performance concerns

The package caches all path checks and method/property lookups. In `auto` mode, only storage-path templates incur sandbox overhead.

Security Notes
--------------

- This package **does not** fix the underlying architectural issue (Twig rendering user input)
- It mitigates exploitation by restricting what sandboxed templates can do
- Admin users can still create annoying templates; they just can't achieve RCE
- Consider additional hardening (WAF rules, CSP, etc.) for defense in depth

Credits
-------

- **Yaakov Saxon** - Package author, `SourcePolicyInterface` contributor to Twig
- **Twig PR #3893** - Upstream contribution enabling selective sandbox

License
-------

MIT License - see [LICENSE](LICENSE) file.

Related
-------

- [CVE-2023-29689](https://nvd.nist.gov/vuln/detail/CVE-2023-29689) - NVD entry
- [GHSA-w7vm-4v3j-vgpw](https://github.com/advisories/GHSA-w7vm-4v3j-vgpw) - GitHub Advisory
- [Twig Sandbox Documentation](https://twig.symfony.com/doc/3.x/api.html#sandbox-extension)
