Remove project path in twig label error messages to prevent information leakage

Author: jbtronics

src/Controller/AdminPages/BaseAdminController.php

@@ -217,7 +217,7 @@ protected function _edit(AbstractNamedDBElement $entity, Request $request, Entit
             try {
                 $pdf_data = $this->labelGenerator->generateLabel($entity->getOptions(), $example);
             } catch (TwigModeException $exception) {
-                $form->get('options')->get('lines')->addError(new FormError($exception->getMessage()));
+                $form->get('options')->get('lines')->addError(new FormError($exception->getSafeMessage()));
             }
         }
 

src/Controller/LabelController.php

@@ -117,7 +117,7 @@ public function generator(Request $request, ?LabelProfile $profile = null): Resp
                     $pdf_data = $this->labelGenerator->generateLabel($form_options, $targets);
                     $filename = $this->getLabelName($targets[0], $profile);
                 } catch (TwigModeException $exception) {
-                    $form->get('options')->get('lines')->addError(new FormError($exception->getMessage()));
+                    $form->get('options')->get('lines')->addError(new FormError($exception->getSafeMessage()));
                 }
             } else {
                 //$this->addFlash('warning', 'label_generator.no_entities_found');

src/Exceptions/TwigModeException.php

@@ -46,8 +46,23 @@
 
 class TwigModeException extends RuntimeException
 {
+    private const PROJECT_PATH = __DIR__ . '/../../';
+
     public function __construct(?Error $previous = null)
     {
         parent::__construct($previous->getMessage(), 0, $previous);
     }
+
+    /**
+     * Returns the message of this exception, where it is tried to remove any sensitive information (like filepaths).
+     * @return string
+     */
+    public function getSafeMessage(): string
+    {
+        //Resolve project root path
+        $projectPath = realpath(self::PROJECT_PATH);
+
+        //Remove occurrences of the project path from the message
+        return str_replace($projectPath, '[Part-DB Root Folder]', $this->getMessage());
+    }
 }

tests/Exceptions/TwigModeExceptionTest.php

@@ -0,0 +1,49 @@
+<?php
+/*
+ * This file is part of Part-DB (https://github.com/Part-DB/Part-DB-symfony).
+ *
+ *  Copyright (C) 2019 - 2024 Jan Böhmer (https://github.com/jbtronics)
+ *
+ *  This program is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU Affero General Public License as published
+ *  by the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU Affero General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Affero General Public License
+ *  along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+namespace App\Tests\Exceptions;
+
+use App\Exceptions\TwigModeException;
+use PHPUnit\Framework\TestCase;
+use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
+use Twig\Error\Error;
+
+class TwigModeExceptionTest extends KernelTestCase
+{
+
+    private string $projectPath;
+
+    public function setUp(): void
+    {
+        self::bootKernel();
+
+        $this->projectPath = self::getContainer()->getParameter('kernel.project_dir');
+    }
+
+    public function testGetSafeMessage(): void
+    {
+        $testException = new Error("Error at : " . $this->projectPath . "/src/dir/path/file.php");
+
+        $twigModeException = new TwigModeException($testException);
+
+        $this->assertSame("Error at : " . $this->projectPath . "/src/dir/path/file.php", $testException->getMessage());
+        $this->assertSame("Error at : [Part-DB Root Folder]/src/dir/path/file.php", $twigModeException->getSafeMessage());
+    }
+}