[FrameworkBundle] Detect indirect env vars in routing

ro0NL · fabpot · commit 85e902847fde · 2019-08-05T07:22:32.000+02:00
diff --git a/Routing/Router.php b/Routing/Router.php
@@ -147,7 +147,7 @@ private function resolve($value)
                 return '%%';
             }
 
-            if (preg_match('/^env\(\w+\)$/', $match[1])) {
+            if (preg_match('/^env\((?:\w++:)*+\w++\)$/', $match[1])) {
                 throw new RuntimeException(sprintf('Using "%%%s%%" is not allowed in routing configuration.', $match[1]));
             }
 
@@ -156,7 +156,7 @@ private function resolve($value)
             if (\is_string($resolved) || is_numeric($resolved)) {
                 $this->collectedParameters[$match[1]] = $resolved;
 
-                return (string) $resolved;
+                return (string) $this->resolve($resolved);
             }
 
             throw new RuntimeException(sprintf('The container parameter "%s", used in the route configuration value "%s", must be a string or numeric, but it is of type %s.', $match[1], $value, \gettype($resolved)));
diff --git a/Tests/Routing/RouterTest.php b/Tests/Routing/RouterTest.php
@@ -14,6 +14,7 @@
 use PHPUnit\Framework\TestCase;
 use Symfony\Bundle\FrameworkBundle\Routing\Router;
 use Symfony\Component\DependencyInjection\Config\ContainerParametersResource;
+use Symfony\Component\DependencyInjection\Exception\RuntimeException;
 use Symfony\Component\Routing\Route;
 use Symfony\Component\Routing\RouteCollection;
 
@@ -122,13 +123,13 @@ public function testPatternPlaceholders()
         $routes->add('foo', new Route('/before/%parameter.foo%/after/%%escaped%%'));
 
         $sc = $this->getServiceContainer($routes);
-        $sc->setParameter('parameter.foo', 'foo');
+        $sc->setParameter('parameter.foo', 'foo-%%escaped%%');
 
         $router = new Router($sc, 'foo');
         $route = $router->getRouteCollection()->get('foo');
 
         $this->assertEquals(
-            '/before/foo/after/%escaped%',
+            '/before/foo-%escaped%/after/%escaped%',
             $route->getPath()
         );
     }
@@ -147,6 +148,22 @@ public function testEnvPlaceholders()
         $router->getRouteCollection();
     }
 
+    public function testIndirectEnvPlaceholders()
+    {
+        $routes = new RouteCollection();
+
+        $routes->add('foo', new Route('/%foo%'));
+
+        $router = new Router($container = $this->getServiceContainer($routes), 'foo');
+        $container->setParameter('foo', 'foo-%bar%');
+        $container->setParameter('bar', '%env(string:FOO)%');
+
+        $this->expectException(RuntimeException::class);
+        $this->expectExceptionMessage('Using "%env(string:FOO)%" is not allowed in routing configuration.');
+
+        $router->getRouteCollection();
+    }
+
     public function testHostPlaceholders()
     {
         $routes = new RouteCollection();

Original file line number	Diff line number	Diff line change
`@@ -147,7 +147,7 @@ private function resolve($value)`
`147`	`147`	`return '%%';`
`148`	`148`	`}`
`149`	`149`
`150`		`- if (preg_match('/^env\(\w+\)$/', $match[1])) {`
	`150`	`+ if (preg_match('/^env\((?:\w++:)*+\w++\)$/', $match[1])) {`
`151`	`151`	`throw new RuntimeException(sprintf('Using "%%%s%%" is not allowed in routing configuration.', $match[1]));`
`152`	`152`	`}`
`153`	`153`
`@@ -156,7 +156,7 @@ private function resolve($value)`
`156`	`156`	`if (\is_string($resolved) \|\| is_numeric($resolved)) {`
`157`	`157`	`$this->collectedParameters[$match[1]] = $resolved;`
`158`	`158`
`159`		`- return (string) $resolved;`
	`159`	`+ return (string) $this->resolve($resolved);`
`160`	`160`	`}`
`161`	`161`
`162`	`162`	`throw new RuntimeException(sprintf('The container parameter "%s", used in the route configuration value "%s", must be a string or numeric, but it is of type %s.', $match[1], $value, \gettype($resolved)));`