Bundle security measures
Environment restriction
OpenTemplateController maintains a hard-coded allow-list of safe environments:
__invoke(), the controller checks kernel.environment against this list and throws a NotFoundHttpException (HTTP 404) if the environment is not dev or test. This applies even if the route was accidentally registered in production — it acts as a defense-in-depth layer independent of routing configuration.
Template name validation
Before the controller loads any file,validateTemplateName() inspects the raw template string passed in the URL:
| Check | Rejection reason |
|---|---|
| Empty string | Template name cannot be empty. |
Contains .. | Path traversal detected |
Contains a null byte (\0) | Path traversal detected |
Starts with / | Absolute path not allowed |
Matches [A-Za-z]:\\ | Absolute Windows path not allowed |
BadRequestException (HTTP 400) before the Twig loader is invoked.
File path verification
After Twig resolves the template name to an absolute path,validateFilePath() runs a second check:
realpath()normalizes the resolved path, removing symlink indirection and..segments.- The method collects every registered path from the active Twig loader (
FilesystemLoaderpaths, traversingChainLoaderrecursively). - It verifies that the resolved file path starts with at least one allowed loader path.
BadRequestException is thrown.
When only an
ArrayLoader is configured (no FilesystemLoader), validateFilePath() delegates security to Twig’s own loader security and returns early. This is an edge case for non-filesystem template sources.Line number validation
Theline query parameter is parsed as an integer. Any value less than 1 causes a BadRequestException. This prevents both negative values and crafted inputs from influencing the IDE URL.
Route restrictions
Routes must be imported underwhen@dev: and when@test: guards in config/routes.yaml:
php bin/console nowo:twig-inspector:install writes them for you.
Deployment checklist
Bundle registered only under
dev and test in config/bundles.php:Routes imported with
when@dev: and when@test: guards — never under a bare _default key.framework.ide is set to a local IDE URL scheme (e.g. phpstorm://open?file=%%f&line=%%l). This URL is only ever opened by the developer’s own browser.Inspector cookie (
twig_inspector_is_active) is set only on localhost or a private dev server. Do not commit it to shared staging environments.Never expose the dev server (port 8000, FrankenPHP, etc.) to the public internet while the bundle is active.
Integrator considerations
- Template paths in the overlay: when the inspector is enabled, the JavaScript tooltip shows template names and file paths to the developer. Ensure those paths are not visible to untrusted users if you run the dev server on a shared network.
- IDE URL schemes: the
framework.idevalue is used verbatim in the redirect. Use only local IDE URL schemes (e.g.phpstorm://,vscode://,subl://). Remote or HTTP URLs should not be configured here in any environment. - Cookie scope: the inspector cookie is scoped to the origin. It does not travel to other domains, but it does apply to all paths on the dev server origin.
Supported versions
| Version | Supported |
|---|---|
| 1.x | Yes |
Reporting a vulnerability
If you discover a security vulnerability in Twig Inspector Bundle, please report it responsibly — do not open a public GitHub issue.Contact the maintainer privately
Send details to hectorfranco@nowo.tech (or the maintainers listed in
composer.json).Include reproduction details
Provide a clear description of the vulnerability, steps to reproduce it, and an assessment of the potential impact.
Allow time for a fix
The maintainer will acknowledge receipt, may ask follow-up questions, and will work on a fix. Please allow reasonable time before any public disclosure.
Responsible disclosure helps protect all users of the bundle. We appreciate the effort to report privately.