jekyll_flexible_include 2.0.7 → 2.0.10

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 38eeb054b62e4c999437208ce95cb7291174167839d344db3df48670954b32ef
-  data.tar.gz: '0962b93b74c28d6521c655cea29f0646c11051d8f3ddaf690618b9ed91e7276b'
+  metadata.gz: d22302901e7a454d82515fd64525479b2932d8856ee572565ea2fae672b6bb28
+  data.tar.gz: 22c05d1fb04c976ebfb6a7e005e998bc572a21cb5fce7eed4ac2284c38840c2e
 SHA512:
-  metadata.gz: 2e3ec9a8c269bda135c245a54b995abd6f2229658190a5f89e1bad97372e85f4a37af7c7227cbaa8b518f1ae90a6b70ecc3f0f9c881859329fdf241123047ca6
-  data.tar.gz: b8f6497ee5505ac0f43f28a6c9d0bb639be7b7c2bc712375f8ae6774522ccaae6ecd0108be1bdcb0d72cb1656e0b1a268ffa52d3feb675722295aca6c698961d
+  metadata.gz: 04f0e0f7a4ecc3e929a2084311b4c6ee70483256117703a56642c78ab2962b8cfdbc01d3e027dc9fbae188ee8d2adeac202bb0dfa28759ff32fa46262d5c985c
+  data.tar.gz: 66b2a6c4383bcc86d5492a0c4155ecbf168e0dedd1c680d005a5f5cfca319b978158c5e71d2027f58109ae9ee02d449fd189044cb4860f793945fd2ce6d7971b

data/CHANGELOG.md

@@ -1,3 +1,12 @@
+## 2.0.10 / 2022-04-15
+  * Fixed nil pointer
+
+## 2.0.9 / 2022-04-15
+  * Changed how path matching was implemented.
+
+## 2.0.8 / 2022-04-14
+  * Added the ability to restrict arbitrary command execution, and specify the allowable directories to read from.
+
 ## 2.0.7 / 2022-04-14
   * Added `file=` option, so the included file or process is better defined. This option is not required; the file/process can be specified without it as before.
   * Documented `data-lt-active="false"`.

data/README.md

@@ -48,6 +48,37 @@ The following options imply `pre`:
   * `label` specifies that an automatically generated label be placed above the contents. There is no need to specify this option if `download` or `copy_button` options are provided.
   * `label="blah blah"` specifies a label for the contents; this value overrides the default label. The value can be enclosed in single or double quotes.
 
+### Restricting Directory Access
+By default, `flexible_include` can read from all directories according to the permissions of the user account that launched the `jekyll` process.
+For security-conscience environments, the accessible paths can be restricted.
+
+Defining an environment variable called `FLEXIBLE_INCLUDE_PATHS` prior to launching Jekyll will restrict the paths that `flexible_include` will be able to read from.
+This environment variable consists of a colon-delimited set of
+[file and directory glob patterns](https://docs.ruby-lang.org/en/2.7.0/Dir.html#method-c-glob).
+For example, the following restricts access to only the files within:
+ 1. The `~/my_dir` directory tree of the account of the user that launched Jekyll.
+ 2. The directory tree rooted at `/var/files`.
+ 3. The directory tree rooted at the expanded value of the `$work` environment variable.
+```shell
+export FLEXIBLE_INCLUDE_PATHS='~/.*:$sites/.*:$work/.*'
+```
+Note that the above matches dot (hidden) files as well as regular files.
+To just match visible files:
+```shell
+export FLEXIBLE_INCLUDE_PATHS='~/my_dir/**/*:/var/files/**/*:$work/**/*'
+```
+
+#### Note
+The specified directories are traversed when the plugin starts, and the filenames are stored in memory. Directories with lots of files might take a noticable amount to time to enumerate the files.
+
+
+### Restricting Arbitrary Processes
+By default, `flexible_include` can execute any command. You can disable that by setting the environment variable `DISABLE_FLEXIBLE_INCLUDE` to any non-empty value.
+```shell
+export DISABLE_FLEXIBLE_INCLUDE=true
+```
+
+If a potential command execution is intercepted, a big red message will appear on the generated web page that says `Arbitrary command execution denied by DISABLE_FLEXIBLE_INCLUDE value.`, and a red error message will be logged on the console that says something like: `ERROR FlexibleInclude: _posts/2020/2020-10-03-jekyll-plugins.html - Arbitrary command execution denied by DISABLE_FLEXIBLE_INCLUDE value.`
 
 
 ## Installation

data/lib/flexible_include/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module JekyllFlexibleIncludePluginVersion
-  VERSION = "2.0.7"
+  VERSION = "2.0.10"
 end

data/lib/flexible_include.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require "benchmark"
 require "jekyll"
 require "jekyll_plugin_logger"
 require "securerandom"
@@ -13,6 +14,36 @@ end
 class FlexibleInclude < Liquid::Tag
   FlexibleIncludeError = Class.new(Liquid::Error)
 
+  @read_regexes = nil
+
+  def self.normalize_path(path)
+    JekyllTagHelper.expand_env(path)
+                   .gsub("~", Dir.home)
+  end
+
+  # If FLEXIBLE_INCLUDE_PATHS='~/lib/.*:.*:$WORK/.*'
+  # Then @read_regexes will be set to regexes of ["/home/my_user_id/lib/.*", "/pwd/.*", "/work/envar/path/.*"]
+  def self.security_check
+    @execution_denied = ENV['DISABLE_FLEXIBLE_INCLUDE']
+
+    unless @read_regexes
+      flexible_include_paths = ENV['FLEXIBLE_INCLUDE_PATHS']
+      read_paths = normalize_path(flexible_include_paths) if flexible_include_paths
+      if read_paths
+        @read_regexes = read_paths.split(":").map do |path|
+          abs_path = path.start_with?('/') ? path : (Pathname.new(Dir.pwd) + path).to_s
+          Regexp.new(abs_path)
+        end
+      end
+    end
+  end
+
+  def self.access_allowed(path)
+    return true unless @read_regexes
+
+    @read_regexes.find { |regex| regex.match(normalize_path(path)) }
+  end
+
   # @param tag_name [String] the name of the tag, which we already know.
   # @param markup [String] the arguments from the tag, as a single string.
   # @param parse_context [Liquid::ParseContext] hash that stores Liquid options.
@@ -24,6 +55,8 @@ class FlexibleInclude < Liquid::Tag
     super
     @logger = PluginMetaLogger.instance.new_logger(self, PluginMetaLogger.instance.config)
     @helper = JekyllTagHelper.new(tag_name, markup, @logger)
+
+    self.class.security_check
   end
 
   # @param liquid_context [Liquid::Context]
@@ -36,6 +69,7 @@ class FlexibleInclude < Liquid::Tag
     @label_specified = @label
     @copy_button = @helper.parameter_specified? "copyButton"
     @pre = @copy_button || @dark || @download || @label_specified || @helper.parameter_specified?("pre") # Download or label implies pre
+
     filename = @helper.parameter_specified? "file"
     filename ||= @helper.params.first # Do this after all options have been checked for
     @label ||= filename
@@ -48,13 +82,19 @@ class FlexibleInclude < Liquid::Tag
     path = JekyllTagHelper.expand_env(filename)
     case path
     when /\A\// # Absolute path
+      return denied("Access to #{path} denied by FLEXIBLE_INCLUDE_PATHS value.") unless self.class.access_allowed(path)
+
       @logger.debug { "Absolute path=#{path}, filename=#{filename}" }
     when /\A~/ # Relative path to user's home directory
+      return denied("Access to #{path} denied by FLEXIBLE_INCLUDE_PATHS value.") unless self.class.access_allowed(path)
+
       @logger.debug { "User home start filename=#{filename}, path=#{path}" }
       filename.slice! "~/"
       path = File.join(ENV['HOME'], filename)
       @logger.debug { "User home end filename=#{filename}, path=#{path}" }
     when /\A!/ # Run command and return response
+      return denied("Arbitrary command execution denied by DISABLE_FLEXIBLE_INCLUDE value.") if @execution_denied
+
       filename = JekyllTagHelper.remove_quotes(@helper.argv.first) if @helper.argv.first
       filename.slice! "!"
       contents = run(filename)
@@ -72,6 +112,11 @@ class FlexibleInclude < Liquid::Tag
 
   private
 
+  def denied(msg)
+    @logger.error("#{@helper.page.path} - #{msg}")
+    "<p style='color: white; background-color: red; padding: 2pt 1em 2pt 1em;'>#{msg}</p>"
+  end
+
   def read_file(file)
     File.read(file)
   end

data/lib/jekyll_tag_helper.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "shellwords"
+require 'key_value_parser'
 
 class JekyllTagHelper
   attr_reader :argv, :liquid_context, :logger, :params, :tag_name
@@ -9,7 +10,7 @@ class JekyllTagHelper
     string.gsub("{", "&#123;").gsub("}", "&#125;").gsub("<", "&lt;")
   end
 
-  # Expand environment variable references
+  # Expand a environment variable reference
   def self.expand_env(str)
     str.gsub(/\$([a-zA-Z_][a-zA-Z0-9_]*)|\${\g<1>}|%\g<1>%/) { ENV[Regexp.last_match(1)] }
   end

data/spec/glob_spec.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require_relative "../lib/flexible_include"
+
+RSpec.describe(FlexibleInclude) do
+  it "controls access to files" do
+    ENV['FLEXIBLE_INCLUDE_PATHS'] = '~/.*:spec/.*'
+
+    FlexibleInclude.send(:new, 'my_tag', "", Liquid::ParseContext.new)
+    FlexibleInclude.security_check
+    expect(FlexibleInclude.access_allowed(__FILE__)).to be_truthy
+
+    expect(FlexibleInclude.access_allowed("~/.mem_settings.yaml")).to be_truthy
+
+    home_file = JekyllTagHelper.expand_env("$HOME/.mem_settings.yaml")
+    expect(FlexibleInclude.access_allowed(home_file)).to be_truthy
+
+    expect(FlexibleInclude.access_allowed('/asdf')).to be_falsey
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require "jekyll"
+
+require_relative "../lib/flexible_include"
+
+Jekyll.logger.log_level = :info
+
+RSpec.configure do |config|
+  config.filter_run :focus
+  config.order = "random"
+  config.run_all_when_everything_filtered = true
+
+  # See https://relishapp.com/rspec/rspec-core/docs/command-line/only-failures
+  config.example_status_persistence_file_path = "spec/status_persistence.txt"
+end

data/spec/status_persistence.txt

@@ -0,0 +1,3 @@
+example_id               | status | run_time        |
+------------------------ | ------ | --------------- |
+./spec/glob_spec.rb[1:1] | passed | 0.01217 seconds |

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: jekyll_flexible_include
 version: !ruby/object:Gem::Version
-  version: 2.0.7
+  version: 2.0.10
 platform: ruby
 authors:
 - Mike Slinn
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2022-04-14 00:00:00.000000000 Z
+date: 2022-04-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jekyll
@@ -88,6 +88,9 @@ files:
 - lib/flexible_include.rb
 - lib/flexible_include/version.rb
 - lib/jekyll_tag_helper.rb
+- spec/glob_spec.rb
+- spec/spec_helper.rb
+- spec/status_persistence.txt
 homepage: https://www.mslinn.com/blog/2020/10/03/jekyll-plugins.html#flexibleInclude
 licenses:
 - MIT
@@ -120,4 +123,7 @@ signing_key:
 specification_version: 4
 summary: Jekyll plugin supports various ways to include content into the generated
   site.
-test_files: []
+test_files:
+- spec/glob_spec.rb
+- spec/spec_helper.rb
+- spec/status_persistence.txt