jekyll_flexible_include 2.0.8 → 2.0.11

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 64eb6af1f283738c8152205359b97b42081c571cc8cd16dc30d263108e21aba0
-  data.tar.gz: 87b46d76f2f43022c458fff1dc4f3ea5523ccc0afe29ca7eb4c6c7f41554427d
+  metadata.gz: f3c2d80bab20b338d7635734938862e2ed99af858dc8f4967e7f0995fc0e5304
+  data.tar.gz: 3683ddcebf92f60dd12955e34eb64a910e8d51a16e46fa2b8c40fafb5b33b682
 SHA512:
-  metadata.gz: 143e9c8cc4e9d5a109ce41020e46c4c8c0366e9c30bf4201263767e5276818ca32293430d6464afbea3a1925c90256219394dcf77b57735dd49ff3efa42dd940
-  data.tar.gz: 2dd1b9df7fa2936231ef0bb85ef8ecb87fc7afa9d519a9fda3dd9167869b13671c9ece3c13b1576ac11d9c0abc1adc498e7bc66fd5fb3fdb9634e417666119a6
+  metadata.gz: 694653b9d9104793c425af90a2f93be38ee822c399bc60b1ce1bb012f70ea8af0268a8d4679353a4aab1f0dcd143b8738f58c74e094dc973b27081ac46690abd
+  data.tar.gz: 38b218be26c2bef642f13bf313150ef92676d214d5ade4b8333d936e47883f5b2a8b941b4a67f58427794706b68e976cd04847a1efba286dabe3d25eb914b3a9

data/CHANGELOG.md

@@ -1,3 +1,12 @@
+## 2.0.11 / 2022-04-15
+  * Added & => & to the escaped characters
+
+## 2.0.10 / 2022-04-15
+  * Fixed nil pointer
+
+## 2.0.9 / 2022-04-15
+  * Changed how path matching was implemented.
+
 ## 2.0.8 / 2022-04-14
   * Added the ability to restrict arbitrary command execution, and specify the allowable directories to read from.
 

data/README.md

@@ -60,7 +60,7 @@ For example, the following restricts access to only the files within:
  2. The directory tree rooted at `/var/files`.
  3. The directory tree rooted at the expanded value of the `$work` environment variable.
 ```shell
-export FLEXIBLE_INCLUDE_PATHS='~/my_dir/**/{*,.*}:/var/files/**/{*,.*}:$work/**/{*,.*}'
+export FLEXIBLE_INCLUDE_PATHS='~/.*:$sites/.*:$work/.*'
 ```
 Note that the above matches dot (hidden) files as well as regular files.
 To just match visible files:
@@ -68,6 +68,9 @@ To just match visible files:
 export FLEXIBLE_INCLUDE_PATHS='~/my_dir/**/*:/var/files/**/*:$work/**/*'
 ```
 
+#### Note
+The specified directories are traversed when the plugin starts, and the filenames are stored in memory. Directories with lots of files might take a noticable amount to time to enumerate the files.
+
 
 ### Restricting Arbitrary Processes
 By default, `flexible_include` can execute any command. You can disable that by setting the environment variable `DISABLE_FLEXIBLE_INCLUDE` to any non-empty value.

data/lib/flexible_include/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module JekyllFlexibleIncludePluginVersion
-  VERSION = "2.0.8"
+  VERSION = "2.0.11"
 end

data/lib/flexible_include.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require "benchmark"
 require "jekyll"
 require "jekyll_plugin_logger"
 require "securerandom"
@@ -13,6 +14,36 @@ end
 class FlexibleInclude < Liquid::Tag
   FlexibleIncludeError = Class.new(Liquid::Error)
 
+  @read_regexes = nil
+
+  def self.normalize_path(path)
+    JekyllTagHelper.expand_env(path)
+                   .gsub("~", Dir.home)
+  end
+
+  # If FLEXIBLE_INCLUDE_PATHS='~/lib/.*:.*:$WORK/.*'
+  # Then @read_regexes will be set to regexes of ["/home/my_user_id/lib/.*", "/pwd/.*", "/work/envar/path/.*"]
+  def self.security_check
+    @execution_denied = ENV['DISABLE_FLEXIBLE_INCLUDE']
+
+    unless @read_regexes
+      flexible_include_paths = ENV['FLEXIBLE_INCLUDE_PATHS']
+      read_paths = normalize_path(flexible_include_paths) if flexible_include_paths
+      if read_paths
+        @read_regexes = read_paths.split(":").map do |path|
+          abs_path = path.start_with?('/') ? path : (Pathname.new(Dir.pwd) + path).to_s
+          Regexp.new(abs_path)
+        end
+      end
+    end
+  end
+
+  def self.access_allowed(path)
+    return true unless @read_regexes
+
+    @read_regexes.find { |regex| regex.match(normalize_path(path)) }
+  end
+
   # @param tag_name [String] the name of the tag, which we already know.
   # @param markup [String] the arguments from the tag, as a single string.
   # @param parse_context [Liquid::ParseContext] hash that stores Liquid options.
@@ -25,12 +56,7 @@ class FlexibleInclude < Liquid::Tag
     @logger = PluginMetaLogger.instance.new_logger(self, PluginMetaLogger.instance.config)
     @helper = JekyllTagHelper.new(tag_name, markup, @logger)
 
-    @execution_denied = ENV['DISABLE_FLEXIBLE_INCLUDE']
-
-    # If FLEXIBLE_INCLUDE_PATHS='~/lib/**/*:*/**/*'
-    # Then @read_paths will be set to ["~/lib/**/*", "*/**/*"]
-    @read_paths = ENV['FLEXIBLE_INCLUDE_PATHS']
-    @read_paths = @read_paths.split(":").map { |x| JekyllTagHelper.expand_env x } if @read_paths
+    self.class.security_check
   end
 
   # @param liquid_context [Liquid::Context]
@@ -43,6 +69,7 @@ class FlexibleInclude < Liquid::Tag
     @label_specified = @label
     @copy_button = @helper.parameter_specified? "copyButton"
     @pre = @copy_button || @dark || @download || @label_specified || @helper.parameter_specified?("pre") # Download or label implies pre
+
     filename = @helper.parameter_specified? "file"
     filename ||= @helper.params.first # Do this after all options have been checked for
     @label ||= filename
@@ -55,16 +82,19 @@ class FlexibleInclude < Liquid::Tag
     path = JekyllTagHelper.expand_env(filename)
     case path
     when /\A\// # Absolute path
-      return denied("Access to #{path} denied by FLEXIBLE_INCLUDE_PATHS value.") unless access_allowed(path)
+      return denied("Access to #{path} denied by FLEXIBLE_INCLUDE_PATHS value.") unless self.class.access_allowed(path)
+
       @logger.debug { "Absolute path=#{path}, filename=#{filename}" }
     when /\A~/ # Relative path to user's home directory
-      return denied("Access to #{path} denied by FLEXIBLE_INCLUDE_PATHS value.") unless access_allowed(path)
+      return denied("Access to #{path} denied by FLEXIBLE_INCLUDE_PATHS value.") unless self.class.access_allowed(path)
+
       @logger.debug { "User home start filename=#{filename}, path=#{path}" }
       filename.slice! "~/"
       path = File.join(ENV['HOME'], filename)
       @logger.debug { "User home end filename=#{filename}, path=#{path}" }
     when /\A!/ # Run command and return response
       return denied("Arbitrary command execution denied by DISABLE_FLEXIBLE_INCLUDE value.") if @execution_denied
+
       filename = JekyllTagHelper.remove_quotes(@helper.argv.first) if @helper.argv.first
       filename.slice! "!"
       contents = run(filename)
@@ -82,11 +112,6 @@ class FlexibleInclude < Liquid::Tag
 
   private
 
-  def access_allowed(path)
-    return true unless @read_paths
-    Dir.glob(@read_paths).find { |x| x == path }
-  end
-
   def denied(msg)
     @logger.error("#{@helper.page.path} - #{msg}")
     "<p style='color: white; background-color: red; padding: 2pt 1em 2pt 1em;'>#{msg}</p>"

data/lib/jekyll_tag_helper.rb

@@ -1,12 +1,16 @@
 # frozen_string_literal: true
 
 require "shellwords"
+require 'key_value_parser'
 
 class JekyllTagHelper
   attr_reader :argv, :liquid_context, :logger, :params, :tag_name
 
   def self.escape_html(string)
-    string.gsub("{", "&#123;").gsub("}", "&#125;").gsub("<", "&lt;")
+    string.gsub("&", "&amp;")
+          .gsub("{", "&#123;")
+          .gsub("}", "&#125;")
+          .gsub("<", "&lt;")
   end
 
   # Expand a environment variable reference

data/spec/glob_spec.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require_relative "../lib/flexible_include"
+
+RSpec.describe(FlexibleInclude) do
+  it "controls access to files" do
+    ENV['FLEXIBLE_INCLUDE_PATHS'] = '~/.*:spec/.*'
+
+    FlexibleInclude.send(:new, 'my_tag', "", Liquid::ParseContext.new)
+    FlexibleInclude.security_check
+    expect(FlexibleInclude.access_allowed(__FILE__)).to be_truthy
+
+    expect(FlexibleInclude.access_allowed("~/.mem_settings.yaml")).to be_truthy
+
+    home_file = JekyllTagHelper.expand_env("$HOME/.mem_settings.yaml")
+    expect(FlexibleInclude.access_allowed(home_file)).to be_truthy
+
+    expect(FlexibleInclude.access_allowed('/asdf')).to be_falsey
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require "jekyll"
+
+require_relative "../lib/flexible_include"
+
+Jekyll.logger.log_level = :info
+
+RSpec.configure do |config|
+  config.filter_run :focus
+  config.order = "random"
+  config.run_all_when_everything_filtered = true
+
+  # See https://relishapp.com/rspec/rspec-core/docs/command-line/only-failures
+  config.example_status_persistence_file_path = "spec/status_persistence.txt"
+end

data/spec/status_persistence.txt

@@ -0,0 +1,3 @@
+example_id               | status | run_time        |
+------------------------ | ------ | --------------- |
+./spec/glob_spec.rb[1:1] | passed | 0.01217 seconds |

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: jekyll_flexible_include
 version: !ruby/object:Gem::Version
-  version: 2.0.8
+  version: 2.0.11
 platform: ruby
 authors:
 - Mike Slinn
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2022-04-14 00:00:00.000000000 Z
+date: 2022-04-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jekyll
@@ -88,6 +88,9 @@ files:
 - lib/flexible_include.rb
 - lib/flexible_include/version.rb
 - lib/jekyll_tag_helper.rb
+- spec/glob_spec.rb
+- spec/spec_helper.rb
+- spec/status_persistence.txt
 homepage: https://www.mslinn.com/blog/2020/10/03/jekyll-plugins.html#flexibleInclude
 licenses:
 - MIT
@@ -120,4 +123,7 @@ signing_key:
 specification_version: 4
 summary: Jekyll plugin supports various ways to include content into the generated
   site.
-test_files: []
+test_files:
+- spec/glob_spec.rb
+- spec/spec_helper.rb
+- spec/status_persistence.txt