jekyll_flexible_include 2.0.8 → 2.0.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +3 -0
- data/README.md +4 -1
- data/lib/flexible_include/version.rb +1 -1
- data/lib/flexible_include.rb +37 -13
- data/lib/jekyll_tag_helper.rb +1 -0
- data/spec/glob_spec.rb +20 -0
- data/spec/spec_helper.rb +16 -0
- data/spec/status_persistence.txt +3 -0
- metadata +9 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: b71142b75599a60998290ed57afbe3231330bf42dba89c7f892e3e08e3eb07e2
|
|
4
|
+
data.tar.gz: e1cf42634742f63c2f6f44e4e800093003fbe9a01e47f12414c8876c9663f0d1
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 1456652118883acd55de272df6c00c8ce29c42031609282ffe95ff043c15f5c57f9f293d23490edf78267dc672408045018e69cb2edcd6be144cd214b180b9a4
|
|
7
|
+
data.tar.gz: 88a9c4d75a15fdd84980816a266fbfd12d6e1e81cfac041881393b33d015ddbcfad30c0a2d1e4ae7b5ea09048838a0fddfc7352db508a6520543b4cca67ab06a
|
data/CHANGELOG.md
CHANGED
data/README.md
CHANGED
|
@@ -60,7 +60,7 @@ For example, the following restricts access to only the files within:
|
|
|
60
60
|
2. The directory tree rooted at `/var/files`.
|
|
61
61
|
3. The directory tree rooted at the expanded value of the `$work` environment variable.
|
|
62
62
|
```shell
|
|
63
|
-
export FLEXIBLE_INCLUDE_PATHS='
|
|
63
|
+
export FLEXIBLE_INCLUDE_PATHS='~/.*:$sites/.*:$work/.*'
|
|
64
64
|
```
|
|
65
65
|
Note that the above matches dot (hidden) files as well as regular files.
|
|
66
66
|
To just match visible files:
|
|
@@ -68,6 +68,9 @@ To just match visible files:
|
|
|
68
68
|
export FLEXIBLE_INCLUDE_PATHS='~/my_dir/**/*:/var/files/**/*:$work/**/*'
|
|
69
69
|
```
|
|
70
70
|
|
|
71
|
+
#### Note
|
|
72
|
+
The specified directories are traversed when the plugin starts, and the filenames are stored in memory. Directories with lots of files might take a noticable amount to time to enumerate the files.
|
|
73
|
+
|
|
71
74
|
|
|
72
75
|
### Restricting Arbitrary Processes
|
|
73
76
|
By default, `flexible_include` can execute any command. You can disable that by setting the environment variable `DISABLE_FLEXIBLE_INCLUDE` to any non-empty value.
|
data/lib/flexible_include.rb
CHANGED
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
|
+
require "benchmark"
|
|
3
4
|
require "jekyll"
|
|
4
5
|
require "jekyll_plugin_logger"
|
|
5
6
|
require "securerandom"
|
|
@@ -13,6 +14,35 @@ end
|
|
|
13
14
|
class FlexibleInclude < Liquid::Tag
|
|
14
15
|
FlexibleIncludeError = Class.new(Liquid::Error)
|
|
15
16
|
|
|
17
|
+
@read_regexes = nil
|
|
18
|
+
|
|
19
|
+
def self.normalize_path(path)
|
|
20
|
+
JekyllTagHelper.expand_env(path)
|
|
21
|
+
.gsub("~", Dir.home)
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
# If FLEXIBLE_INCLUDE_PATHS='~/lib/.*:.*:$WORK/.*'
|
|
25
|
+
# Then @read_regexes will be set to regexes of ["/home/my_user_id/lib/.*", "/pwd/.*", "/work/envar/path/.*"]
|
|
26
|
+
def self.security_check
|
|
27
|
+
@execution_denied = ENV['DISABLE_FLEXIBLE_INCLUDE']
|
|
28
|
+
|
|
29
|
+
unless @read_regexes
|
|
30
|
+
read_paths = normalize_path(ENV['FLEXIBLE_INCLUDE_PATHS'])
|
|
31
|
+
if read_paths
|
|
32
|
+
@read_regexes = read_paths.split(":").map do |path|
|
|
33
|
+
abs_path = path.start_with?('/') ? path : (Pathname.new(Dir.pwd) + path).to_s
|
|
34
|
+
Regexp.new(abs_path)
|
|
35
|
+
end
|
|
36
|
+
end
|
|
37
|
+
end
|
|
38
|
+
end
|
|
39
|
+
|
|
40
|
+
def self.access_allowed(path)
|
|
41
|
+
return true unless @read_regexes
|
|
42
|
+
|
|
43
|
+
@read_regexes.find { |regex| regex.match(normalize_path(path)) }
|
|
44
|
+
end
|
|
45
|
+
|
|
16
46
|
# @param tag_name [String] the name of the tag, which we already know.
|
|
17
47
|
# @param markup [String] the arguments from the tag, as a single string.
|
|
18
48
|
# @param parse_context [Liquid::ParseContext] hash that stores Liquid options.
|
|
@@ -25,12 +55,7 @@ class FlexibleInclude < Liquid::Tag
|
|
|
25
55
|
@logger = PluginMetaLogger.instance.new_logger(self, PluginMetaLogger.instance.config)
|
|
26
56
|
@helper = JekyllTagHelper.new(tag_name, markup, @logger)
|
|
27
57
|
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
# If FLEXIBLE_INCLUDE_PATHS='~/lib/**/*:*/**/*'
|
|
31
|
-
# Then @read_paths will be set to ["~/lib/**/*", "*/**/*"]
|
|
32
|
-
@read_paths = ENV['FLEXIBLE_INCLUDE_PATHS']
|
|
33
|
-
@read_paths = @read_paths.split(":").map { |x| JekyllTagHelper.expand_env x } if @read_paths
|
|
58
|
+
self.class.security_check
|
|
34
59
|
end
|
|
35
60
|
|
|
36
61
|
# @param liquid_context [Liquid::Context]
|
|
@@ -43,6 +68,7 @@ class FlexibleInclude < Liquid::Tag
|
|
|
43
68
|
@label_specified = @label
|
|
44
69
|
@copy_button = @helper.parameter_specified? "copyButton"
|
|
45
70
|
@pre = @copy_button || @dark || @download || @label_specified || @helper.parameter_specified?("pre") # Download or label implies pre
|
|
71
|
+
|
|
46
72
|
filename = @helper.parameter_specified? "file"
|
|
47
73
|
filename ||= @helper.params.first # Do this after all options have been checked for
|
|
48
74
|
@label ||= filename
|
|
@@ -55,16 +81,19 @@ class FlexibleInclude < Liquid::Tag
|
|
|
55
81
|
path = JekyllTagHelper.expand_env(filename)
|
|
56
82
|
case path
|
|
57
83
|
when /\A\// # Absolute path
|
|
58
|
-
return denied("Access to #{path} denied by FLEXIBLE_INCLUDE_PATHS value.") unless access_allowed(path)
|
|
84
|
+
return denied("Access to #{path} denied by FLEXIBLE_INCLUDE_PATHS value.") unless self.class.access_allowed(path)
|
|
85
|
+
|
|
59
86
|
@logger.debug { "Absolute path=#{path}, filename=#{filename}" }
|
|
60
87
|
when /\A~/ # Relative path to user's home directory
|
|
61
|
-
return denied("Access to #{path} denied by FLEXIBLE_INCLUDE_PATHS value.") unless access_allowed(path)
|
|
88
|
+
return denied("Access to #{path} denied by FLEXIBLE_INCLUDE_PATHS value.") unless self.class.access_allowed(path)
|
|
89
|
+
|
|
62
90
|
@logger.debug { "User home start filename=#{filename}, path=#{path}" }
|
|
63
91
|
filename.slice! "~/"
|
|
64
92
|
path = File.join(ENV['HOME'], filename)
|
|
65
93
|
@logger.debug { "User home end filename=#{filename}, path=#{path}" }
|
|
66
94
|
when /\A!/ # Run command and return response
|
|
67
95
|
return denied("Arbitrary command execution denied by DISABLE_FLEXIBLE_INCLUDE value.") if @execution_denied
|
|
96
|
+
|
|
68
97
|
filename = JekyllTagHelper.remove_quotes(@helper.argv.first) if @helper.argv.first
|
|
69
98
|
filename.slice! "!"
|
|
70
99
|
contents = run(filename)
|
|
@@ -82,11 +111,6 @@ class FlexibleInclude < Liquid::Tag
|
|
|
82
111
|
|
|
83
112
|
private
|
|
84
113
|
|
|
85
|
-
def access_allowed(path)
|
|
86
|
-
return true unless @read_paths
|
|
87
|
-
Dir.glob(@read_paths).find { |x| x == path }
|
|
88
|
-
end
|
|
89
|
-
|
|
90
114
|
def denied(msg)
|
|
91
115
|
@logger.error("#{@helper.page.path} - #{msg}")
|
|
92
116
|
"<p style='color: white; background-color: red; padding: 2pt 1em 2pt 1em;'>#{msg}</p>"
|
data/lib/jekyll_tag_helper.rb
CHANGED
data/spec/glob_spec.rb
ADDED
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require_relative "../lib/flexible_include"
|
|
4
|
+
|
|
5
|
+
RSpec.describe(FlexibleInclude) do
|
|
6
|
+
it "controls access to files" do
|
|
7
|
+
ENV['FLEXIBLE_INCLUDE_PATHS'] = '~/.*:spec/.*'
|
|
8
|
+
|
|
9
|
+
FlexibleInclude.send(:new, 'my_tag', "", Liquid::ParseContext.new)
|
|
10
|
+
FlexibleInclude.security_check
|
|
11
|
+
expect(FlexibleInclude.access_allowed(__FILE__)).to be_truthy
|
|
12
|
+
|
|
13
|
+
expect(FlexibleInclude.access_allowed("~/.mem_settings.yaml")).to be_truthy
|
|
14
|
+
|
|
15
|
+
home_file = JekyllTagHelper.expand_env("$HOME/.mem_settings.yaml")
|
|
16
|
+
expect(FlexibleInclude.access_allowed(home_file)).to be_truthy
|
|
17
|
+
|
|
18
|
+
expect(FlexibleInclude.access_allowed('/asdf')).to be_falsey
|
|
19
|
+
end
|
|
20
|
+
end
|
data/spec/spec_helper.rb
ADDED
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require "jekyll"
|
|
4
|
+
|
|
5
|
+
require_relative "../lib/flexible_include"
|
|
6
|
+
|
|
7
|
+
Jekyll.logger.log_level = :info
|
|
8
|
+
|
|
9
|
+
RSpec.configure do |config|
|
|
10
|
+
config.filter_run :focus
|
|
11
|
+
config.order = "random"
|
|
12
|
+
config.run_all_when_everything_filtered = true
|
|
13
|
+
|
|
14
|
+
# See https://relishapp.com/rspec/rspec-core/docs/command-line/only-failures
|
|
15
|
+
config.example_status_persistence_file_path = "spec/status_persistence.txt"
|
|
16
|
+
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: jekyll_flexible_include
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.0.
|
|
4
|
+
version: 2.0.9
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Mike Slinn
|
|
@@ -10,7 +10,7 @@ authors:
|
|
|
10
10
|
autorequire:
|
|
11
11
|
bindir: exe
|
|
12
12
|
cert_chain: []
|
|
13
|
-
date: 2022-04-
|
|
13
|
+
date: 2022-04-15 00:00:00.000000000 Z
|
|
14
14
|
dependencies:
|
|
15
15
|
- !ruby/object:Gem::Dependency
|
|
16
16
|
name: jekyll
|
|
@@ -88,6 +88,9 @@ files:
|
|
|
88
88
|
- lib/flexible_include.rb
|
|
89
89
|
- lib/flexible_include/version.rb
|
|
90
90
|
- lib/jekyll_tag_helper.rb
|
|
91
|
+
- spec/glob_spec.rb
|
|
92
|
+
- spec/spec_helper.rb
|
|
93
|
+
- spec/status_persistence.txt
|
|
91
94
|
homepage: https://www.mslinn.com/blog/2020/10/03/jekyll-plugins.html#flexibleInclude
|
|
92
95
|
licenses:
|
|
93
96
|
- MIT
|
|
@@ -120,4 +123,7 @@ signing_key:
|
|
|
120
123
|
specification_version: 4
|
|
121
124
|
summary: Jekyll plugin supports various ways to include content into the generated
|
|
122
125
|
site.
|
|
123
|
-
test_files:
|
|
126
|
+
test_files:
|
|
127
|
+
- spec/glob_spec.rb
|
|
128
|
+
- spec/spec_helper.rb
|
|
129
|
+
- spec/status_persistence.txt
|