patch symlink vuln and properly test
Signed-off-by: Parker Moore <parkrmoore@gmail.com>
benbalter authored and parkr committed Jan 14, 2014
1 parent b1a7e14 commit 98b366e
Showing 2 changed files with 12 additions and 20 deletions.
19 changes: 6 additions & 13 deletions lib/jekyll/tags/include.rb
Expand Up @@ -88,13 +88,12 @@ def retrieve_variable(context)

def render(context)
dir = File.join(context.registers[:site].source, INCLUDES_DIR)
validate_dir(dir, context.registers[:site].safe)

file = retrieve_variable(context) || @file
validate_file_name(file)

path = File.join(dir, file)
validate_file(path, context.registers[:site].safe)
validate_path(path, context.registers[:site].safe)

begin
partial = Liquid::Template.parse(source(path, context))
Expand All @@ -108,17 +107,11 @@ def render(context)
end
end

def validate_dir(dir, safe)
if File.symlink?(dir) && safe
raise IOError.new "Includes directory '#{dir}' cannot be a symlink"
end
end

def validate_file(file, safe)
if !File.exists?(file)
raise IOError.new "Included file '#{@file}' not found in '#{INCLUDES_DIR}' directory"
elsif File.symlink?(file) && safe
raise IOError.new "The included file '#{INCLUDES_DIR}/#{@file}' should not be a symlink"
def validate_path(path, safe)
if !File.exist?(path)
raise IOError.new "Included file '#{path}' not found"
elsif path != File.realpath(path) && safe
raise IOError.new "The included file '#{path}' should not be a symlink"
end
end

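Review bot: `validate_path` tests whether the joined path is already canonical (`path != File.realpath(path)`), not whether the resolved file stays under the includes directory, so in safe mode it also rejects every include when the site source itself sits below a symlinked directory, and the "should not be a symlink" message then blames the wrong thing. It also depends on `path` being absolute and normalised, which these hunks do not show. Stating the invariant directly would be sturdier: pass `dir` in and require `File.realpath(path).start_with?(File.realpath(dir) + File::SEPARATOR)` when `safe` is set. Both new messages interpolate the full `path` where the old ones used `@file`, which puts the build host's directory layout into error output; keeping `@file` in the message avoids that.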
13 changes: 6 additions & 7 deletions test/test_tags.rb
Expand Up @@ -350,20 +350,19 @@ def fill_post(code, override = {})

context "with symlink'd include" do

setup do
content = <<CONTENT
should "not allow symlink includes" do
File.open("/tmp/pages-test", 'w') { |file| file.write("SYMLINK TEST") }
assert_raise IOError do
content = <<CONTENT
---
title: Include symlink
---
{% include tmp/pages-test %}
CONTENT
create_post(content, {'permalink' => 'pretty', 'source' => source_dir, 'destination' => dest_dir, 'read_posts' => true, 'safe' => true })
end

should "not allow symlink includes" do
File.open("/tmp/pages-test", 'w') { |file| file.write("SYMLINK TEST") }
create_post(content, {'permalink' => 'pretty', 'source' => source_dir, 'destination' => dest_dir, 'read_posts' => true, 'safe' => true })
end
assert_no_match /SYMLINK TEST/, @result
end
end
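Review bot: `assert_raise IOError` cannot tell a symlink rejection from a missing file, because `validate_path` in lib/jekyll/tags/include.rb raises `IOError` for both, so this test still passes when the `tmp` symlink fixture is absent or the include path simply fails to resolve. Capture the exception and pin the message: `err = assert_raise(IOError) { create_post(...) }` followed by `assert_match /should not be a symlink/, err.message`. As rendered, the trailing `assert_no_match /SYMLINK TEST/, @result` appears to run after the raise, when `@result` may never have been assigned, so it likely asserts nothing. The fixed `/tmp/pages-test` file is also shared between runs and never removed; deleting it in a teardown would keep the test isolated.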
