New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

3.7.x: EntryFilter#filter symlink fix #7224

Merged
merged 7 commits into from Sep 7, 2018

Conversation

Projects
None yet
4 participants
@parkr
Member

parkr commented Sep 6, 2018

In EntryFilter#filter, we check for include? before we check for symlink?, which allows symlinks to be read in a build when they shouldn't be by just including them.

I am committing a failing test in one commit, and a fix in another commit so we can demonstrate what fails.

@parkr parkr added the security label Sep 6, 2018

@parkr parkr requested a review from jekyll/core Sep 6, 2018

EntryFilter#filter: reject all symlinks, even if included
Previously, you could include the name of a symlinked file
and Jekyll would not filter it. This is considered a bypass
of the symlink checking, and thus a security bug.
special?(e) || backup?(e) || excluded?(e) || symlink?(e)
end
next true if symlink?(e)
next false if included?(e)

This comment has been minimized.

@ashmaroli

ashmaroli Sep 6, 2018

Member

@parkr For knowledge purposes, can you pleas explain what these two lines mean..?

Thanks =)

This comment has been minimized.

@DirtyF

DirtyF Sep 6, 2018

Member

We first check for symlinks and directly go to next entry if true

This comment has been minimized.

@parkr

parkr Sep 7, 2018

Member

Added a comment!

# no support for symlinks on Windows
skip_if_windows "Jekyll does not currently support symlinks on Windows."
site = Site.new(site_configuration("safe" => true, "include" => ["symlinked-file-outside-source"]))

This comment has been minimized.

@ashmaroli

ashmaroli Sep 6, 2018

Member

We have a helper for this.. fixture_site

site = fixture_site(
  :safe => true,
  :include => ["filename"]
)
should "only read the layouts which are in the site" do
layouts = LayoutReader.new(@site).read
refute layouts.keys.include?("symlink"), "Should not read the symlinked layout"

This comment has been minimized.

@ashmaroli

ashmaroli Sep 6, 2018

Member

Prefer using Hash#include? or Hash#key?` instead..?

@DirtyF

LGTM, thanks @parkr ❤️

@DirtyF

This comment has been minimized.

Member

DirtyF commented Sep 6, 2018

@pathawks is Utterson preventing Travis from running tests here?

@pathawks

This comment has been minimized.

Member

pathawks commented Sep 6, 2018

@DirtyF I can't imagine why that would be the case 🤷‍♂️

@parkr

This comment has been minimized.

Member

parkr commented Sep 7, 2018

I don't see why Travis / AppVeyor aren't working... I ran script/cibuild locally and the tests pass.

@parkr parkr self-assigned this Sep 7, 2018

@DirtyF

This comment has been minimized.

Member

DirtyF commented Sep 7, 2018

Looks like Checks API is waiting for Utterson to complete before launching Travis CI tests. 🤔

Tests are also passing locally on my end.

@parkr

This comment has been minimized.

Member

parkr commented Sep 7, 2018

Looks like Checks API is waiting for Utterson to complete before launching Travis CI tests. 🤔

Where do you see this?

@DirtyF

This comment has been minimized.

Member

DirtyF commented Sep 7, 2018

@parkr It's just a guess based on what is displayed on https://github.com/jekyll/jekyll/pull/7224/checks if Utterson is queued (and is blocked because of EC2), I conclude that Travis tests will not start until first job is finished.

@ashmaroli

This comment has been minimized.

Member

ashmaroli commented Sep 7, 2018

@parkr Thank you for addressing my concerns..
I have 1 final request..: Can you please change the base branch to jekyll:master and backport the commit to 3.7-stable after its merged..?
Thanks once again..

@parkr

This comment has been minimized.

Member

parkr commented Sep 7, 2018

@ashmaroli I'll make a new PR to Jekyll:master after this one is approved! The 3.7.x series is what GitHub runs and was thus my first priority. After this, I plan to issue a PR to master then backport it to 3.8-stable, and 3.6-stable.

parkr added some commits Sep 7, 2018

Revert "Run this branch."
This reverts commit f5cd15c.

@parkr parkr merged commit 4108ddb into 3.7-stable Sep 7, 2018

1 check passed

WIP ready for review
Details

@parkr parkr deleted the 3.7-entryfilter-symlink-fix branch Sep 7, 2018

sjockers added a commit to datenguide/datenguide that referenced this pull request Oct 9, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment