Is there a way to limit which files Liquid render can render / include?


Question

I want to build a Ruby on Rails app where I allow end users to upload their own Liquid themes, similar to Shopify.

I want to store each theme's files in its own folder and allow the use of render and include to pull in other files/components.

Is there a way, when rendering the Liquid files, to limit which files the rendered Liquid file has access to, e.g. limit it to the directory it is in and any subdirectories? This is to stop the edge case where someone guesses a folder path, goes up outside their theme directory and into another theme directory.


Answer 1

Score: 1

I haven't used liquid before, but there is this in the code:

https://github.com/Shopify/liquid/blob/v5.4.0/lib/liquid/file_system.rb#L46

Here is a quick sample with a and b folders:

script.rb:

require 'liquid'

template = Liquid::Template.new

# Root the file system at a/; render/include can only resolve templates under it
file_system = Liquid::LocalFileSystem.new('a/')

template.registers[:file_system] = file_system
template.parse(file_system.read_template_file('foo'))

puts template.render

Directory layout:

.
├── Gemfile
├── Gemfile.lock
├── a
│   ├── _bar.liquid
│   └── _foo.liquid
├── b
│   └── _other.liquid
└── script.rb

➜ cat a/_foo.liquid
<h1>foo</h1> {% for i in (1..3) %} {{ i }} {% endfor %}

{% render 'bar' %}

{% render '../b/other' %}
➜ ruby script.rb
<h1>foo</h1>  1  2  3

<h1>bar</h1>  1  2  3


Liquid error: Illegal template name '../b/other'

Answer 2

Score: 1

You could make use of Liquid::LocalFileSystem.new("/path/to/template/dir/for/user123", "optional_file_pattern").

It provides an abstract file system that retrieves template files, named in a manner similar to Rails partials, which belong to the /path/to/template/dir/for/user123 directory and optionally also match optional_file_pattern if need be.

The file pattern parameter, if omitted, defaults to _%s.liquid, so it can be skipped if you are happy with that, or you could also restrict matching based on a custom file pattern.

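As an added example (not code from the liquid gem or from either answer), the confinement both answers rely on, reproduced in a stand-alone Ruby class so it runs without the gem: the template-name pattern and the root-containment check are modelled on what LocalFileSystem's full_path does, and the ThemeFileSystem class, the demo helper and its temp-dir layout are assumptions made for this demonstration.

```ruby
require "tmpdir"
require "fileutils"
# Hypothetical per-tenant theme file system exposing the interface Liquid calls on
# registers[:file_system]. It mirrors LocalFileSystem's two checks: a strict template-name
# pattern, then a root-containment check on the resolved path.
class ThemeFileSystem
  class IllegalTemplate < StandardError; end
  # No leading '.' or '/', only word characters and '/': '..' segments and absolute paths fail here.
  TEMPLATE_NAME = %r{\A[^./][a-zA-Z0-9_/]+\z}

  def initialize(root, pattern = "_%s.liquid")
    @root    = File.expand_path(root)
    @pattern = pattern
  end

  def read_template_file(template_path)
    File.read(full_path(template_path))
  end

  def full_path(template_path)
    raise IllegalTemplate, "Illegal template name '#{template_path}'" unless template_path.match?(TEMPLATE_NAME)
    dir, base = File.split(template_path)
    path = File.expand_path(File.join(@root, dir, @pattern % base))
    # Defence in depth: a name that passed the pattern must still resolve inside the tenant root.
    # expand_path does not follow symlinks, so theme uploads should reject symlinked files too.
    raise IllegalTemplate, "Illegal template path '#{template_path}'" unless path.start_with?(@root + File::SEPARATOR)
    path
  end
end

# Constructed layout mirroring the answer's a/ and b/ folders, built in a temp dir.
# Returns each lookup's template body, or the error message it raised.
def demo
  Dir.mktmpdir do |dir|
    FileUtils.mkdir_p(File.join(dir, "a", "partials"))
    FileUtils.mkdir_p(File.join(dir, "b"))
    File.write(File.join(dir, "a", "_foo.liquid"), "<h1>foo</h1>")
    File.write(File.join(dir, "a", "partials", "_bar.liquid"), "<h1>bar</h1>")
    File.write(File.join(dir, "b", "_other.liquid"), "<h1>other</h1>")
    fs = ThemeFileSystem.new(File.join(dir, "a"))
    names = ["foo", "partials/bar", "../b/other", "a/../../b/other", "/b/other"]
    names.each_with_object({}) do |name, out|
      out[name] = begin
        fs.read_template_file(name)
      rescue ThemeFileSystem::IllegalTemplate => e
        e.message
      end
    end
  end
end
```

Lookups that stay under a/ (including a subdirectory partial) succeed, while every name that tries to leave the tenant root is rejected by the name pattern before the file system is touched.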

huangapple
  • Published on 2023-03-03 19:07:09
  • When reposting, please keep the link to this article: https://go.coder-hub.com/75626297.html