英文:
Is there a way to limit which files liquid render can render / include
问题
我想创建一个Ruby on Rails应用程序,允许最终用户上传他们自己的Liquid主题,类似于Shopify。
我想将文件存储在各自的主题文件夹中,并允许使用"render"和"include"来引入其他文件/组件。
在渲染Liquid文件时,是否有一种方法可以限制渲染的Liquid文件访问哪些文件,例如限制它只能访问所在目录及其子目录,以防止某人猜测文件夹路径并跳出他们的主题目录,进入另一个主题目录?
英文:
I want to build a ruby on rails app where I allow end users to upload their own liquid themes, similar to shopify.
I want to store the files in themes in their own folder and allow the use of render and include to pull in other files/components.
Is there a way when rendering the liquid files to limit what files the rendered liquid file has access to e.g. limit it to the directory it's in and any subdirectories. To stop the edge case where someone can guess a folder path and go up outside their theme directory and into another theme directory?
答案1
得分: 1
我以前没有使用过liquid,但在代码中有这个部分:
https://github.com/Shopify/liquid/blob/v5.4.0/lib/liquid/file_system.rb#L46
以下是一个包含a和b文件夹的快速示例:
require 'liquid'
template = Liquid::Template.new
file_system = Liquid::LocalFileSystem.new('a/')
template.registers[:file_system] = file_system
template.parse(file_system.read_template_file('foo'))
puts template.render
.
├── Gemfile
├── Gemfile.lock
├── a
│ ├── _bar.liquid
│ └── _foo.liquid
├── b
│ └── _other.liquid
└── script.rb
➜ cat a/_foo.liquid
<h1>foo</h1> {% for i in (1..3) %} {{ i }} {% endfor %}
{% render 'bar' %}
{% render '../b/other' %}
➜ ruby script.rb
<h1>foo</h1> 1 2 3
<h1>bar</h1> 1 2 3
Liquid error: Illegal template name '../b/other'
英文:
I haven't used liquid before but there is this in the code:
https://github.com/Shopify/liquid/blob/v5.4.0/lib/liquid/file_system.rb#L46
Here is a quick sample with a and b folders:
require 'liquid'
template = Liquid::Template.new
file_system = Liquid::LocalFileSystem.new('a/')
template.registers[:file_system] = file_system
template.parse(file_system.read_template_file('foo'))
puts template.render
.
├── Gemfile
├── Gemfile.lock
├── a
│   ├── _bar.liquid
│   └── _foo.liquid
├── b
│   └── _other.liquid
└── script.rb
➜ cat a/_foo.liquid
<h1>foo</h1> {% for i in (1..3) %} {{ i }} {% endfor %}
{% render 'bar' %}
{% render '../b/other' %}
➜ ruby script.rb
<h1>foo</h1> 1 2 3
<h1>bar</h1> 1 2 3
Liquid error: Illegal template name '../b/other'
答案2
得分: 1
你可以使用 Liquid::LocalFileSystem.new("/path/to/template/dir/for/user123", "optional_file_pattern")。
它提供了一个抽象文件系统,以类似于 Rails 局部视图的方式检索属于 /path/to/template/dir/for/user123 目录的模板文件,并可以选择匹配 optional_file_pattern(如果需要)。
如果忽略文件模式参数,它将默认为 _%s.liquid,因此如果您满意可以跳过它,或者还可以基于自定义文件模式来限制匹配。
英文:
You could make use of Liquid::LocalFileSystem.new("/path/to/template/dir/for/user123", "optional_file_pattern")
It provides an abstract file system that retrieves the template files named in a manner similar to Rails partials which belong to the /path/to/template/dir/for/user123 dir and also optionally match optional_file_pattern if needs be.
The file pattern parameter if ignored defaults to _%s.liquid, so it can be skipped if you are happy with that or could also restrict matching based on a custom file pattern.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论