Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

3.7.x: EntryFilter#filter symlink fix #7224

Merged
merged 7 commits into from Sep 7, 2018
Merged

3.7.x: EntryFilter#filter symlink fix #7224

merged 7 commits into from Sep 7, 2018

Conversation

parkr
Copy link
Member

@parkr parkr commented Sep 6, 2018

In EntryFilter#filter, we check for include? before we check for symlink?, which allows symlinks to be read in a build when they shouldn't be by just including them.

I am committing a failing test in one commit, and a fix in another commit so we can demonstrate what fails.

@parkr parkr added the security label Sep 6, 2018
@parkr parkr requested a review from a team September 6, 2018 17:10
@parkr
EntryFilter#filter: reject all symlinks, even if included
a8b91de 
Previously, you could include the name of a symlinked file
and Jekyll would not filter it. This is considered a bypass
of the symlink checking, and thus a security bug.
ashmaroli
ashmaroli reviewed Sep 6, 2018
View reviewed changes
lib/jekyll/entry_filter.rb Outdated
special?(e) || backup?(e) || excluded?(e) || symlink?(e)
end
next true if symlink?(e)
next false if included?(e)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@parkr For knowledge purposes, can you pleas explain what these two lines mean..?

Thanks =)

Copy link
Member

@DirtyF DirtyF Sep 6, 2018
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We first check for symlinks and directly go to next entry if true

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added a comment!

test/test_entry_filter.rb Outdated
# no support for symlinks on Windows
skip_if_windows "Jekyll does not currently support symlinks on Windows."

site = Site.new(site_configuration("safe" => true, "include" => ["symlinked-file-outside-source"]))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have a helper for this.. fixture_site

site = fixture_site(
  :safe => true,
  :include => ["filename"]
)

test/test_layout_reader.rb Outdated
should "only read the layouts which are in the site" do
layouts = LayoutReader.new(@site).read

refute layouts.keys.include?("symlink"), "Should not read the symlinked layout"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Prefer using Hash#include? or Hash#key?` instead..?

DirtyF
DirtyF reviewed Sep 6, 2018
View reviewed changes
Copy link
Member

@DirtyF DirtyF left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks @parkr ❤️

@DirtyF
Copy link
Member

DirtyF commented Sep 6, 2018

@pathawks is Utterson preventing Travis from running tests here?

@pathawks
Copy link
Member

pathawks commented Sep 6, 2018

@DirtyF I can't imagine why that would be the case 🤷‍♂️

@parkr
Copy link
Member Author

parkr commented Sep 7, 2018
edited

I don't see why Travis / AppVeyor aren't working... I ran script/cibuild locally and the tests pass.

@parkr parkr self-assigned this Sep 7, 2018
@DirtyF
Copy link
Member

DirtyF commented Sep 7, 2018
edited

Looks like Checks API is waiting for Utterson to complete before launching Travis CI tests. 🤔

Tests are also passing locally on my end.

@parkr
Copy link
Member Author

parkr commented Sep 7, 2018

Looks like Checks API is waiting for Utterson to complete before launching Travis CI tests. 🤔

Where do you see this?

@DirtyF
Copy link
Member

DirtyF commented Sep 7, 2018

@parkr It's just a guess based on what is displayed on https://github.com/jekyll/jekyll/pull/7224/checks if Utterson is queued (and is blocked because of EC2), I conclude that Travis tests will not start until first job is finished.

@ashmaroli
Copy link
Member

@parkr Thank you for addressing my concerns..
I have 1 final request..: Can you please change the base branch to jekyll:master and backport the commit to 3.7-stable after its merged..?
Thanks once again..

@parkr
Copy link
Member Author

parkr commented Sep 7, 2018

@ashmaroli I'll make a new PR to Jekyll:master after this one is approved! The 3.7.x series is what GitHub runs and was thus my first priority. After this, I plan to issue a PR to master then backport it to 3.8-stable, and 3.6-stable.

@parkr parkr merged commit 4108ddb into 3.7-stable Sep 7, 2018
@parkr parkr deleted the 3.7-entryfilter-symlink-fix branch September 7, 2018 17:28
@parkr parkr mentioned this pull request Sep 7, 2018
Merged
@mnyrop mnyrop mentioned this pull request Sep 17, 2018
Closed
18 tasks
sjockers added a commit to datenguide/datenguide that referenced this pull request Oct 9, 2018
@sjockers
Update Jekyll with security patch (jekyll/jekyll#7224)
e8c8ba7
@rschultheis rschultheis mentioned this pull request Jun 18, 2019
Merged
@jekyll jekyll locked and limited conversation to collaborators Jan 24, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@DirtyF DirtyF DirtyF left review comments

@ashmaroli ashmaroli ashmaroli left review comments

Assignees

@parkr parkr

Labels
frozen-due-to-age security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@parkr @DirtyF @pathawks @ashmaroli @jekyllbot