blacklist inspect et al from being called on drops

2026-01-02 08:15:41 +03:00 · 2012-12-18 13:50:02 -05:00
14 changed files with 80 additions and 181 deletions
--- a/History.md
+++ b/History.md
@@ -1,13 +1,5 @@
 # Liquid Version History

-## 2.5.0 / 2013-03-06
-
-* Prevent Object methods from being called on drops
-* Avoid symbol injection from liquid
-* Added break and continue statements
-* Fix filter parser for args without space separators
-* Add support for filter keyword arguments
-
 ## 2.4.0 / 2012-08-03

 * Performance improvements
--- a/lib/liquid/context.rb
+++ b/lib/liquid/context.rb
@@ -39,7 +39,6 @@ module Liquid

      filters.each do |f|
        raise ArgumentError, "Expected module but got: #{f.class}" unless f.is_a?(Module)
-        Strainer.add_known_filter(f)
        strainer.extend(f)
      end
    end
@@ -72,7 +71,11 @@ module Liquid
    end

    def invoke(method, *args)
-      strainer.invoke(method, *args)
+      if strainer.respond_to?(method)
+        strainer.__send__(method, *args)
+      else
+        args.first
+      end
    end

    # Push new local scope on the stack. use <tt>Context#stack</tt> instead
--- a/lib/liquid/drop.rb
+++ b/lib/liquid/drop.rb
@@ -1,5 +1,3 @@
-require 'set'
-
 module Liquid

  # A drop in liquid is a class which allows you to export DOM like things to liquid.
@@ -22,9 +20,10 @@ module Liquid
  # Your drop can either implement the methods sans any parameters or implement the before_method(name) method which is a
  # catch all.
  class Drop
-    attr_writer :context
-
    EMPTY_STRING = ''.freeze
+    METHOD_BLACKLIST = [:dup, :clone, :singleton_class, :eval, :class_eval, :`, :inspect]
+
+    attr_writer :context

    # Catch all for the method
    def before_method(method)
@@ -33,8 +32,8 @@ module Liquid

    # called by liquid to invoke a drop
    def invoke_drop(method_or_key)
-      if method_or_key && method_or_key != EMPTY_STRING && self.class.invokable?(method_or_key)
-        send(method_or_key)
+      if method_or_key && method_or_key != EMPTY_STRING && self.class.public_method_defined?(method_or_key.to_s.to_sym)
+        send(method_or_key.to_s.to_sym)
      else
        before_method(method_or_key)
      end
@@ -50,12 +49,8 @@ module Liquid

    alias :[] :invoke_drop

-    private
-
-    # Check for method existence without invoking respond_to?, which creates symbols
-    def self.invokable?(method_name)
-      @invokable_methods ||= Set.new((public_instance_methods - Liquid::Drop.public_instance_methods).map(&:to_s))
-      @invokable_methods.include?(method_name.to_s)
+    METHOD_BLACKLIST.each do |blacklisted|
+      define_method(blacklisted) {nil}
    end
  end
 end
--- a/lib/liquid/standardfilters.rb
+++ b/lib/liquid/standardfilters.rb
@@ -93,8 +93,10 @@ module Liquid
    # map/collect on a given property
    def map(input, property)
      ary = [input].flatten
-      ary.map do |e|
-        e.respond_to?('[]') ? e[property] : nil
+      if ary.first.respond_to?('[]') and !ary.first[property].nil?
+        ary.map {|e| e[property] }
+      elsif ary.first.respond_to?(property)
+        ary.map {|e| e.send(property) }
      end
    end

--- a/lib/liquid/strainer.rb
+++ b/lib/liquid/strainer.rb
@@ -2,15 +2,24 @@ require 'set'

 module Liquid

+  parent_object = if defined? BlankObject
+    BlankObject
+  else
+    Object
+  end
+
  # Strainer is the parent class for the filters system.
-  # New filters are mixed into the strainer class which is then instantiated for each liquid template render run.
+  # New filters are mixed into the strainer class which is then instanciated for each liquid template render run.
  #
-  # The Strainer only allows method calls defined in filters given to it via Strainer.global_filter,
-  # Context#add_filters or Template.register_filter
-  class Strainer #:nodoc:
+  # One of the strainer's responsibilities is to keep malicious method calls out
+  class Strainer < parent_object #:nodoc:
+    INTERNAL_METHOD = /^__/
+    @@required_methods = Set.new([:__id__, :__send__, :respond_to?, :kind_of?, :extend, :methods, :singleton_methods, :class, :object_id])
+
+    # Ruby 1.9.2 introduces Object#respond_to_missing?, which is invoked by Object#respond_to?
+    @@required_methods << :respond_to_missing? if Object.respond_to? :respond_to_missing?
+
    @@filters = {}
-    @@known_filters = Set.new
-    @@known_methods = Set.new

    def initialize(context)
      @context = context
@@ -18,36 +27,28 @@ module Liquid

    def self.global_filter(filter)
      raise ArgumentError, "Passed filter is not a module" unless filter.is_a?(Module)
-      add_known_filter(filter)
      @@filters[filter.name] = filter
    end

-    def self.add_known_filter(filter)
-      unless @@known_filters.include?(filter)
-        @@method_blacklist ||= Set.new(Strainer.instance_methods.map(&:to_s))
-        new_methods = filter.instance_methods.map(&:to_s)
-        new_methods.reject!{ |m| @@method_blacklist.include?(m) }
-        @@known_methods.merge(new_methods)
-        @@known_filters.add(filter)
-      end
-    end
-
    def self.create(context)
      strainer = Strainer.new(context)
      @@filters.each { |k,m| strainer.extend(m) }
      strainer
    end

-    def invoke(method, *args)
-      if invokable?(method)
-        send(method, *args)
-      else
-        args.first
-      end
+    def respond_to?(method, include_private = false)
+      method_name = method.to_s
+      return false if method_name =~ INTERNAL_METHOD
+      return false if @@required_methods.include?(method_name)
+      super
    end

-    def invokable?(method)
-      @@known_methods.include?(method.to_s) && respond_to?(method)
+    # remove all standard methods from the bucket so circumvent security
+    # problems
+    instance_methods.each do |m|
+      unless @@required_methods.include?(m.to_sym)
+        undef_method m
+      end
    end
  end
 end
--- a/lib/liquid/variable.rb
+++ b/lib/liquid/variable.rb
@@ -23,10 +23,10 @@ module Liquid
        if match[2].match(/#{FilterSeparator}\s*(.*)/o)
          filters = Regexp.last_match(1).scan(FilterParser)
          filters.each do |f|
-            if matches = f.match(/\s*(\w+)(?:\s*#{FilterArgumentSeparator}(.*))?/)
+            if matches = f.match(/\s*(\w+)/)
              filtername = matches[1]
-              filterargs = matches[2].to_s.scan(/(?:\A|#{ArgumentSeparator})\s*((?:\w+\s*\:\s*)?#{QuotedFragment})/o).flatten
-              @filters << [filtername, filterargs]
+              filterargs = f.scan(/(?:#{FilterArgumentSeparator}|#{ArgumentSeparator})\s*(#{QuotedFragment})/o).flatten
+              @filters << [filtername.to_sym, filterargs]
            end
          end
        end
@@ -36,16 +36,9 @@ module Liquid
    def render(context)
      return '' if @name.nil?
      @filters.inject(context[@name]) do |output, filter|
-        filterargs = []
-        keyword_args = {}
-        filter[1].to_a.each do |a|
-          if matches = a.match(/\A#{TagAttributes}\z/o)
-            keyword_args[matches[1]] = context[matches[2]]
-          else
-            filterargs << context[a]
-          end
+        filterargs = filter[1].to_a.collect do |a|
+          context[a]
        end
-        filterargs << keyword_args unless keyword_args.empty?
        begin
          output = context.invoke(filter[0], output, *filterargs)
        rescue FilterNotFound
--- a/liquid.gemspec
+++ b/liquid.gemspec
@@ -2,7 +2,7 @@

 Gem::Specification.new do |s|
  s.name        = "liquid"
-  s.version     = "2.5.1"
+  s.version     = "2.4.1"
  s.platform    = Gem::Platform::RUBY
  s.summary     = "A secure, non-evaling end user template engine with aesthetic markup."
  s.authors     = ["Tobias Luetke"]
--- a/test/liquid/context_test.rb
+++ b/test/liquid/context_test.rb
@@ -189,10 +189,10 @@ class ContextTest < Test::Unit::TestCase
    end

    context = Context.new
-    assert_equal "Wookie", context.invoke("hi", "Wookie")
-
+    methods_before = context.strainer.methods.map { |method| method.to_s }
    context.add_filters(filter)
-    assert_equal "Wookie hi!", context.invoke("hi", "Wookie")
+    methods_after = context.strainer.methods.map { |method| method.to_s }
+    assert_equal (methods_before + ["hi"]).sort, methods_after.sort
  end

  def test_add_item_in_outer_scope
--- a/test/liquid/drop_test.rb
+++ b/test/liquid/drop_test.rb
@@ -71,29 +71,23 @@ class DropsTest < Test::Unit::TestCase
  include Liquid

  def test_product_drop
+
    assert_nothing_raised do
      tpl = Liquid::Template.parse( '  '  )
      tpl.render('product' => ProductDrop.new)
    end
  end

-  def test_drop_does_only_respond_to_whitelisted_methods
-    assert_equal "", Liquid::Template.parse("{{ product.inspect }}").render('product' => ProductDrop.new)
-    assert_equal "", Liquid::Template.parse("{{ product.pretty_inspect }}").render('product' => ProductDrop.new)
-    assert_equal "", Liquid::Template.parse("{{ product.whatever }}").render('product' => ProductDrop.new)
-    assert_equal "", Liquid::Template.parse('{{ product | map: "inspect" }}').render('product' => ProductDrop.new)
-    assert_equal "", Liquid::Template.parse('{{ product | map: "pretty_inspect" }}').render('product' => ProductDrop.new)
-    assert_equal "", Liquid::Template.parse('{{ product | map: "whatever" }}').render('product' => ProductDrop.new)
-  end
-
  def test_text_drop
    output = Liquid::Template.parse( ' {{ product.texts.text }} '  ).render('product' => ProductDrop.new)
    assert_equal ' text1 ', output
+
  end

  def test_unknown_method
    output = Liquid::Template.parse( ' {{ product.catchall.unknown }} '  ).render('product' => ProductDrop.new)
    assert_equal ' method: unknown ', output
+
  end

  def test_integer_argument_drop
@@ -121,13 +115,6 @@ class DropsTest < Test::Unit::TestCase
    assert_equal '  ', output
  end

-  def test_object_methods_not_allowed
-    [:dup, :clone, :singleton_class, :eval, :class_eval, :inspect].each do |method|
-      output = Liquid::Template.parse(" {{ product.#{method} }} ").render('product' => ProductDrop.new)
-      assert_equal '  ', output
-    end
-  end
-
  def test_scope
    assert_equal '1', Liquid::Template.parse( '{{ context.scopes }}'  ).render('context' => ContextDrop.new)
    assert_equal '2', Liquid::Template.parse( '{%for i in dummy%}{{ context.scopes }}{%endfor%}'  ).render('context' => ContextDrop.new, 'dummy' => [1])
--- a/test/liquid/filter_test.rb
+++ b/test/liquid/filter_test.rb
@@ -16,12 +16,6 @@ module CanadianMoneyFilter
  end
 end

-module SubstituteFilter
-  def substitute(input, params={})
-    input.gsub(/%\{(\w+)\}/) { |match| params[$1] }
-  end
-end
-
 class FiltersTest < Test::Unit::TestCase
  include Liquid

@@ -98,13 +92,6 @@ class FiltersTest < Test::Unit::TestCase

    assert_equal 1000, Variable.new("var | xyzzy").render(@context)
  end
-
-  def test_filter_with_keyword_arguments
-    @context['surname'] = 'john'
-    @context.add_filters(SubstituteFilter)
-    output = Variable.new(%! 'hello %{first_name}, %{last_name}' | substitute: first_name: surname, last_name: 'doe' !).render(@context)
-    assert_equal 'hello john, doe', output
-  end
 end

 class FiltersInTemplate < Test::Unit::TestCase
--- a/test/liquid/security_test.rb
+++ b/test/liquid/security_test.rb
@@ -38,27 +38,4 @@ class SecurityTest < Test::Unit::TestCase

    assert_equal expected, Template.parse(text).render(@assigns, :filters => SecurityFilter)
  end
-
-  def test_does_not_add_filters_to_symbol_table
-    current_symbols = Symbol.all_symbols
-
-    test = %( {{ "some_string" | a_bad_filter }} )
-
-    template = Template.parse(test)
-    assert_equal [], (Symbol.all_symbols - current_symbols)
-
-    template.render
-    assert_equal [], (Symbol.all_symbols - current_symbols)
-  end
-
-  def test_does_not_add_drop_methods_to_symbol_table
-    current_symbols = Symbol.all_symbols
-
-    drop = Drop.new
-    drop.invoke_drop("custom_method_1")
-    drop.invoke_drop("custom_method_2")
-    drop.invoke_drop("custom_method_3")
-
-    assert_equal [], (Symbol.all_symbols - current_symbols)
-  end
 end # SecurityTest
--- a/test/liquid/standard_filter_test.rb
+++ b/test/liquid/standard_filter_test.rb
@@ -86,11 +86,6 @@ class StandardFiltersTest < Test::Unit::TestCase
      'ary' => [{'foo' => {'bar' => 'a'}}, {'foo' => {'bar' => 'b'}}, {'foo' => {'bar' => 'c'}}]
  end

-  def test_map_doesnt_call_arbitrary_stuff
-    assert_equal "", Liquid::Template.parse('{{ "foo" | map: "__id__" }}').render
-    assert_equal "", Liquid::Template.parse('{{ "foo" | map: "inspect" }}').render
-  end
-
  def test_date
    assert_equal 'May', @filters.date(Time.parse("2006-05-05 10:00:00"), "%B")
    assert_equal 'June', @filters.date(Time.parse("2006-06-05 10:00:00"), "%B")
--- a/test/liquid/strainer_test.rb
+++ b/test/liquid/strainer_test.rb
@@ -3,50 +3,23 @@ require 'test_helper'
 class StrainerTest < Test::Unit::TestCase
  include Liquid

-  module AccessScopeFilters
-    def public_filter
-      "public"
-    end
-
-    def private_filter
-      "private"
-    end
-    private :private_filter
-  end
-
-  Strainer.global_filter(AccessScopeFilters)
-
  def test_strainer
    strainer = Strainer.create(nil)
-    assert_equal 5, strainer.invoke('size', 'input')
-    assert_equal "public", strainer.invoke("public_filter")
+    assert_equal false, strainer.respond_to?('__test__')
+    assert_equal false, strainer.respond_to?('test')
+    assert_equal false, strainer.respond_to?('instance_eval')
+    assert_equal false, strainer.respond_to?('__send__')
+    assert_equal true, strainer.respond_to?('size') # from the standard lib
  end

-  def test_strainer_only_invokes_public_filter_methods
+  def test_should_respond_to_two_parameters
    strainer = Strainer.create(nil)
-    assert_equal false, strainer.invokable?('__test__')
-    assert_equal false, strainer.invokable?('test')
-    assert_equal false, strainer.invokable?('instance_eval')
-    assert_equal false, strainer.invokable?('__send__')
-    assert_equal true, strainer.invokable?('size') # from the standard lib
+    assert_equal true, strainer.respond_to?('size', false)
  end

-  def test_strainer_returns_nil_if_no_filter_method_found
-    strainer = Strainer.create(nil)
-    assert_nil strainer.invoke("private_filter")
-    assert_nil strainer.invoke("undef_the_filter")
+  # Asserts that Object#respond_to_missing? is not being undefined in Ruby versions where it has been implemented
+  # Currently this method is only present in Ruby v1.9.2, or higher
+  def test_object_respond_to_missing
+    assert_equal Object.respond_to?(:respond_to_missing?), Strainer.create(nil).respond_to?(:respond_to_missing?)
  end
-
-  def test_strainer_returns_first_argument_if_no_method_and_arguments_given
-    strainer = Strainer.create(nil)
-    assert_equal "password", strainer.invoke("undef_the_method", "password")
-  end
-
-  def test_strainer_only_allows_methods_defined_in_filters
-    strainer = Strainer.create(nil)
-    assert_equal "1 + 1", strainer.invoke("instance_eval", "1 + 1")
-    assert_equal "puts",  strainer.invoke("__send__", "puts", "Hi Mom")
-    assert_equal "has_method?", strainer.invoke("invoke", "has_method?", "invoke")
-  end
-
 end # StrainerTest
--- a/test/liquid/variable_test.rb
+++ b/test/liquid/variable_test.rb
@@ -11,71 +11,71 @@ class VariableTest < Test::Unit::TestCase
  def test_filters
    var = Variable.new('hello | textileze')
    assert_equal 'hello', var.name
-    assert_equal [["textileze",[]]], var.filters
+    assert_equal [[:textileze,[]]], var.filters

    var = Variable.new('hello | textileze | paragraph')
    assert_equal 'hello', var.name
-    assert_equal [["textileze",[]], ["paragraph",[]]], var.filters
+    assert_equal [[:textileze,[]], [:paragraph,[]]], var.filters

    var = Variable.new(%! hello | strftime: '%Y'!)
    assert_equal 'hello', var.name
-    assert_equal [["strftime",["'%Y'"]]], var.filters
+    assert_equal [[:strftime,["'%Y'"]]], var.filters

    var = Variable.new(%! 'typo' | link_to: 'Typo', true !)
    assert_equal %!'typo'!, var.name
-    assert_equal [["link_to",["'Typo'", "true"]]], var.filters
+    assert_equal [[:link_to,["'Typo'", "true"]]], var.filters

    var = Variable.new(%! 'typo' | link_to: 'Typo', false !)
    assert_equal %!'typo'!, var.name
-    assert_equal [["link_to",["'Typo'", "false"]]], var.filters
+    assert_equal [[:link_to,["'Typo'", "false"]]], var.filters

    var = Variable.new(%! 'foo' | repeat: 3 !)
    assert_equal %!'foo'!, var.name
-    assert_equal [["repeat",["3"]]], var.filters
+    assert_equal [[:repeat,["3"]]], var.filters

    var = Variable.new(%! 'foo' | repeat: 3, 3 !)
    assert_equal %!'foo'!, var.name
-    assert_equal [["repeat",["3","3"]]], var.filters
+    assert_equal [[:repeat,["3","3"]]], var.filters

    var = Variable.new(%! 'foo' | repeat: 3, 3, 3 !)
    assert_equal %!'foo'!, var.name
-    assert_equal [["repeat",["3","3","3"]]], var.filters
+    assert_equal [[:repeat,["3","3","3"]]], var.filters

    var = Variable.new(%! hello | strftime: '%Y, okay?'!)
    assert_equal 'hello', var.name
-    assert_equal [["strftime",["'%Y, okay?'"]]], var.filters
+    assert_equal [[:strftime,["'%Y, okay?'"]]], var.filters

    var = Variable.new(%! hello | things: "%Y, okay?", 'the other one'!)
    assert_equal 'hello', var.name
-    assert_equal [["things",["\"%Y, okay?\"","'the other one'"]]], var.filters
+    assert_equal [[:things,["\"%Y, okay?\"","'the other one'"]]], var.filters
  end

  def test_filter_with_date_parameter

    var = Variable.new(%! '2006-06-06' | date: "%m/%d/%Y"!)
    assert_equal "'2006-06-06'", var.name
-    assert_equal [["date",["\"%m/%d/%Y\""]]], var.filters
+    assert_equal [[:date,["\"%m/%d/%Y\""]]], var.filters

  end

  def test_filters_without_whitespace
    var = Variable.new('hello | textileze | paragraph')
    assert_equal 'hello', var.name
-    assert_equal [["textileze",[]], ["paragraph",[]]], var.filters
+    assert_equal [[:textileze,[]], [:paragraph,[]]], var.filters

    var = Variable.new('hello|textileze|paragraph')
    assert_equal 'hello', var.name
-    assert_equal [["textileze",[]], ["paragraph",[]]], var.filters
+    assert_equal [[:textileze,[]], [:paragraph,[]]], var.filters

    var = Variable.new("hello|replace:'foo','bar'|textileze")
    assert_equal 'hello', var.name
-    assert_equal [["replace", ["'foo'", "'bar'"]], ["textileze", []]], var.filters
+    assert_equal [[:replace, ["'foo'", "'bar'"]], [:textileze, []]], var.filters
  end

  def test_symbol
    var = Variable.new("http://disney.com/logo.gif | image: 'med' ")
    assert_equal 'http://disney.com/logo.gif', var.name
-    assert_equal [["image",["'med'"]]], var.filters
+    assert_equal [[:image,["'med'"]]], var.filters
  end

  def test_string_single_quoted
@@ -107,12 +107,6 @@ class VariableTest < Test::Unit::TestCase
    var = Variable.new(%| test.test |)
    assert_equal 'test.test', var.name
  end
-
-  def test_filter_with_keyword_arguments
-    var = Variable.new(%! hello | things: greeting: "world", farewell: 'goodbye'!)
-    assert_equal 'hello', var.name
-    assert_equal [['things',["greeting: \"world\"","farewell: 'goodbye'"]]], var.filters
-  end
 end