Release 💎 3.8.5

Backport #7250 to 3.8.x

History.markdown

@@ -1,3 +1,15 @@
+## 3.8.5 / 2018-11-04
+
+### Bug Fixes
+
+  * Re-implement handling Liquid blocks in excerpts (#7250)
+
+## 3.8.4 / 2018-09-18
+
+### Bug Fixes
+
+  * security: fix `include` bypass of `EntryFilter#filter` symlink check (#7228)
+
 ## 3.8.3 / 2018-06-05
 
 ### Bug Fixes

docs/_config.yml

@@ -1,5 +1,5 @@
 ---
-version: 3.8.3
+version: 3.8.5
 name: Jekyll • Simple, blog-aware, static sites
 description: Transform your plain text into static websites and blogs
 url: https://jekyllrb.com

docs/_docs/history.md

@@ -4,6 +4,24 @@ permalink: "/docs/history/"
 note: This file is autogenerated. Edit /History.markdown instead.
 ---
 
+## 3.8.5 / 2018-11-04
+{: #v3-8-5}
+
+### Bug Fixes
+{: #bug-fixes-v3-8-5}
+
+- Re-implement handling Liquid blocks in excerpts ([#7250]({{ site.repository }}/issues/7250))
+
+
+## 3.8.4 / 2018-09-18
+{: #v3-8-4}
+
+### Bug Fixes
+{: #bug-fixes-v3-8-4}
+
+- security: fix `include` bypass of `EntryFilter#filter` symlink check ([#7228]({{ site.repository }}/issues/7228))
+
+
 ## 3.8.3 / 2018-06-05
 {: #v3-8-3}
 

docs/latest_version.txt

@@ -1 +1 @@
-3.8.3
+3.8.5

lib/jekyll/entry_filter.rb

@@ -31,9 +31,12 @@ module Jekyll
 
     def filter(entries)
       entries.reject do |e|
-        unless included?(e)
-          special?(e) || backup?(e) || excluded?(e) || symlink?(e)
-        end
+        # Reject this entry if it is a symlink.
+        next true if symlink?(e)
+        # Do not reject this entry if it is included.
+        next false if included?(e)
+        # Reject this entry if it is special, a backup file, or excluded.
+        special?(e) || backup?(e) || excluded?(e)
       end
     end
 

lib/jekyll/excerpt.rb

@@ -128,36 +128,47 @@ module Jekyll
     #
     # Returns excerpt String
 
-    LIQUID_TAG_REGEX = %r!{%-?\s*(\w+).+\s*-?%}!m
+    LIQUID_TAG_REGEX = %r!{%-?\s*(\w+)\s*.*?-?%}!m
     MKDWN_LINK_REF_REGEX = %r!^ {0,3}\[[^\]]+\]:.+$!
 
     def extract_excerpt(doc_content)
       head, _, tail = doc_content.to_s.partition(doc.excerpt_separator)
 
-      # append appropriate closing tag (to a Liquid block), to the "head" if the
-      # partitioning resulted in leaving the closing tag somewhere in the "tail"
-      # partition.
-      if head.include?("{%")
-        head =~ LIQUID_TAG_REGEX
-        tag_name = Regexp.last_match(1)
+      # append appropriate closing tag(s) (for each Liquid block), to the `head`
+      # if the partitioning resulted in leaving the closing tag somewhere
+      # in the `tail` partition.
 
-        if liquid_block?(tag_name) && head.match(%r!{%-?\s*end#{tag_name}\s*-?%}!).nil?
-          print_build_warning
+      if head.include?("{%")
+        modified  = false
+        tag_names = head.scan(LIQUID_TAG_REGEX)
+        tag_names.flatten!
+        tag_names.reverse_each do |tag_name|
+          next unless liquid_block?(tag_name)
+          next if head =~ endtag_regex_stash(tag_name)
+
+          modified = true
           head << "\n{% end#{tag_name} %}"
         end
+        print_build_warning if modified
       end
 
-      if tail.empty?
-        head
-      else
-        head.to_s.dup << "\n\n" << tail.scan(MKDWN_LINK_REF_REGEX).join("\n")
-      end
+      return head if tail.empty?
+
+      head << "\n\n" << tail.scan(MKDWN_LINK_REF_REGEX).join("\n")
     end
 
     private
 
+    def endtag_regex_stash(tag_name)
+      @endtag_regex_stash ||= {}
+      @endtag_regex_stash[tag_name] ||= %r!{%-?\s*end#{tag_name}.*?\s*-?%}!m
+    end
+
     def liquid_block?(tag_name)
-      Liquid::Template.tags[tag_name].superclass == Liquid::Block
+      return false unless tag_name.is_a?(String)
+      return false if tag_name.start_with?("end")
+
+      Liquid::Template.tags[tag_name].ancestors.include?(Liquid::Block)
     rescue NoMethodError
       Jekyll.logger.error "Error:",
         "A Liquid tag in the excerpt of #{doc.relative_path} couldn't be " \
@@ -167,12 +178,13 @@ module Jekyll
 
     def print_build_warning
       Jekyll.logger.warn "Warning:", "Excerpt modified in #{doc.relative_path}!"
-      Jekyll.logger.warn "",
-        "Found a Liquid block containing separator '#{doc.excerpt_separator}' and has " \
-        "been modified with the appropriate closing tag."
-      Jekyll.logger.warn "",
-        "Feel free to define a custom excerpt or excerpt_separator in the document's " \
-        "Front Matter if the generated excerpt is unsatisfactory."
+      Jekyll.logger.warn "", "Found a Liquid block containing the excerpt separator" \
+                         " #{doc.excerpt_separator.inspect}. "
+      Jekyll.logger.warn "", "The block has been modified with the appropriate" \
+                         " closing tag."
+      Jekyll.logger.warn "", "Feel free to define a custom excerpt or" \
+                         " excerpt_separator in the document's front matter" \
+                         " if the generated excerpt is unsatisfactory."
     end
   end
 end

lib/jekyll/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Jekyll
-  VERSION = "3.8.3".freeze
+  VERSION = "3.8.5".freeze
 end

test/source/_posts/2018-01-28-closed-liquid-block-excerpt.markdown

@@ -2,10 +2,23 @@
 layout: post
 ---
 
-{% if
-  page.layout == "post" %}
-You’ll find this post in your `_posts` directory.
-To add new posts, simply add a file in the `_posts` directory.
-{% endif %}
+{%
+  highlight
+  ruby
+%}
+{% assign foo = 'foobar' %}
+{% raw
+%}
+def print_hi(name)
+  puts "Hi, #{name}"
+end
+print_hi('Tom')
+#=> prints 'Hi, Tom' to STDOUT.
+{%
+  endraw
+%}
+{%
+  endhighlight
+%}
 
 So let's talk business.

test/source/_posts/2018-01-28-open-liquid-block-excerpt.markdown

@@ -2,10 +2,20 @@
 layout: post
 ---
 
-{% if page.layout == "post" %}
-  You’ll find this post in your `_posts` directory.
+{%
+  highlight
+  ruby
+%}
+{% assign foo = 'foobar' %}
+{% raw
+%}
+def print_hi(name)
+  puts "Hi, #{name}"
+end
 
-{% else %}
+print_hi('Tom')
+#=> prints 'Hi, Tom' to STDOUT.
+{% endraw %}
+{% endhighlight %}
 
-  To add new posts, simply add a file in the `_posts` directory.
-{% endif %}
+So let's talk business.

test/source/symlink-test/symlinked-file-outside-source

@@ -0,0 +1 @@
+/etc/passwd

test/test_entry_filter.rb

@@ -5,7 +5,7 @@ require "helper"
 class TestEntryFilter < JekyllUnitTest
   context "Filtering entries" do
     setup do
-      @site = Site.new(site_configuration)
+      @site = fixture_site
     end
 
     should "filter entries" do
@@ -87,7 +87,7 @@ class TestEntryFilter < JekyllUnitTest
       # no support for symlinks on Windows
       skip_if_windows "Jekyll does not currently support symlinks on Windows."
 
-      site = Site.new(site_configuration("safe" => true))
+      site = fixture_site("safe" => true)
       site.reader.read_directories("symlink-test")
 
       assert_equal %w(main.scss symlinked-file).length, site.pages.length
@@ -99,11 +99,22 @@ class TestEntryFilter < JekyllUnitTest
       # no support for symlinks on Windows
       skip_if_windows "Jekyll does not currently support symlinks on Windows."
 
-      site = Site.new(site_configuration)
+      @site.reader.read_directories("symlink-test")
+      refute_equal [], @site.pages
+      refute_equal [], @site.static_files
+    end
 
+    should "include only safe symlinks in safe mode even when included" do
+      # no support for symlinks on Windows
+      skip_if_windows "Jekyll does not currently support symlinks on Windows."
+
+      site = fixture_site("safe" => true, "include" => ["symlinked-file-outside-source"])
       site.reader.read_directories("symlink-test")
-      refute_equal [], site.pages
-      refute_equal [], site.static_files
+
+      # rubocop:disable Performance/FixedSize
+      assert_equal %w(main.scss symlinked-file).length, site.pages.length
+      refute_includes site.static_files.map(&:name), "symlinked-file-outside-source"
+      # rubocop:enable Performance/FixedSize
     end
   end
 

test/test_excerpt.rb

@@ -185,12 +185,17 @@ class TestExcerpt < JekyllUnitTest
       @post = setup_post("2018-01-28-open-liquid-block-excerpt.markdown")
       @excerpt = @post.data["excerpt"]
 
-      assert_includes @post.content, "{% if"
-      refute_includes @post.content.split("\n\n")[0], "{% endif %}"
+      head = @post.content.split("\n\n")[0]
+
+      assert_includes @post.content, "{%\n  highlight\n"
+      assert_includes @post.content, "{% raw"
+      refute_includes head, "{% endraw %}"
+      refute_includes head, "{% endhighlight %}"
     end
 
     should "be appended to as necessary and generated" do
-      assert_includes @excerpt.content, "{% endif %}"
+      assert_includes @excerpt.content, "{% endraw %}"
+      assert_includes @excerpt.content, "{% endhighlight %}"
       assert_equal true, @excerpt.is_a?(Jekyll::Excerpt)
     end
   end
@@ -202,13 +207,19 @@ class TestExcerpt < JekyllUnitTest
       @post = setup_post("2018-01-28-closed-liquid-block-excerpt.markdown")
       @excerpt = @post.data["excerpt"]
 
-      assert_includes @post.content, "{% if"
-      assert_includes @post.content.split("\n\n")[0], "{% endif %}"
+      head = @post.content.split("\n\n")[0]
+
+      assert_includes @post.content, "{%\n  highlight\n"
+      assert_includes @post.content, "{% raw"
+      assert_includes head, "{%\n  endraw\n%}"
+      assert_includes head, "{%\n  endhighlight\n%}"
     end
 
     should "not be appended to but generated as is" do
-      assert_includes @excerpt.content, "{% endif %}"
-      refute_includes @excerpt.content, "{% endif %}\n\n{% endif %}"
+      assert_includes @excerpt.content, "{%\n  endraw\n%}"
+      assert_includes @excerpt.content, "{%\n  endhighlight\n%}"
+      refute_includes @excerpt.content, "{%\n  endraw\n%}\n\n{% endraw %}"
+      refute_includes @excerpt.content, "{%\n  endhighlight\n%}\n\n{% endhighlight %}"
       assert_equal true, @excerpt.is_a?(Jekyll::Excerpt)
     end
   end

test/test_layout_reader.rb

@@ -31,5 +31,51 @@ class TestLayoutReader < JekyllUnitTest
         assert_equal LayoutReader.new(@site).layout_directory, source_dir("blah/_layouts")
       end
     end
+
+    context "when a layout is a symlink" do
+      setup do
+        FileUtils.ln_sf("/etc/passwd", source_dir("_layouts", "symlink.html"))
+        @site = fixture_site(
+          "safe"    => true,
+          "include" => ["symlink.html"]
+        )
+      end
+
+      teardown do
+        FileUtils.rm(source_dir("_layouts", "symlink.html"))
+      end
+
+      should "only read the layouts which are in the site" do
+        skip_if_windows "Jekyll does not currently support symlinks on Windows."
+
+        layouts = LayoutReader.new(@site).read
+
+        refute layouts.key?("symlink"), "Should not read the symlinked layout"
+      end
+    end
+
+    context "with a theme" do
+      setup do
+        FileUtils.ln_sf("/etc/passwd", theme_dir("_layouts", "theme-symlink.html"))
+        @site = fixture_site(
+          "include" => ["theme-symlink.html"],
+          "theme"   => "test-theme",
+          "safe"    => true
+        )
+      end
+
+      teardown do
+        FileUtils.rm(theme_dir("_layouts", "theme-symlink.html"))
+      end
+
+      should "not read a symlink'd theme" do
+        skip_if_windows "Jekyll does not currently support symlinks on Windows."
+
+        layouts = LayoutReader.new(@site).read
+
+        refute layouts.key?("theme-symlink"), \
+               "Should not read symlinked layout from theme"
+      end
+    end
   end
 end