Question 11481 in Shopify Question posted in
The Shopify help center can be found here.

Is there a way to limit which files liquid render can render / include – Shopify

I want to build a ruby on rails app where I allow end users to upload their own liquid themes, similar to shopify.

I want to store the files in themes in their own folder and allow the use of render and include to pull in other files/components.

Is there a way when rendering the liquid files to limit what files the rendered liquid file has access to e.g. limit it to the directory it’s in and any subdirectories. To stop the edge case where someone can guess a folder path and go up outside their theme directory and into another theme directory?

Tags:

2

Answers


  1. 0

    I haven’t used liquid before but there is this in the code:

    https://github.com/Shopify/liquid/blob/v5.4.0/lib/liquid/file_system.rb#L46

    Here is a quick sample with a and b folders:

    require 'liquid'

template = Liquid::Template.new

file_system = Liquid::LocalFileSystem.new('a/')

template.registers[:file_system] = file_system
template.parse(file_system.read_template_file('foo'))

puts template.render

    .
├── Gemfile
├── Gemfile.lock
├── a
│   ├── _bar.liquid
│   └── _foo.liquid
├── b
│   └── _other.liquid
└── script.rb

    ➜ cat a/_foo.liquid
<h1>foo</h1> {% for i in (1..3) %} {{ i }} {% endfor %}

{% render 'bar' %}

{% render '../b/other' %}

    ➜ ruby script.rb
<h1>foo</h1>  1  2  3

<h1>bar</h1>  1  2  3


Liquid error: Illegal template name '../b/other'
    Login or Signup to reply.
  2. 0

    You could make use of Liquid::LocalFileSystem.new("/path/to/template/dir/for/user123", "optional_file_pattern")

    It provides an abstract file system that retrieves the template files named in a manner similar to Rails partials which belong to the /path/to/template/dir/for/user123 dir and also optionally match optional_file_pattern if needs be.

    The file pattern parameter if ignored defaults to _%s.liquid, so it can be skipped if you are happy with that or could also restrict matching based on a custom file pattern.

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search