Lack of data validation - Path Traversal in python-liquid
Description
python-liquid: Absolute paths escape filesystem loader search path
Impact
The built-in FileSystemLoader and CachingFileSystemLoader do not guard against reading files outside their search paths when given an absolute path to resolve. This allows malicious template authors to load and render arbitrary files via the {% include %} and {% render %} tags. Targeted files would need to contain valid Liquid markup and be readable by the application process.
Patches
The issue is fixed in version 2.2.0 with the inclusion of a template_path.is_absolute() condition in liquid/builtin/loaders/file_system_loader.py.
if os.path.pardir in template_path.parts or template_path.is_absolute():
    raise TemplateNotFoundError(template_name)
Workarounds
Create a custom template loader by inheriting from FileSystemLoader and overriding resolve_path(). Use an instance of the custom loader as the loader argument when instantiating your Liquid environment.
import os
from pathlib import Path
from liquid import Environment
from liquid import FileSystemLoader
from liquid.exceptions import TemplateNotFoundError
...
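The override described above, as an added example that is not python-liquid's own code: the resolution logic a custom resolve_path() would apply, written stand-alone with a pre-2.2.0 variant beside it so the contrast runs without the package installed. The function names, the TemplateNotFoundError stand-in and the temporary-directory layout are assumptions; a real subclass would raise liquid.exceptions.TemplateNotFoundError (imported in the snippet above) and be passed as the loader argument to Environment.

```python
import os
import tempfile
from pathlib import Path
class TemplateNotFoundError(Exception):
    """Stand-in for liquid.exceptions.TemplateNotFoundError (assumed name)."""

def unsafe_resolve_path(search_path, template_name):
    """Pre-2.2.0 logic: only '..' is rejected, so an absolute name replaces base in joinpath()."""
    template_path = Path(template_name)
    if os.path.pardir in template_path.parts:
        raise TemplateNotFoundError(template_name)
    for base in search_path:
        candidate = base.joinpath(template_path)  # Path('/srv/tpl').joinpath('/x/y') == Path('/x/y')
        if candidate.exists():
            return candidate
    raise TemplateNotFoundError(template_name)

def safe_resolve_path(search_path, template_name):
    """Hardened resolve_path() logic: reject '..' and absolute names, then confirm the file is inside a search dir."""
    template_path = Path(template_name)
    if os.path.pardir in template_path.parts or template_path.is_absolute():
        raise TemplateNotFoundError(template_name)
    for base in search_path:
        base = base.resolve()
        candidate = base.joinpath(template_path).resolve()
        if base in candidate.parents and candidate.is_file():  # also catches symlinks pointing outside
            return candidate
    raise TemplateNotFoundError(template_name)

def rejected(search_path, template_name):
    try:
        safe_resolve_path(search_path, template_name)
    except TemplateNotFoundError:
        return True
    return False

def demo():
    """Constructed layout: a search dir holding one template, plus a file outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        templates = Path(tmp) / "templates"
        templates.mkdir()
        (templates / "page.liquid").write_text("Hello {{ name }}")
        outside = Path(tmp) / "outside.liquid"
        outside.write_text("{{ 'not a template' }}")
        return {
            "relative_ok": safe_resolve_path([templates], "page.liquid") == (templates / "page.liquid").resolve(),
            "unsafe_absolute": unsafe_resolve_path([templates], str(outside)) == outside,
            "safe_absolute_rejected": rejected([templates], str(outside)),
            "safe_dotdot_rejected": rejected([templates], "../outside.liquid"),
        }
```

demo() shows the pre-2.2.0 check resolving a file outside the search path while the hardened check refuses both the absolute name and a '..' segment.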
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| pypi | python-liquid |  | 2.2.0 |