Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Limit nested tags to 100 by default #50

Open
edgurgel opened this issue Nov 24, 2020 · 5 comments
Open

Limit nested tags to 100 by default #50

edgurgel opened this issue Nov 24, 2020 · 5 comments
Assignees
@edgurgel
Milestone
Solid 1.0

Comments

@edgurgel
Copy link
Owner

We want to limit how deep a liquid template can get to just like the Liquid gem does: https://github.com/Shopify/liquid/blob/efef03d944157db323f1aed5e19861bf66fe256f/test/integration/security_test.rb#L82-L88
@edgurgel edgurgel added this to the Solid 1.0 milestone Nov 24, 2020
@edgurgel edgurgel self-assigned this Nov 24, 2020
@edgurgel edgurgel mentioned this issue Nov 24, 2020
Closed
@edgurgel edgurgel removed their assignment Feb 28, 2021
@bluzky
Copy link
Contributor

bluzky commented Sep 20, 2021

@edgurgel do you have any idea on this?

When using render tag, it's hard to track nested tag. And we cannot use Context to carry nested tag level because some tag render does not pass context to inner scope.

Another thought is put nested level value in current process, but I think it's kind of hack

@edgurgel
Copy link
Owner Author

edgurgel commented Sep 21, 2021
edited
Loading

🤔
I'm wondering if something like this would work:

def eval(tag, context, options) do
   current_stack_level = context.stack_level

   context = %{context | stack_level: current_stack_level + 1}

    {result, new_context} = case do_eval(tag, context, options) do
      {text, context} -> 
        {text, context}

      text when is_binary(text) -> 
         {[text: text], context}

      text -> 
        {text, context}
    end

    new_context = %{new_context | stack_level: current_stack_level}

    {result, new_context}
end

And we just trust that tags are passing Context around?

If people add custom tags that don't pass the Context around then there is not much we can do to protect them?

And we change the render tag to pass the stack_level maybe through options? Solid.render(..., stack_level: context.stack_level)

What do you think?

The process solution could work if we maybe used the Process dictionary or something else like an ets table? But it feels hacky as you said 🤔

@Jcambass
Copy link
Contributor

Jcambass commented Sep 21, 2021
edited
Loading

If people add custom tags that don't pass the Context around then there is not much we can do to protect them?

Can't the Solig.Tag behaviour be used to at least clarify this expectation?

@edgurgel
Copy link
Owner Author

@Jcambass yeah definitely worth documenting that!

@bluzky
Copy link
Contributor

bluzky commented Sep 21, 2021

@edgurgel I think passing stack_level along with context is good idea.
Regarding custom tag, user should protect themselves 😈 . We provide document as @Jcambass said and that's enough, I think.

@edgurgel edgurgel self-assigned this Aug 1, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@edgurgel edgurgel

Labels
None yet
Projects
None yet
Milestone
Solid 1.0
Development

No branches or pull requests
3 participants
@edgurgel @Jcambass @bluzky