

Merge pull request #133 from PeaWarrior/pmdownx-snippets-security-patch
add pymdownx snippets config override
agentbellnorm authored Aug 16, 2023
2 parents aa04c7c + c64ce0d commit 5066537
Showing 4 changed files with 22 additions and 1 deletion.
3 changes: 3 additions & 0 deletions README.md
Expand Up @@ -146,6 +146,9 @@ We only use `material-mkdocs` as base styles because Backstage also uses the `Ma

### Unreleased

### 1.2.2
- Added config override of `pymdownx.snippets` for [security](https://github.com/facelessuser/pymdown-extensions/security/advisories/GHSA-jh85-wwv9-24hv). `restrict_base_path` will always be `true`. If you currently use snippets with files outside of the directory, those files will no longer be included.

### 1.2.1
- Use latest version of `pymdown-extensions` which contains [security fixes](https://github.com/backstage/mkdocs-techdocs-core/pull/123).

2 changes: 1 addition & 1 deletion setup.py
Expand Up @@ -27,7 +27,7 @@

setup(
name="mkdocs-techdocs-core",
version="1.2.1",
version="1.2.2",
description="The core MkDocs plugin used by Backstage's TechDocs as a wrapper around "
"multiple MkDocs plugins and Python Markdown extensions",
long_description=long_description,
6 changes: 6 additions & 0 deletions src/core.py
Expand Up @@ -50,6 +50,11 @@ def on_config(self, config):
if "mdx_configs" in config:
mdx_configs_override = config["mdx_configs"].copy()

# Pymdown snippets override to prevent legacy behavior impacting security https://github.com/facelessuser/pymdown-extensions/security/advisories/GHSA-jh85-wwv9-24hv
mdx_configs_override["pymdownx.snippets"] = {
"restrict_base_path": True,
}

# Theme
if config["theme"].name != TECHDOCS_DEFAULT_THEME:
config["theme"] = Theme(name=TECHDOCS_DEFAULT_THEME)
Expand Down Expand Up @@ -103,6 +108,7 @@ def on_config(self, config):
config["markdown_extensions"].append("pymdownx.magiclink")
config["markdown_extensions"].append("pymdownx.mark")
config["markdown_extensions"].append("pymdownx.smartsymbols")
config["markdown_extensions"].append("pymdownx.snippets")
config["markdown_extensions"].append("pymdownx.superfences")
config["markdown_extensions"].append("pymdownx.highlight")
config["mdx_configs"]["pymdownx.highlight"] = {
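Review bot: The assignment `mdx_configs_override["pymdownx.snippets"] = {"restrict_base_path": True}` in the first hunk replaces the user's entire `pymdownx.snippets` entry, so any other snippet options they set (`base_path`, `check_paths`, ...) are silently dropped and path resolution falls back to the extension's defaults. If the intent is only to pin the flag, merge instead of overwrite: `snippets = dict(mdx_configs_override.get("pymdownx.snippets", {}))`, `snippets["restrict_base_path"] = True`, `mdx_configs_override["pymdownx.snippets"] = snippets`; if discarding the user's `base_path` is deliberate, say so in the comment and in the README entry, because the current text only promises that `restrict_base_path` is forced. The rendering has lost indentation, so I cannot tell whether the new lines sit inside the `if "mdx_configs" in config:` branch: inside, a config without `mdx_configs` skips the override even though `pymdownx.snippets` is appended unconditionally in the second hunk; outside, `mdx_configs_override` may be unbound on that path — worth confirming against the file. `on_config` starts and ends outside these hunks.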
12 changes: 12 additions & 0 deletions src/test_core.py
Expand Up @@ -99,3 +99,15 @@ def test_template_renders__multiline_value_as_valid_json(self):
rendered = template.render(config=config)
as_json = json.loads(rendered)
self.assertEquals(config, as_json)

def test_restrict_snippet_base_path(self):
self.mkdocs_yaml_config["mdx_configs"] = {
"pymdownx.snippets": {"restrict_base_path": False}
}

final_config = self.techdocscore.on_config(self.mkdocs_yaml_config)

self.assertEqual(
final_config["mdx_configs"]["pymdownx.snippets"]["restrict_base_path"],
True,
)
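Review bot: `test_restrict_snippet_base_path` only covers a user who explicitly sets `restrict_base_path` to False; the more common case — no `pymdownx.snippets` entry, or no `mdx_configs` key at all, whichever the fixture lacks — is not exercised, and that is exactly the path where a regression scoping the override to the user-supplied branch would go unnoticed. Add a second case, e.g. `self.mkdocs_yaml_config.pop("mdx_configs", None)` followed by the same `on_config` call and assertion. Since the expected value is the boolean `True`, `self.assertIs(final_config["mdx_configs"]["pymdownx.snippets"]["restrict_base_path"], True)` states the intent more precisely than `assertEqual`. The enclosing test class starts outside the hunk.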
