Assess safety of website from liquid injections #2141
Comments
Progress: I've read up on how Liquid injections can occur and located files where data is read from JSONs on the site and whether they use uri_escape. I still need to look through all the JSON data and gain a clearer understanding of how it is used on the site.
Progress: I've checked everywhere that JSON data is used on the site. Everything is covered by uri_escape except for a few spots, and it looks like those render data from an already escaped object (I plan on double-checking this because I'm a little confused right now). As far as I can tell from what I've been reading, since we're not dealing with any HTTP, there's not really any other way for an attack to get through. I'm definitely planning on doing more testing to be sure, though.
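The audit described in the two progress updates above (find every place a template outputs `site.data` values and check whether an escaping filter such as `uri_escape` is applied) can be scripted. The following is an added example written for this page, not code from the hackforla/website project; the template text, file layout and the allow-list of filter names are constructed for illustration, and the allow-list is a conservative reviewer aid rather than Jekyll's definition of "safe".

```ruby
# Added example (not from the hackforla/website project): scans a Liquid template
# for output tags ({{ ... }}) that read from site.data and reports which ones pass
# through an escaping filter and which do not. Filters are matched by name only;
# whether the chosen filter is right for the output context (HTML body, attribute,
# URL, <script>) is still a reviewer's call.
#
# Assumptions (constructed): the sample template below is made up, and the filter
# list is an allow-list chosen for this example.

ESCAPING_FILTERS = %w[uri_escape escape escape_once jsonify cgi_escape url_encode xml_escape].freeze

# Matches one Liquid output tag on a line and captures its body,
# e.g. "site.data.foo.bar | uri_escape". Tags that span lines are not matched.
OUTPUT_TAG = /\{\{-?\s*(.*?)\s*-?\}\}/

# Returns an array of hashes, one per site.data output tag found in `template`:
# { line:, expression:, filters:, escaped: }.
def audit_data_outputs(template)
  findings = []
  template.each_line.with_index(1) do |line, lineno|
    line.scan(OUTPUT_TAG) do |match|
      body = match.first
      next unless body.include?("site.data")
      parts = body.split("|").map(&:strip)
      expression = parts.first
      # A filter may carry arguments ("truncate: 40"); keep only its name.
      filters = parts.drop(1).map { |f| f.split(":").first.strip }
      findings << {
        line: lineno,
        expression: expression,
        filters: filters,
        escaped: (filters & ESCAPING_FILTERS).any?,
      }
    end
  end
  findings
end

# The outputs a reviewer should look at first: data values emitted with no escaping filter.
def unescaped_data_outputs(template)
  audit_data_outputs(template).reject { |f| f[:escaped] }
end

# Constructed sample template covering the common shapes: bare output, uri_escape,
# a non-data variable, jsonify inside <script>, a filter chain, and a non-escaping filter.
SAMPLE_TEMPLATE = <<~LIQUID
  <h2>{{ site.data.events.title }}</h2>
  <a href="/events/{{ site.data.events.slug | uri_escape }}">Link</a>
  <p>{{ page.title }}</p>
  <script>var events = {{ site.data.events | jsonify }};</script>
  <p>{{ site.data.events.blurb | truncate: 40 | escape }}</p>
  <p>{{ site.data.events.note | downcase }}</p>
LIQUID

if __FILE__ == $PROGRAM_NAME
  unescaped_data_outputs(SAMPLE_TEMPLATE).each do |f|
    puts "line #{f[:line]}: {{ #{f[:expression]} }} has no escaping filter (filters: #{f[:filters].inspect})"
  end
end
```

Run against the sample, the script flags lines 1 and 6 (no filter, and `downcase` only) and passes the `uri_escape`, `jsonify` and `truncate | escape` cases; pointing `audit_data_outputs` at the contents of each file under `_includes` and `_layouts` gives the same list for a real site.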
Progress: Just need to finish my write-up. Had some interviews this week, so I didn't have as much time to work on this issue as originally anticipated.
Good morning @tamara-snyder, write-up looks good. I really don't know much about Liquid, so it was cool to learn some things. I added a couple of comments that might be helpful for organization / clarification, but overall, great job!
Please add an update using the below template (even if you have a pull request). Afterwards, remove the 'To Update !' label and add the 'Status: Updated' label.
If you need help, be sure to either: 1) place your issue in the developer meeting discussion column and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel. You are receiving this comment because your last comment was before Tuesday, April 26, 2022 at 12:21 AM PST.
Progress: I need to make updates according to the feedback in the Google doc.
Please add an update using the below template (even if you have a pull request). Afterwards, remove the 'To Update !' label and add the 'Status: Updated' label.
If you need help, be sure to either: 1) place your issue in the developer meeting discussion column and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel. You are receiving this comment because your last comment was before Tuesday, May 10, 2022 at 12:23 AM PST.
@Sparky-code @JessicaLucindaCheng Thank you both for your feedback on this doc! I've edited it based on your comments and left a clarification question for Devin. Would love to get a re-review when you get the chance.
@tamara-snyder Sounds great, I'll take a look in the timeframe below.
@Sparky-code @JessicaLucindaCheng I believe I have resolved Devin's last comment. If you get a chance, a final review of the doc would be helpful. In the meantime, I can get to work writing the issues to make these fixes. Realistically, that will probably be done next week.
@tamara-snyder looks great! Reads very clearly now. 👍
@tamara-snyder Sorry for the delay in reviewing your write-up again. Everything looks good now. The write-up is clear and concise. Good job.
Please add an update using the below template (even if you have a pull request). Afterwards, remove the 'To Update !' label and add the 'Status: Updated' label.
If you need help, be sure to either: 1) place your issue in the developer meeting discussion column and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel. You are receiving this comment because your last comment was before Tuesday, May 31, 2022 at 12:19 AM PST.
Progress: Just need to write the issues. Haven't had time this week and I'm traveling the next couple of days, so will work on this next week.
Please add an update using the below template (even if you have a pull request). Afterwards, remove the 'To Update !' label and add the 'Status: Updated' label.
If you need help, be sure to either: 1) place your issue in the developer meeting discussion column and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel. You are receiving this comment because your last comment was before Tuesday, June 21, 2022 at 12:20 AM PST.
My issue has been reviewed, edited, and approved by two people, so I am closing this issue. |
Overview
As a developer, we must investigate new potential sources of attack, so that we can defend against them.
Action Items
Resources/Instructions
Inlining JSON in a Jekyll Liquid Template
escape – Liquid template language
data directory
#2139