harttle liquidjs
cpe:2.3:a:liquidjs:liquidjs:*:*:*:*:node.js:*:*
- < 10.25.0
A path traversal vulnerability has been identified in LiquidJS, a template engine compatible with Shopify and GitHub Pages. This vulnerability exists in versions prior to 10.25.0 and allows arbitrary file access through absolute paths. The issue arises in the layout, render, and include tags, which can be exploited using string literals or Liquid variables. The latter requires dynamicPartials to be enabled, which is the default setting. This vulnerability poses a security risk when users can control template content or specify file paths as Liquid variables.
Exploitation of this vulnerability could lead to unauthorized access to files on the server, potentially allowing attackers to read sensitive information or manipulate files in a way that could compromise the application or its data.
To reproduce this vulnerability, create a LiquidJS template that includes a layout, render, or include tag. Set the dynamicPartials option to true, and use a Liquid variable to specify the file path, pointing to an arbitrary file on the server, such as '/etc/passwd'. When the template is rendered, the specified file will be accessed, demonstrating the path traversal vulnerability.
Users can upgrade to LiquidJS version 10.25.0 or later, where this vulnerability has been fixed. Alternatively, the default 'fs' option can be overridden to implement custom file access controls that prevent path traversal.
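The second mitigation, overriding the 'fs' option, can look like the following. This is an added example, not LiquidJS code or the project's own fix: the method names are assumed to follow the LiquidJS 'fs' interface, confinedFs and demo are hypothetical names, and the object would be passed as the fs option together with the same template root.

```javascript
// Added example (not LiquidJS source): an object shaped like the LiquidJS `fs`
// option that only serves files located under one template root.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

function confinedFs(root) {
  const base = fs.realpathSync(root); // canonical root, symlinks resolved
  // Return the canonical path of `file`, or throw if it leaves `base`.
  function check(file) {
    const abs = path.resolve(base, file); // an absolute `file` replaces `base` here
    const real = fs.existsSync(abs) ? fs.realpathSync(abs) : abs;
    const rel = path.relative(base, real);
    if (rel === '' || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
      throw new Error('template path outside root: ' + file);
    }
    return real;
  }
  const isFile = (file) => {
    try { return fs.statSync(check(file)).isFile(); } catch (e) { return false; }
  };
  return {
    resolve: (dir, file, ext) => path.resolve(dir, path.extname(file) ? file : file + ext),
    existsSync: isFile,
    exists: async (file) => isFile(file),
    readFileSync: (file) => fs.readFileSync(check(file), 'utf8'),
    readFile: async (file) => fs.promises.readFile(check(file), 'utf8'),
    dirname: (file) => path.dirname(file),
    sep: path.sep,
  };
}

// Constructed sample: a throwaway root holding one partial.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'tpl-'));
  fs.writeFileSync(path.join(root, 'header.liquid'), 'Hello');
  const cfs = confinedFs(root);
  const blocked = (p) => { try { cfs.readFileSync(p); return false; } catch (e) { return true; } };
  return {
    inside: cfs.readFileSync(cfs.resolve(root, 'header', '.liquid')),
    absoluteBlocked: blocked('/etc/passwd') && !cfs.existsSync('/etc/passwd'),
    dotDotBlocked: blocked(path.join(root, '..', 'secret.liquid')),
  };
}
```

The check runs on every read and existence test rather than only in resolve, so a path that reaches the file layer by any route is still compared against the canonical root.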