LiquidJS Symlink-Based Template Root Restriction Bypass Vulnerability

Vulnerability

A vulnerability in LiquidJS versions prior to 10.25.3 allows for a bypass of template root restrictions through the use of symlinked files. The issue arises because LiquidJS checks whether a file path is within the allowed partials or layouts directories using a path-based method that does not resolve symlinks to their actual targets. This flaw can be exploited in environments where an attacker can manipulate templates or files within a trusted template root, such as through uploaded themes or repository-controlled template directories. By placing a symlinked file that points to a location outside the permitted directory, an attacker can trick LiquidJS into rendering the external file, potentially exposing sensitive information.

Impact

Exploitation of this vulnerability allows for arbitrary file reading by placing symlinks in a trusted template directory that point to files outside the allowed root. This could lead to the disclosure of sensitive information from the filesystem.

Reproduction

To reproduce this vulnerability, create a symlinked file within the allowed partials or layouts directory that points to a file outside of it. When the template engine is instructed to render the symlinked file, the path-based check passes because the link itself sits inside the allowed directory, and the file read then follows the symlink to the external file, bypassing the intended directory restrictions.

Remediation

Users can upgrade to LiquidJS version 10.25.3 or later, where this vulnerability has been fixed.
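
The following is an added example, not LiquidJS code and not part of the original advisory. It contrasts a path-string containment check with one that resolves symlinks first, and adds an audit that lists symlinks under a template root whose real target lies outside it. All function names and the temporary fixture are hypothetical and constructed for illustration.

```javascript
// Added example, not LiquidJS source. All names below are hypothetical.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// True when a relative path is empty, climbs out of the root, or is absolute.
const escapes = (rel) =>
  rel === '' || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);

// Path-string containment only: a symlink inside root passes, whatever it targets.
function insideLexical(root, file) {
  return !escapes(path.relative(path.resolve(root), path.resolve(file)));
}

// Containment after resolving symlinks on both sides (root may itself be a link).
function insideReal(root, file) {
  return !escapes(path.relative(fs.realpathSync(root), fs.realpathSync(file)));
}

// Audit: list symlinks under root whose real target is outside root or dangling.
function findEscapingSymlinks(root, dir = root, hits = []) {
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const full = path.join(dir, entry.name);
    if (entry.isSymbolicLink()) {
      let ok = false;
      try { ok = insideReal(root, full); } catch { ok = false; } // dangling link
      if (!ok) hits.push(full);
    } else if (entry.isDirectory()) {
      findEscapingSymlinks(root, full, hits); // symlinked dirs are not followed
    }
  }
  return hits;
}

// Constructed fixture: root/partials/{ok.liquid, leak.liquid -> outside/secret.txt}
function buildDemoTree() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'tplroot-'));
  const root = path.join(base, 'root');
  const secret = path.join(base, 'outside', 'secret.txt');
  fs.mkdirSync(path.join(root, 'partials'), { recursive: true });
  fs.mkdirSync(path.join(base, 'outside'));
  fs.writeFileSync(secret, 'constructed sample');
  const ok = path.join(root, 'partials', 'ok.liquid');
  fs.writeFileSync(ok, 'hello');
  const leak = path.join(root, 'partials', 'leak.liquid');
  fs.symlinkSync(secret, leak);
  return { root, ok, leak };
}
```

Running `findEscapingSymlinks` over upload or theme directories before they are handed to the engine flags links that a path-string check alone would accept.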

Added: Apr 8, 2026, 10:58 PM
Updated: Apr 8, 2026, 10:58 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 1.3
exploitability: 4.0
remediation: 7.7
relevance: 5.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.