Fix code injection vulnerability in template name handling

claude · claude · commit 54e3d2328aab · 2025-12-31T15:05:20.000Z
Use .inspect for all template/partial names inserted into generated
code strings to prevent code injection via maliciously crafted
template names like: {% render "foo'); system('rm -rf /'); #" %}
diff --git a/lib/liquid/compile/ruby_compiler.rb b/lib/liquid/compile/ruby_compiler.rb
@@ -303,7 +303,7 @@ def compile_partials(code)
               compile_partial_source(source, code)
             rescue => e
               code.line "# Error compiling partial: #{e.message.inspect}"
-              code.line "__partial_output__ << '[PARTIAL ERROR: #{name}]'"
+              code.line "__partial_output__ << '[PARTIAL ERROR: ' + #{name.inspect} + ']'"
             end
 
             code.blank_line
diff --git a/lib/liquid/compile/tags/include_compiler.rb b/lib/liquid/compile/tags/include_compiler.rb
@@ -37,8 +37,8 @@ def self.compile_static_include(tag, template_name, compiler, code)
 
           if partial_source
             if compiler.debug?
-              code.line "# Inlined partial '#{template_name}' at compile time"
-              code.line "$stderr.puts '* WARN: Liquid file system access - inlined partial \\\"#{template_name}\\\" at compile time' if $VERBOSE"
+              code.line "# Inlined partial #{template_name.inspect} at compile time"
+              code.line "$stderr.puts '* WARN: Liquid file system access - inlined partial ' + #{template_name.inspect} + ' at compile time' if $VERBOSE"
             end
             # Generate a unique method name for this partial
             method_name = compiler.register_partial(template_name, partial_source)
diff --git a/lib/liquid/compile/tags/render_compiler.rb b/lib/liquid/compile/tags/render_compiler.rb
@@ -39,8 +39,8 @@ def self.compile_static_render(tag, template_name, compiler, code)
 
           if partial_source
             if compiler.debug?
-              code.line "# Inlined partial '#{template_name}' at compile time"
-              code.line "$stderr.puts '* WARN: Liquid file system access - inlined partial \\\"#{template_name}\\\" at compile time' if $VERBOSE"
+              code.line "# Inlined partial #{template_name.inspect} at compile time"
+              code.line "$stderr.puts '* WARN: Liquid file system access - inlined partial ' + #{template_name.inspect} + ' at compile time' if $VERBOSE"
             end
             # Generate a unique method name for this partial
             method_name = compiler.register_partial(template_name, partial_source)
