Skip to content

feat(filters): add sha256 and hmac_sha256 filters for cryptographic operations#889

Merged
harttle merged 1 commit into
harttle:masterfrom
VladimirFilonov:feature/884-add-sha256-and-hmac_sha256
May 3, 2026
Merged

feat(filters): add sha256 and hmac_sha256 filters for cryptographic operations#889
harttle merged 1 commit into
harttle:masterfrom
VladimirFilonov:feature/884-add-sha256-and-hmac_sha256

Conversation

@VladimirFilonov

Copy link
Copy Markdown
Contributor

Summary

Adds two Shopify filters — sha256 and hmac_sha256 to LiquidJS core. Both are part of the Shopify Liquid filter set but are not currently implemented in LiquidJS.

Closes #884.

Changes

  • New filters: sha256 and hmac_sha256, output as lowercase hex digest.
  • Platform-specific implementation (mirrors the base64 split):
    • Node: synchronous, uses node:crypto (createHash / createHmac).
    • Browser: asynchronous, uses Web Crypto (crypto.subtle.digest, crypto.subtle.importKey + crypto.subtle.sign).
  • Rollup integration: a new browserCrypto replace block swaps ./crypto-impl for ../build/crypto-impl-browser in the browser bundles, alongside the existing browserBase64 block. 'crypto' is added to the Node bundles' external list.
  • Memory accounting: input length is reported via this.context.memoryLimit.use.

Implementation details

  • src/filters/crypto.ts — filter handlers (sha256, hmac_sha256).
  • src/filters/crypto-impl.ts — Node implementation (sync).
  • src/build/crypto-impl-browser.ts — browser implementation (async, returns Promise<string>).
  • src/filters/index.ts — registers the new filter module.
  • rollup.config.mjsbrowserCrypto source replacement + crypto external.
  • test/integration/filters/crypto.spec.ts, src/build/crypto-impl-browser.spec.ts — tests.
  • docs/source/filters/{sha256,hmac_sha256}.md, docs/source/filters/overview.md — docs.

Shopify compatibility

  • Matches Shopify's exact output for sha256:
    {{ 'Polyjuice' | sha256 }}44ac1d7a2936e30a5de07082fd65d6fe9b1fb658a1a98bfe65bc5959beac5dd0
  • Matches Shopify's exact output for hmac_sha256:
    {{ 'Polyjuice' | hmac_sha256: 'Polina' }}8e0d5d65cff1242a4af66c8f4a32854fd5fb80edcc8aabe9b302b29c7c71dc20
  • Stringifies non-string input (numbers, booleans) and coerces undefined / null to the empty string, consistent with the existing base64_encode filter.

Notes

  • No new runtime dependency: node:crypto is built-in; crypto.subtle is on globalThis in supported browsers.
  • Browser bundles return a Promise<string> (Web Crypto is async-only), so synchronous rendering of these two filters is not supported in the browser. Node bundles return a string and work with parseAndRenderSync.
  • Web Crypto's importKey('raw', ...) rejects zero-length HMAC keys, so empty keys are unsupported in the browser; Node's createHmac accepts them and the Node integration test covers that edge case.

Testing

  • Unit tests for the browser implementation (Shopify reference vectors, empty string, unicode).
  • Integration tests covering the two Shopify reference outputs, undefined / null / numeric / boolean coercion, numeric HMAC keys, and empty input.

Breaking changes

None

@harttle harttle merged commit 1c816d4 into harttle:master May 3, 2026
14 checks passed
@harttle

harttle commented May 3, 2026

Copy link
Copy Markdown
Owner

@all-contributors please add @VladimirFilonov for code

@allcontributors

Copy link
Copy Markdown
Contributor

@harttle

I've put up a pull request to add @VladimirFilonov! 🎉

github-actions Bot pushed a commit that referenced this pull request May 14, 2026
# [10.26.0](v10.25.7...v10.26.0) (2026-05-14)

### Bug Fixes

* **date:** cap strftime widths and account padding in memoryLimit ([#895](#895)) ([3129d46](3129d46))
* enforce renderLimit for empty renderTemplates calls ([#894](#894)) ([5b9c346](5b9c346))
* propagate ownPropertyOnly into Context.spawn() for {% render %} ([#893](#893)) ([dbbf628](dbbf628))
* **security:** block Object.prototype filter/tag lookups (RCE) ([#897](#897)) ([457fae0](457fae0))
* strip html newline tags ([#892](#892)) ([26ea285](26ea285))
* **strip_html:** rewrite as linear single-pass scan to avoid ReDoS ([#896](#896)) ([3616a74](3616a74))

### Features

* add sha256 and hmac_sha256 filters for cryptographic operations ([#889](#889)) ([1c816d4](1c816d4))
@github-actions

Copy link
Copy Markdown

🎉 This PR is included in version 10.26.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

VladimirFilonov added a commit to elastic/kibana that referenced this pull request May 21, 2026
…hmac_sha256 filters (#269989)

## Summary

Adopts Shopify-compatible `sha256` and `hmac_sha256` Liquid filters for
Workflows by upgrading [liquidjs to
10.26.0](https://github.com/harttle/liquidjs/releases/tag/v10.26.0)
([harttle/liquidjs#889](harttle/liquidjs#889)).
Filter behavior comes from liquidjs core—no custom server-side
implementations.

- **Execution (server):** Built-in filters work via
`createWorkflowLiquidEngine()` with existing `renderSync` /
`evalValueSync` (Node `crypto`).
- **Editor autocomplete:** Added `sha256` and `hmac_sha256` entries with
Shopify reference examples.
- **Hover preview (browser):** Switched `evaluateExpression` to async
`evalValue` so crypto filters resolve correctly in the browser bundle
(Web Crypto is async-only). Hover only shows evaluated filter output
when viewing an execution on the **Executions** tab and hovering on the
filter segment inside `{{ }}`.

## Changes

| Area | Change |
|------|--------|
| `package.json` / `yarn.lock` | `liquidjs` `10.25.7` → `10.26.0` |
| `liquid_completions.ts` | Autocomplete for `sha256`, `hmac_sha256` |
| `templating_engine.test.ts` | Server tests (Shopify reference vectors)
|
| `liquid_parse_cache.test.ts` | Parse/validation tests for built-in
crypto filters |
| `evaluate_expression.ts` | `evalValueSync` → `await evalValue` for
browser crypto |
| `unified_hover_provider.ts` | `await evaluateExpression(...)` |
| `evaluate_expression.test.ts` | Async tests + crypto filter coverage |

**Not changed:** `templating_engine.ts`, `liquid_parse_cache.ts` — no
`registerFilter` stubs needed for built-in filters.

## Examples:

```yaml
name: Crypto filters
enabled: true
triggers:
  - type: manual
    inputs:
      - name: message
        type: string
        default: "hello world"

consts:
  secret: "secret"

steps:
  - name: hmac_sha256
    type: console
    with:
      message: "{{ inputs.message | hmac_sha256: consts.secret }}"

  - name: sha256
    type: console
    with:
      message: "{{ inputs.message | sha256 }}"

```

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
paulinashakirova pushed a commit to paulinashakirova/kibana that referenced this pull request May 22, 2026
…hmac_sha256 filters (elastic#269989)

## Summary

Adopts Shopify-compatible `sha256` and `hmac_sha256` Liquid filters for
Workflows by upgrading [liquidjs to
10.26.0](https://github.com/harttle/liquidjs/releases/tag/v10.26.0)
([harttle/liquidjs#889](harttle/liquidjs#889)).
Filter behavior comes from liquidjs core—no custom server-side
implementations.

- **Execution (server):** Built-in filters work via
`createWorkflowLiquidEngine()` with existing `renderSync` /
`evalValueSync` (Node `crypto`).
- **Editor autocomplete:** Added `sha256` and `hmac_sha256` entries with
Shopify reference examples.
- **Hover preview (browser):** Switched `evaluateExpression` to async
`evalValue` so crypto filters resolve correctly in the browser bundle
(Web Crypto is async-only). Hover only shows evaluated filter output
when viewing an execution on the **Executions** tab and hovering on the
filter segment inside `{{ }}`.

## Changes

| Area | Change |
|------|--------|
| `package.json` / `yarn.lock` | `liquidjs` `10.25.7` → `10.26.0` |
| `liquid_completions.ts` | Autocomplete for `sha256`, `hmac_sha256` |
| `templating_engine.test.ts` | Server tests (Shopify reference vectors)
|
| `liquid_parse_cache.test.ts` | Parse/validation tests for built-in
crypto filters |
| `evaluate_expression.ts` | `evalValueSync` → `await evalValue` for
browser crypto |
| `unified_hover_provider.ts` | `await evaluateExpression(...)` |
| `evaluate_expression.test.ts` | Async tests + crypto filter coverage |

**Not changed:** `templating_engine.ts`, `liquid_parse_cache.ts` — no
`registerFilter` stubs needed for built-in filters.

## Examples:

```yaml
name: Crypto filters
enabled: true
triggers:
  - type: manual
    inputs:
      - name: message
        type: string
        default: "hello world"

consts:
  secret: "secret"

steps:
  - name: hmac_sha256
    type: console
    with:
      message: "{{ inputs.message | hmac_sha256: consts.secret }}"

  - name: sha256
    type: console
    with:
      message: "{{ inputs.message | sha256 }}"

```

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
jcger pushed a commit to elastic/kibana that referenced this pull request May 26, 2026
…hmac_sha256 filters (#269989)

## Summary

Adopts Shopify-compatible `sha256` and `hmac_sha256` Liquid filters for
Workflows by upgrading [liquidjs to
10.26.0](https://github.com/harttle/liquidjs/releases/tag/v10.26.0)
([harttle/liquidjs#889](harttle/liquidjs#889)).
Filter behavior comes from liquidjs core—no custom server-side
implementations.

- **Execution (server):** Built-in filters work via
`createWorkflowLiquidEngine()` with existing `renderSync` /
`evalValueSync` (Node `crypto`).
- **Editor autocomplete:** Added `sha256` and `hmac_sha256` entries with
Shopify reference examples.
- **Hover preview (browser):** Switched `evaluateExpression` to async
`evalValue` so crypto filters resolve correctly in the browser bundle
(Web Crypto is async-only). Hover only shows evaluated filter output
when viewing an execution on the **Executions** tab and hovering on the
filter segment inside `{{ }}`.

## Changes

| Area | Change |
|------|--------|
| `package.json` / `yarn.lock` | `liquidjs` `10.25.7` → `10.26.0` |
| `liquid_completions.ts` | Autocomplete for `sha256`, `hmac_sha256` |
| `templating_engine.test.ts` | Server tests (Shopify reference vectors)
|
| `liquid_parse_cache.test.ts` | Parse/validation tests for built-in
crypto filters |
| `evaluate_expression.ts` | `evalValueSync` → `await evalValue` for
browser crypto |
| `unified_hover_provider.ts` | `await evaluateExpression(...)` |
| `evaluate_expression.test.ts` | Async tests + crypto filter coverage |

**Not changed:** `templating_engine.ts`, `liquid_parse_cache.ts` — no
`registerFilter` stubs needed for built-in filters.

## Examples:

```yaml
name: Crypto filters
enabled: true
triggers:
  - type: manual
    inputs:
      - name: message
        type: string
        default: "hello world"

consts:
  secret: "secret"

steps:
  - name: hmac_sha256
    type: console
    with:
      message: "{{ inputs.message | hmac_sha256: consts.secret }}"

  - name: sha256
    type: console
    with:
      message: "{{ inputs.message | sha256 }}"

```

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

feat(filter): Add Shopify filters 'sha256' and 'hmac_sha256'

2 participants