feat(filters): add sha256 and hmac_sha256 filters for cryptographic operations #889
Merged
harttle merged 1 commit into May 3, 2026
Owner
@all-contributors please add @VladimirFilonov for code

Contributor
I've put up a pull request to add @VladimirFilonov! 🎉
github-actions Bot pushed a commit that referenced this pull request May 14, 2026

# [10.26.0](v10.25.7...v10.26.0) (2026-05-14)

### Bug Fixes

* **date:** cap strftime widths and account padding in memoryLimit ([#895](#895)) ([3129d46](3129d46))
* enforce renderLimit for empty renderTemplates calls ([#894](#894)) ([5b9c346](5b9c346))
* propagate ownPropertyOnly into Context.spawn() for {% render %} ([#893](#893)) ([dbbf628](dbbf628))
* **security:** block Object.prototype filter/tag lookups (RCE) ([#897](#897)) ([457fae0](457fae0))
* strip html newline tags ([#892](#892)) ([26ea285](26ea285))
* **strip_html:** rewrite as linear single-pass scan to avoid ReDoS ([#896](#896)) ([3616a74](3616a74))

### Features

* add sha256 and hmac_sha256 filters for cryptographic operations ([#889](#889)) ([1c816d4](1c816d4))

🎉 This PR is included in version 10.26.0 🎉 The release is available on: Your semantic-release bot 📦🚀
VladimirFilonov added a commit to elastic/kibana that referenced this pull request May 21, 2026

…hmac_sha256 filters (#269989)

## Summary

Adopts Shopify-compatible `sha256` and `hmac_sha256` Liquid filters for Workflows by upgrading [liquidjs to 10.26.0](https://github.com/harttle/liquidjs/releases/tag/v10.26.0) ([harttle/liquidjs#889](harttle/liquidjs#889)). Filter behavior comes from liquidjs core—no custom server-side implementations.

- **Execution (server):** Built-in filters work via `createWorkflowLiquidEngine()` with existing `renderSync` / `evalValueSync` (Node `crypto`).
- **Editor autocomplete:** Added `sha256` and `hmac_sha256` entries with Shopify reference examples.
- **Hover preview (browser):** Switched `evaluateExpression` to async `evalValue` so crypto filters resolve correctly in the browser bundle (Web Crypto is async-only). Hover only shows evaluated filter output when viewing an execution on the **Executions** tab and hovering on the filter segment inside `{{ }}`.

## Changes

| Area | Change |
|------|--------|
| `package.json` / `yarn.lock` | `liquidjs` `10.25.7` → `10.26.0` |
| `liquid_completions.ts` | Autocomplete for `sha256`, `hmac_sha256` |
| `templating_engine.test.ts` | Server tests (Shopify reference vectors) |
| `liquid_parse_cache.test.ts` | Parse/validation tests for built-in crypto filters |
| `evaluate_expression.ts` | `evalValueSync` → `await evalValue` for browser crypto |
| `unified_hover_provider.ts` | `await evaluateExpression(...)` |
| `evaluate_expression.test.ts` | Async tests + crypto filter coverage |

**Not changed:** `templating_engine.ts`, `liquid_parse_cache.ts` — no `registerFilter` stubs needed for built-in filters.

## Examples:

```yaml
name: Crypto filters
enabled: true
triggers:
  - type: manual
inputs:
  - name: message
    type: string
    default: "hello world"
consts:
  secret: "secret"
steps:
  - name: hmac_sha256
    type: console
    with:
      message: "{{ inputs.message | hmac_sha256: consts.secret }}"
  - name: sha256
    type: console
    with:
      message: "{{ inputs.message | sha256 }}"
```

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
paulinashakirova pushed a commit to paulinashakirova/kibana that referenced this pull request May 22, 2026

…hmac_sha256 filters (elastic#269989)
jcger pushed a commit to elastic/kibana that referenced this pull request May 26, 2026

…hmac_sha256 filters (#269989)
This was referenced May 29, 2026
Summary
Adds two Shopify filters — `sha256` and `hmac_sha256` to LiquidJS core. Both are part of the Shopify Liquid filter set but are not currently implemented in LiquidJS.

Closes #884.

Changes
- `sha256` and `hmac_sha256`, output as lowercase hex digest.
- `base64` split):
- `node:crypto` (`createHash` / `createHmac`).
- `crypto.subtle.digest`, `crypto.subtle.importKey` + `crypto.subtle.sign`).
- `browserCrypto` replace block swaps `./crypto-impl` for `../build/crypto-impl-browser` in the browser bundles, alongside the existing `browserBase64` block.
- `'crypto'` is added to the Node bundles' `external` list.
- `this.context.memoryLimit.use`.

Implementation details
- `src/filters/crypto.ts` — filter handlers (`sha256`, `hmac_sha256`).
- `src/filters/crypto-impl.ts` — Node implementation (sync).
- `src/build/crypto-impl-browser.ts` — browser implementation (async, returns `Promise<string>`).
- `src/filters/index.ts` — registers the new filter module.
- `rollup.config.mjs` — `browserCrypto` source replacement + `crypto` external.
- `test/integration/filters/crypto.spec.ts`, `src/build/crypto-impl-browser.spec.ts` — tests.
- `docs/source/filters/{sha256,hmac_sha256}.md`, `docs/source/filters/overview.md` — docs.

Shopify compatibility
- `sha256`: `{{ 'Polyjuice' | sha256 }}` → `44ac1d7a2936e30a5de07082fd65d6fe9b1fb658a1a98bfe65bc5959beac5dd0`
- `hmac_sha256`: `{{ 'Polyjuice' | hmac_sha256: 'Polina' }}` → `8e0d5d65cff1242a4af66c8f4a32854fd5fb80edcc8aabe9b302b29c7c71dc20`
- `undefined` / `null` to the empty string, consistent with the existing `base64_encode` filter.

Notes
- `node:crypto` is built-in; `crypto.subtle` is on `globalThis` in supported browsers.
- `Promise<string>` (Web Crypto is async-only), so synchronous rendering of these two filters is not supported in the browser. Node bundles return a string and work with `parseAndRenderSync`.
- `importKey('raw', ...)` rejects zero-length HMAC keys, so empty keys are unsupported in the browser; Node's `createHmac` accepts them and the Node integration test covers that edge case.

Testing
- `undefined` / `null` / numeric / boolean coercion, numeric HMAC keys, and empty input.

Breaking changes
None
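
The Node/browser split described in the PR, as an added example (not code from the pull request or from LiquidJS): a synchronous `node:crypto` path beside an asynchronous Web Crypto path, compared on the same input, including the empty-key case. The function names, the `toStr` coercion and the use of `webcrypto.subtle` from `node:crypto` as a stand-in for the browser's `crypto.subtle` are assumptions of this sketch.

```javascript
const { createHash, createHmac, webcrypto } = require('node:crypto');

// Assumed coercion: undefined/null become '', everything else goes through String().
const toStr = (v) => (v === undefined || v === null ? '' : String(v));

// Node path: synchronous, so it also works under synchronous rendering.
function nodeSha256(input) {
  return createHash('sha256').update(toStr(input), 'utf8').digest('hex');
}
function nodeHmacSha256(input, key) {
  return createHmac('sha256', toStr(key)).update(toStr(input), 'utf8').digest('hex');
}

// Browser path: crypto.subtle is promise-based, so these return Promise<string>.
// webcrypto.subtle stands in for the browser's crypto.subtle here.
const subtle = webcrypto.subtle;
const enc = new TextEncoder();
const toHex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, '0')).join('');

async function webSha256(input) {
  return toHex(await subtle.digest('SHA-256', enc.encode(toStr(input))));
}
async function webHmacSha256(input, key) {
  const algo = { name: 'HMAC', hash: 'SHA-256' };
  // importKey is where a zero-length key is refused on the Web Crypto side.
  const k = await subtle.importKey('raw', enc.encode(toStr(key)), algo, false, ['sign']);
  return toHex(await subtle.sign('HMAC', k, enc.encode(toStr(input))));
}

// Run both paths on one (input, key) pair. A Web Crypto rejection is returned
// as data so the caller can see which platform refused the key.
async function compareHmac(input, key) {
  const node = nodeHmacSha256(input, key);
  try {
    const web = await webHmacSha256(input, key);
    return { node, web, match: node === web };
  } catch (err) {
    return { node, web: null, match: false, error: err.name };
  }
}

// Constructed demo inputs: the PR's reference pair, then an empty key.
compareHmac('Polyjuice', 'Polina').then((r) => console.log('keyed:', r));
compareHmac('Polyjuice', '').then((r) => console.log('empty key:', r));
```

A template that must render identically on server and browser should not depend on an empty HMAC key, since only the Node path is documented to accept it.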