Asciidoctor: support include directives for other asciidoc files #1095
Comments
|
I totally 👍 this request. Includes are an amazing feature of Asciidoc over Markdown and would help a lot providing users with good and up-to-date documentation. I would add image to the same bucket. I think it is not supported today, probably for the same reason includes are not. |
The image macros are supported on GitHub. You can see them in action here: https://github.com/asciidoctor/atom-asciidoc-preview |
|
If GitHub is committed to enabling includes for AsciiDoc files, I'm willing to do whatever needs to be done in Asciidoctor to make it happen. I've already added an extension point so the include directive can be handled by a custom function. That allows the GitHub code to resolve the file from the git repository instead of from the file system. |
|
Fully support this. Seems like a basic capability and we're struggling without it 👎 |
|
it will be great to use a full power of asciidoc from github frontend. |
|
This issue was an unpleasant surprise. I agree with @ericis; this is fundamental functionality which is expected by Asciidoc users. Since @mojavelinux has enabled custom handling , this seems simple:
This seems fairly solvable. Maybe I'm not seeing the full extent of it? |
|
I think it's been a solvable problem for a while now, technically-- at this point it's just someone flipping a couple switches by the looks of it. This is hands down one of the best features of AsciiDoc and it's a crying shame that there is so little support for it in git-related tooling (GH, Gollum, GitBookIO, etc.). FWIW, it's not like images are that much safer than other types of content, but for years now I could generate images of my source code and include it that way (ridiculous, as no copy/paste), or generate the content itself and include it that way (which defeats the purpose of nice rendering via GH out of the box). Someday, it would be nice to move into the brave new future and get some |
|
So it's pretty clear the reason it hasn't been implemented yet is security. I believe it is also a reason why GitHub's staff doesn't really engage with the community in order to solve that problem because it would require them to expose their threat model and pieces of their architecture which could help attackers.
You are missing the broader point. Include processing is more complex, not because the destination is dangerous, but because of the way it interacts. Just as an example: An include can include includes which could include the first top-level include. This would DoS a naive parser. Analogous to the Billion Laugh Attack and it could be done in so many ways that it's hard to prevent them all with parser restrictions. Another different, yet complex to fix, example: AsciiDoc includes can be URIs, URI includes could be used to perform SSRF attacks in order to explore GitHub's infrastructure in means that shouldn't be allowed. So I think the reason why GitHub is not doing it is because <1% of their users care and there are numerous ways to abuse the feature so doing it safely is hard. Implementing a hard feature for <1% is not worth the resources (or the risk). Don't shoot the messenger here: I want AsciiDoc includes to work on GitHub! It's just that I can see why it's a tricky one to implement. |
|
Nothing wrong with sharing how you think-- no shots here, but I disagree that it's security holding this up per se. 😃 Mainly because in the comments above, both injection attacks, and recursion have solutions (and have been solved elsewhere in github infrastructure already)... it's weird that infinite recursion is even on the list, IMHO-- same with the "naive" parser idea... anyone can write a bad parser, we can't protect against that (and I'd be scared if we could!). Same goes for the security concerns you bring up. They've been brought up, and even addressed, already. If not in this thread/ticket, than in multiple other ones, which leads me to my last refutation, that being the idea this problem affects a negligible number of people. It seems to be effecting many people (including authors of popular tools who are representing thousands of people), as you can tell by the various tickets around this issue. The same-ish issue (for MD) has the highest number of comments at the moment, and it's just a bump of several other tickets (all of which seem to have "solved" the problems raised but appear to be in a holding pattern). Plus figure a good 85% of people probably don't file a ticket when they hit a problem... I'll close by saying that security through obscurity isn't really much protection. There's a reason crypto libs have to be published to be valid, and that's because obscurity is "soft" protection at best, and a huge security concern at worst. It's cool GH is sharing the markup plugin-- tho note numbers 2-5 from the docs ("internal code") seem to be a source of bottlenecks. Pretty sure The Future will be mostly folks who put source code out so it can be verified/checked (been saying this for years, but at least it doesn't sound crazy anymore... how much does OSS power these days?), and if you don't think someone can just call up their friend who works at Large Company X to get a peek at sources... ¯_(ツ)_/¯ anyhow, at this point it's not a tech barrier as far as I can see, and it's fine if something else is holding this up, but there's been little to no feedback from project maintainers, and it's depressing to see so much input and so many orphaned/ghosted PRs going back years and whatnot (in general around this issue). But not that much. 😃 Mainly I'm just tossing in another +1, in a now age-old tradition. 😜 |
|
@obilodeau Thank you for sharing your insight on this issue. You provided a lot of context for what the security concern actually entails. I want to emphasize two things. First, Asciidoctor has from the very beginning offered up the include processor as an extension point (for GitHub, I might add). That means that GitHub could write code that takes over processing of the include, so there's 0 risk of insecure code that they themselves did not introduce. That doesn't make it easy, to be sure, but that should mitigate the third-party risk argument. Second, I'm willing to make any reasonable change in Asciidoctor that would further accommodate this feature. So far, I have heard absolutely nothing from GitHub on this issue, which doesn't bode well if we expect to make any progress. My offer stands to work with GitHub if they need me to get this feature implemented. (code, documentation, whatever)
I don't expect GitHub to use the built-in include processor, but there is protection against this scenario. An include can only go to a fixed number of levels before it's terminated. Most users would be happy with 3-5 levels, if even that.
I would not except these to work on GitHub. They don't even work on Asciidoctor without a command-line / API flag. I think includes that work within the set of repository files is already a huge boon for us AsciiDoc writers.
If they went with that argument, then I'd say they don't know the AsciiDoc community very well. AsciiDoc users are bonkers for includes, rightfully so. As Denny points out:
If you want my prediction on this issue, it will be resolved as soon as GitLab implements it. That's not trolling, that's just sound competition in the marketplace. After all, GitLab just implemented stem support (i.e, math expressions) in AsciiDoc files. |
|
Btw, here's a link to corresponding issue in the GitLab issue tracker. https://gitlab.com/gitlab-org/gitlab-ce/issues/18045 Interesting to note that @jirutka has already submitted a full patch for a custom include processor that works with a repository manager like GitHub and GitLab. So the code is there. We just need the will. |
|
I am fine with a very restrictive policy here, even restricting includes to the same repository. My issue is that I have documents that I want modularized but I also want to be able to present them on the web as complete documents and right now I can't do that. I have to kick off a separate process to generate the file then post that. Whether I do this manually or through some sort of agent is irrelevant, it is a nuisance and completely unnecessary. |
|
3-5 levels would be perfect imho. Five gives a few levels for document structure and a couple of levels for templates. Three would suffice for most use cases, but five would handle almost all of them. While I can handle all of the includes before pushing the content to github, effectively that means I'm no longer able to use github as source control (for the same reason our .gitignore files exclude /bin.) One use case I have uses include to add an svg, and the text fields of the svg are then changed via substitutions. Which really isn't that complex--an svg is just xml after all--but it's not something you can do with the standard image handler. Count me among those who are bonkers for includes. Includes really are a must have feature for asciidoc. |
|
Heck, I'd settle for even one level-- and a same-repo policy is what I'd expect off the top of my head so that'd be dandy too (though it'd be swell if they follow the standard GH route of an inter-github policy for linking to stuff in other GH user/org repos).
☝️ this! One of the main reasons I like GH is that slickly rendered README. It is powerful feature. Without includes it's hobbled in exactly the way you wouldn't want though, as outlined above (making it a non-option for folks who have organized docs in their sources ("Don't look at those, look at the generated ones! (but yes, edit those)" yuck). GH has had includes of various types (at least header/footer) for years now in the wiki section, so it's a problem that was solved for GH in some general form ages ago... |
|
I just want to mention that two workarounds are possible for this, for those needing a solution.
|
|
Unfortunately, publishing to GitHub Pages, or Netlify, or various other static web hosts, is a different solution entirely. If you use your own static site generator, you open up a whole world of possibilities. But the README and other files in a repository on GitHub are still crippled. A better workaround is to have a CI job that monitors for changes to AsciiDoc files in the repository and expands the include directives, obviously leaving behind a hint so that the region can later be updated. It's not ideal, but it at least lets you keep your documents DRY. |
|
Yeah, the closest thing to a work-around would be some type of include that works now, like images, but that's a downer for various reasons. I can whip up a PR for this project if there's even a whiff of interest from someone in powah, but this is a case where I won't be able to use my own fork, so I'm less than motivated to write it unless there's at least a chance of it getting in... there's been nothing on most these issues, and I'm, let us just say, not optimistic, about [email protected] being able to help. Maybe @MikeMcQuaid can point us in the right direction? |
|
I fully understand that publishing to a static web host is a different matter and I will be sure to take a look at jekyll-asciidoc to see if it is a potential partial solution. It doesn't change the value of rendering AsciiDoc directly through GitHub (as is done with Markdown, GeoJSON, etc.). |
@denuno This isn't something I have or do work on at GitHub. Please email [email protected] rather than @mentioning me unless it relates to my open source work. Thanks! |
|
Apologies, I grabbed the first person who looked to have some type of power to do something for the project, maybe I should have @ more prolific committer-- or it seems like maybe I have no idea how contribution works for github projects on github? 🤔 It would seem odd if, it weren't par for the course (I'm the same I reckon), that github projects don't use github, and instead have some out-of-band deal going on... seriously though? Hit up a generic 'support' addy for feedback on issues? 🙄 I sent an email. I shouldn't have bitched before trying it, but regardless-- that there is a disconnect which is worse than missing include functionality! Consider this comment a PR to address it by connecting projects to people (or at least positions beyond 'support'). 😛 |
|
I'd be remiss not to do a PR now. 😃 Is anyone else already on it? Is there anything really to do, for that matter? This stuff just calls the external tools anyhow, not sure why any special things needed to be added in the first place? I thought there was more to it, because of all the talk about security concerns being the main reason includes have not been implemented, but if there are security concerns with this set up, github is exposing that the infrastructure is way more vulnerable than it should be... Like, does this really get run on some type of master server that has write access to all github repositories or some such? Could I craft an Evil Commit that would Do Something to other repositories? Is servable content + traffic not watched to verify content isn't misbehaving? There must be a ton of stuff checking for more issues than I can think of off the top of my head... what is the real reason this hasn't been implemented in 5+ years? If it really is a security concern, please have [email protected] contact me privately, and I'll point out the attack vectors that are exposed by stating such (which are pretty obvious, and have nothing to do with includes, so I'm hoping that idea was just someone's attempt to keep things simple -- too simple, sure -- but a worthy thing to strive for... or maybe it was some misdirection... I could get behind that too 🕶️). 😆 I meant to just say I'd put my money where my mouth is, versus piling on some more, but I started really wondering mid-type. |
|
Just for some closure on this: I dropped [email protected] a line, and someone got back to me pretty quick! Includes are on "The List" (for next year), and there's nothing anyone outside GitHub itself can do or contribute to speed that up. It's a coderpower issue. To be on The List even a year out is like "yay!". 😝 For anyone looking for authoritative feedback: 🔥 Contact [email protected] to get information about issues in the GitHub issue system.We can then person-power the [shadow] issue systems on github by relaying responses, as I'm doing now.Ha! Just had the awesome idea to write a GitHub support GitHub issues integration. Once you automate a shadow system, it's technically some type of mirror, right? 🤔 |
|
Hey folks 👋. I'm a PM at GitHub working with some of our Render folk and I've found this thread via In truth, we've got some infrastructure work to pay down first before we can take a serious look at this again, but I want to let you know that it does matter to us. We're hoping to make inroads soon into that infra work – and then we can start investigating how best to address this for y'all! cc/ @mojavelinux @jexp |
|
That would be amazing, thanks so much @lukehefson Btw. I love your "small-ux-wins" (papercuts) project, that has already improved my GH experience a lot. |
|
I wonder if this would be possible now with GitHub Blocks? https://github.com/githubnext/blocks Edit: Never mind, they killed it. https://gist.github.com/idan/325676d192b32f169b032fde2d866c2c#github-next--technical-preview-sunsets |
|
This gets a +1 from me. We're using Asciidoc + Antora for a new documentation project for the Khronos group, and use includes to avoid duplicate documentation. But those includes are simply ignored when viewing files through github. |
|
On the one hand, previewing rendered Asciidoctor docs in GitHub is quite nice. But on the other hand, there is value in relying on GitHub to show me the actual contents of the file and not a preprocessed version. I can't say either choice is completely wrong. |
Hello, GitHub already provides the "raw" view to see the original content of the file as it is the case for Markdown. |
@jmeridth seems to do updates once in a while, so maybe he knows if there are anything in the roadmap regarding these longstanding issues. - (there are surely a lot of issues in this repo regarding github markdown - ( 8 years for this issue, and the original issue - #335 is celebrating a decade now:) |
@janderssonse There are discussions to get internal ownership on this repo. Myself and a few others have volunteered as tribute lately to try to address any security issues. I've filtered out spammy issues but there are a bunch of legitimate ones like this one. I will take a look but may still take a bit. |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
|
There's still interest, despite the lack of activity |
|
There is interest, but also acknowledgement that the owners of this site are done making incremental quality of life improvements. If there is no direct impact on the bottom line, it isn't happening. They might as well close the issue as WONT FIX and let us get on with our lives. |
As of now, Github does not support include directive. To make the rendering less broken, we set a placeholder that is interpreted as a hyperlink by Github See github/markup#1095
As of now, Github does not support include directive. To make the rendering less broken, we set a link to the page instead, only on Github environment. See github/markup#1095
As of now, Github does not support include directive. To make the rendering less broken, we set a link to the page instead, only on Github environment. See github/markup#1095
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
|
Interest remains - this was referenced just 2 hours ago in a separate issue, so ideally should be kept open. |
|
Still here, in 2014, 2017 and 2025. :) Kids grown up, moved houses, changed workplaces, turned balder and so on and during this time. :D Will check back in 2028. |
|
I would like to have include too |
and others
A lot of time has passed since latest comments from devs in #172 and #335.
I think after years things have changed in your infrastructure, why not to bring up this issue again with some more input and news?
For example, AFAIK GitHub started to use containers which could help to isolate things from unintentional access and improve security.
Also take a look at asciidoctor/asciidoctor#1088. The author of Asciidoctor is ready for a conversation about this, there is even proposed a way to implement this with custom include preprocessor. If there are still some concerns about resolving the issue, please provide a constructive feedback so both sides can collaborate.
The text was updated successfully, but these errors were encountered: