asciidoctor-include-ext 0.3.1 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7ebb6ec82e190f28ee47dae11c6e6690ee3e8f544edf185c5c227570bf665476
-  data.tar.gz: 4eaadde9222a5d86e90544501ebcda0099ad8ee04b94fefc187502297640175b
+  metadata.gz: e351222783e131005427ad519891508168603495508299c6d71c2fb55d71a19e
+  data.tar.gz: 209424da5377db4f71f273f32413f69d083faec1ee9da79cf127d7ed55a57c62
 SHA512:
-  metadata.gz: ff4e777544c8236442d30e454cf3720360592e29fcc40d0ee974f8d0544ace610cbf3caadeee6c8712ab71e7e6ff1feae5f59a3669e7c7e8056a711e45358c3d
-  data.tar.gz: 454bdd6eef9671098f00b7bb32a67acfcbb0c5800c55eb5a805e52ff1341ed5dd0c56a36d94668777a7d613e91e1bb27592b3448509b130e469c0d80e0a16c0b
+  metadata.gz: b93df9f785ad62e1b36a8a68207f06f57578f6ee54af248596c17aa0be38c58e15175ca1cbc02bbe1a73338306959d9a99b06181948fb5743461510cfa02fb4f
+  data.tar.gz: 6ec6deec461722db7a314fb21726af6d08572690e1785865d83a0b3668df43781e9015b87966556b9b2982f434d7eda597eaedd7dcbe56af241e09e1017b8a4b

data/LICENSE

@@ -1,6 +1,6 @@
 The MIT License
 
-Copyright 2017 Jakub Jirutka <jakub@jirutka.cz>.
+Copyright 2017-present Jakub Jirutka <jakub@jirutka.cz>.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

data/README.adoc

@@ -7,7 +7,7 @@
 :codacy-id: 45320444129044688ef6553821b083f1
 
 ifdef::env-github[]
-image:https://travis-ci.org/{gh-name}.svg?branch={gh-branch}[Build Status, link="https://travis-ci.org/{gh-name}"]
+image:https://github.com/{gh-name}/workflows/CI/badge.svg[CI Status, link=https://github.com/{gh-name}/actions?query=workflow%3A%22CI%22]
 image:https://api.codacy.com/project/badge/Coverage/{codacy-id}["Test Coverage", link="https://www.codacy.com/app/{gh-name}"]
 image:https://api.codacy.com/project/badge/Grade/{codacy-id}["Codacy Code quality", link="https://www.codacy.com/app/{gh-name}"]
 image:https://img.shields.io/gem/v/{gem-name}.svg?style=flat[Gem Version, link="https://rubygems.org/gems/{gem-name}"]
@@ -49,6 +49,9 @@ or to install the latest development version:
 gem install {gem-name} --pre
 
 
+WARNING: Versions *prior 0.4.0* are vulnerable for Command Injection (see https://github.com/{gh-name}/commit/c7ea001a597c7033575342c51483dab7b87ae155[c7ea001] for more information). If you use an older version, update to 0.4.0 immediately!
+
+
 == Usage
 
 Just `require '{gem-name}'`.

data/asciidoctor-include-ext.gemspec

@@ -1,4 +1,4 @@
-require File.expand_path('../lib/asciidoctor/include_ext/version', __FILE__)
+require File.expand_path('lib/asciidoctor/include_ext/version', __dir__)
 
 Gem::Specification.new do |s|
   s.name        = 'asciidoctor-include-ext'
@@ -9,24 +9,22 @@ Gem::Specification.new do |s|
   s.license     = 'MIT'
 
   s.summary     = "Asciidoctor's standard include::[] processor reimplemented as an extension"
-  s.description = <<EOF
-This is a reimplementation of the Asciidoctor's built-in (pre)processor for the
-include::[] directive in extensible and more clean way. It provides the same
-features, but you can easily adjust it or extend for your needs. For example,
-you can change how it loads included files or add another ways how to select
-portions of the document to include.
-EOF
+  s.description = <<~EOF
+    This is a reimplementation of the Asciidoctor's built-in (pre)processor for the
+    include::[] directive in extensible and more clean way. It provides the same
+    features, but you can easily adjust it or extend for your needs. For example,
+    you can change how it loads included files or add another ways how to select
+    portions of the document to include.
+  EOF
 
   s.files       = Dir['lib/**/*', '*.gemspec', 'LICENSE*', 'README*']
-  s.has_rdoc    = 'yard'
 
-  s.required_ruby_version = '>= 2.1'
+  s.required_ruby_version = '>= 2.3'
 
   s.add_runtime_dependency 'asciidoctor', '>= 1.5.6', '< 3.0.0'
 
-  s.add_development_dependency 'corefines', '~> 1.11'
-  s.add_development_dependency 'kramdown', '~> 1.16'
-  s.add_development_dependency 'rake', '~> 12.0'
+  s.add_development_dependency 'kramdown', '~> 2.0'
+  s.add_development_dependency 'rake', '~> 13.0'
   s.add_development_dependency 'rspec', '~> 3.7'
   s.add_development_dependency 'rubocop', '~> 0.51.0'
   s.add_development_dependency 'simplecov', '~> 0.15'

data/lib/asciidoctor/include_ext/include_processor.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 require 'logger'
 require 'open-uri'
+require 'uri'
 
 require 'asciidoctor/include_ext/version'
 require 'asciidoctor/include_ext/reader_ext'
@@ -86,7 +87,7 @@ module Asciidoctor::IncludeExt
 
       return false if doc.safe >= ::Asciidoctor::SafeMode::SECURE
       return false if doc.attributes.fetch('max-include-depth', 64).to_i < 1
-      return false if target_uri?(target) && !doc.attributes.key?('allow-uri-read')
+      return false if target_http?(target) && !doc.attributes.key?('allow-uri-read')
       true
     end
 
@@ -94,7 +95,7 @@ module Asciidoctor::IncludeExt
     # @param reader (see #process)
     # @return [String, nil] file path or URI of the *target*, or `nil` if not found.
     def resolve_target_path(target, reader)
-      return target if target_uri? target
+      return target if target_http? target
 
       # Include file is resolved relative to dir of the current include,
       # or base_dir if within original docfile.
@@ -106,16 +107,22 @@ module Asciidoctor::IncludeExt
     # Reads the specified file as individual lines, filters them using the
     # *selector* (if provided) and returns those lines in an array.
     #
-    # @param filename [String] path of the file to be read.
+    # @param path [String] URL or path of the file to be read.
     # @param selector [#to_proc, nil] predicate to filter lines that should be
     #   included in the output. It must accept two arguments: line and
     #   the line number. If `nil` is given, all lines are passed.
     # @return [Array<String>] an array of read lines.
-    def read_lines(filename, selector)
-      if selector
-        IO.foreach(filename).select.with_index(1, &selector)
-      else
-        open(filename, &:read)
+    def read_lines(path, selector)
+      # IO.open is deliberately not used directly to avoid potential security risks.
+      # TODO: Get rid of 'open-uri' (URI.open).
+      io = target_http?(path) ? URI : File
+
+      io.open(path) do |f|
+        if selector
+          f.each.select.with_index(1, &selector)
+        else
+          f.read
+        end
       end
     end
 
@@ -142,9 +149,13 @@ module Asciidoctor::IncludeExt
     private
 
     # @param target (see #process)
-    # @return [Boolean] `true` if the *target* is an URI, `false` otherwise.
-    def target_uri?(target)
-      ::Asciidoctor::Helpers.uriish?(target)
+    # @return [Boolean] `true` if the *target* is a valid HTTP(S) URI, `false` otherwise.
+    def target_http?(target)
+      # First do a fast test, then try to parse it.
+      target.downcase.start_with?('http://', 'https://') \
+        && URI.parse(target).is_a?(URI::HTTP)
+    rescue URI::InvalidURIError
+      false
     end
   end
 end

data/lib/asciidoctor/include_ext/version.rb

@@ -3,6 +3,6 @@
 module Asciidoctor
   module IncludeExt
     # Version of the asciidoctor-include-ext gem.
-    VERSION = '0.3.1'.freeze
+    VERSION = '0.4.0'.freeze
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: asciidoctor-include-ext
 version: !ruby/object:Gem::Version
-  version: 0.3.1
+  version: 0.4.0
 platform: ruby
 authors:
 - Jakub Jirutka
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-04-14 00:00:00.000000000 Z
+date: 2022-03-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: asciidoctor
@@ -30,48 +30,34 @@ dependencies:
     - - "<"
       - !ruby/object:Gem::Version
         version: 3.0.0
-- !ruby/object:Gem::Dependency
-  name: corefines
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.11'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.11'
 - !ruby/object:Gem::Dependency
   name: kramdown
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.16'
+        version: '2.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.16'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.0'
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.0'
+        version: '13.0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -162,14 +148,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.1'
+      version: '2.3'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.3.7
 signing_key: 
 specification_version: 4
 summary: Asciidoctor's standard include::[] processor reimplemented as an extension