better_html 1.0.1 → 1.0.2

data/lib/better_html/test_helper/safe_erb_tester.rb

@@ -1,6 +1,11 @@
-require 'better_html/test_helper/ruby_expr'
-require 'better_html/test_helper/safety_error'
 require 'better_html/parser'
+require 'better_html/test_helper/safety_error'
+require 'better_html/test_helper/safe_erb/base'
+require 'better_html/test_helper/safe_erb/no_statements'
+require 'better_html/test_helper/safe_erb/allowed_script_type'
+require 'better_html/test_helper/safe_erb/no_javascript_tag_helper'
+require 'better_html/test_helper/safe_erb/tag_interpolation'
+require 'better_html/test_helper/safe_erb/script_interpolation'
 require 'better_html/tree/tag'
 
 module BetterHtml
@@ -30,292 +35,34 @@ Always use raw and to_json together within <script> tags:
 EOF
 
       def assert_erb_safety(data, **options)
-        tester = Tester.new(data, **options)
-
-        message = ""
-        tester.errors.each do |error|
-          message << <<~EOL
-            On line #{error.location.line}
-            #{error.message}
-            #{error.location.line_source_with_underline}\n
+        options = options.present? ? options.dup : {}
+        options[:template_language] ||= :html
+        parser = BetterHtml::Parser.new(data, options)
+
+        tester_classes = [
+          SafeErb::NoStatements,
+          SafeErb::AllowedScriptType,
+          SafeErb::NoJavascriptTagHelper,
+          SafeErb::TagInterpolation,
+          SafeErb::ScriptInterpolation,
+        ]
+
+        testers = tester_classes.map do |tester_klass|
+          tester = tester_klass.new(parser)
+        end
+        testers.each(&:validate)
+        errors = testers.map(&:errors).flatten
+
+        messages = errors.map do |error|
+          <<~EOL
+          On line #{error.location.line}
+          #{error.message}
+          #{error.location.line_source_with_underline}\n
           EOL
         end
+        messages << SAFETY_TIPS
 
-        message << SAFETY_TIPS
-
-        assert_predicate tester.errors, :empty?, message
-      end
-
-      private
-
-      class Tester
-        attr_reader :errors
-
-        VALID_JAVASCRIPT_TAG_TYPES = ['text/javascript', 'text/template', 'text/html']
-
-        def initialize(data, config: BetterHtml.config, **options)
-          @data = data
-          @config = config
-          @errors = Errors.new
-          @options = options.present? ? options.dup : {}
-          @options[:template_language] ||= :html
-          @parser = BetterHtml::Parser.new(data, @options.slice(:template_language))
-          validate!
-        end
-
-        def add_error(message, location:)
-          @errors.add(SafetyError.new(message, location: location))
-        end
-
-        def validate!
-          @parser.nodes_with_type(:tag).each do |tag_node|
-            tag = Tree::Tag.from_node(tag_node)
-            next if tag.closing?
-
-            validate_tag_attributes(tag)
-
-            if tag.name == 'script'
-              index = @parser.ast.to_a.find_index(tag_node)
-              next_node = @parser.ast.to_a[index + 1]
-              if next_node.type == :text
-                if (tag.attributes['type']&.value || "text/javascript") == "text/javascript"
-                  validate_script_tag_content(next_node)
-                end
-                validate_no_statements(next_node) unless tag.attributes['type']&.value == "text/html"
-              end
-
-              validate_javascript_tag_type(tag)
-            end
-          end
-
-          @parser.nodes_with_type(:text).each do |node|
-            validate_text_node(node)
-
-            if @parser.template_language == :javascript
-              validate_script_tag_content(node)
-              validate_no_statements(node)
-            else
-              validate_no_javascript_tag(node)
-            end
-          end
-
-          @parser.nodes_with_type(:cdata, :comment).each do |node|
-            validate_no_statements(node)
-          end
-        end
-
-        def erb_nodes(node)
-          Enumerator.new do |yielder|
-            next if node.nil?
-            node.descendants(:erb).each do |erb_node|
-              indicator_node, _, code_node, _ = *erb_node
-              yielder.yield(erb_node, indicator_node, code_node)
-            end
-          end
-        end
-
-        def validate_javascript_tag_type(tag)
-          return unless type_attribute = tag.attributes['type']
-          return if VALID_JAVASCRIPT_TAG_TYPES.include?(type_attribute.value)
-
-          add_error(
-            "#{type_attribute.value} is not a valid type, valid types are #{VALID_JAVASCRIPT_TAG_TYPES.join(', ')}",
-            location: type_attribute.loc
-          )
-        end
-
-        def validate_tag_attributes(tag)
-          tag.attributes.each do |attribute|
-            erb_nodes(attribute.value_node).each do |erb_node, indicator_node, code_node|
-              next if indicator_node.nil?
-
-              indicator = indicator_node.loc.source
-              source = code_node.loc.source
-
-              if indicator == '='
-                begin
-                  expr = RubyExpr.parse(source)
-                  validate_tag_expression(code_node, expr, attribute.name)
-                rescue RubyExpr::ParseError
-                  nil
-                end
-              elsif indicator == '=='
-                add_error(
-                  "erb interpolation with '<%==' inside html attribute is never safe",
-                  location: erb_node.loc
-                )
-              end
-            end
-          end
-        end
-
-        def validate_text_node(text_node)
-          erb_nodes(text_node).each do |erb_node, indicator_node, code_node|
-            indicator = indicator_node&.loc&.source
-            next if indicator == '#'
-            source = code_node.loc.source
-
-            begin
-              expr = RubyExpr.parse(source)
-              validate_ruby_helper(code_node, expr)
-            rescue RubyExpr::ParseError
-              nil
-            end
-          end
-        end
-
-        def validate_ruby_helper(parent_token, expr)
-          expr.traverse(only: [:send, :csend]) do |send_node|
-            expr.each_child_node(send_node, only: :hash) do |hash_node|
-              expr.each_child_node(hash_node, only: :pair) do |pair_node|
-                validate_ruby_helper_hash_entry(parent_token, expr, nil, *pair_node.children)
-              end
-            end
-          end
-        end
-
-        def validate_ruby_helper_hash_entry(parent_token, expr, key_prefix, key_node, value_node)
-          return unless [:sym, :str].include?(key_node.type)
-          key = [key_prefix, key_node.children.first.to_s].compact.join('-').dasherize
-          case value_node.type
-          when :dstr
-            validate_ruby_helper_hash_value(parent_token, expr, key, value_node)
-          when :hash
-            if key == 'data'
-              expr.each_child_node(value_node, only: :pair) do |pair_node|
-                validate_ruby_helper_hash_entry(parent_token, expr, key, *pair_node.children)
-              end
-            end
-          end
-        end
-
-        def validate_ruby_helper_hash_value(parent_token, expr, attr_name, hash_value)
-          expr.each_child_node(hash_value, only: :begin) do |child|
-            validate_tag_expression(parent_token, RubyExpr.new(child), attr_name)
-          end
-        end
-
-        def validate_tag_expression(parent_token, expr, attr_name)
-          return if expr.static_value?
-
-          if @config.javascript_attribute_name?(attr_name) && expr.calls.empty?
-            add_error(
-              "erb interpolation in javascript attribute must call '(...).to_json'",
-              location: Tokenizer::Location.new(
-                @data,
-                parent_token.loc.start + expr.start,
-                parent_token.loc.start + expr.end - 1
-              )
-            )
-            return
-          end
-
-          expr.calls.each do |call|
-            if call.method == :raw
-              add_error(
-                "erb interpolation with '<%= raw(...) %>' inside html attribute is never safe",
-                location: Tokenizer::Location.new(
-                  @data,
-                  parent_token.loc.start + expr.start,
-                  parent_token.loc.start + expr.end - 1
-                )
-              )
-            elsif call.method == :html_safe
-              add_error(
-                "erb interpolation with '<%= (...).html_safe %>' inside html attribute is never safe",
-                location: Tokenizer::Location.new(
-                  @data,
-                  parent_token.loc.start + expr.start,
-                  parent_token.loc.start + expr.end - 1
-                )
-              )
-            elsif @config.javascript_attribute_name?(attr_name) && !@config.javascript_safe_method?(call.method)
-              add_error(
-                "erb interpolation in javascript attribute must call '(...).to_json'",
-                location: Tokenizer::Location.new(
-                  @data,
-                  parent_token.loc.start + expr.start,
-                  parent_token.loc.start + expr.end - 1
-                )
-              )
-            end
-          end
-        end
-
-        def validate_script_tag_content(node)
-          erb_nodes(node).each do |erb_node, indicator_node, code_node|
-            next unless indicator_node.present?
-            indicator = indicator_node.loc.source
-            next if indicator == '#'
-            source = code_node.loc.source
-
-            begin
-              expr = RubyExpr.parse(source)
-              validate_script_expression(erb_node, expr)
-            rescue RubyExpr::ParseError
-            end
-          end
-        end
-
-        def validate_script_expression(parent_node, expr)
-          if expr.calls.empty?
-            add_error(
-              "erb interpolation in javascript tag must call '(...).to_json'",
-              location: parent_node.loc,
-            )
-            return
-          end
-
-          expr.calls.each do |call|
-            if call.method == :raw
-              call.arguments.each do |argument_node|
-                arguments_expr = RubyExpr.new(argument_node)
-                validate_script_expression(parent_node, arguments_expr)
-              end
-            elsif call.method == :html_safe
-              instance_expr = RubyExpr.new(call.instance)
-              validate_script_expression(parent_node, instance_expr)
-            elsif !@config.javascript_safe_method?(call.method)
-              add_error(
-                "erb interpolation in javascript tag must call '(...).to_json'",
-                location: parent_node.loc,
-              )
-            end
-          end
-        end
-
-        def validate_no_statements(node)
-          erb_nodes(node).each do |erb_node, indicator_node, code_node|
-            next unless indicator_node.nil?
-            source = code_node.loc.source
-            next if /\A\s*end/m === source
-
-            add_error(
-              "erb statement not allowed here; did you mean '<%=' ?",
-              location: erb_node.loc,
-            )
-          end
-        end
-
-        def validate_no_javascript_tag(node)
-          erb_nodes(node).each do |erb_node, indicator_node, code_node|
-            indicator = indicator_node&.loc&.source
-            next if indicator == '#'
-            source = code_node.loc.source
-
-            begin
-              expr = RubyExpr.parse(source)
-
-              if expr.calls.size == 1 && expr.calls.first.method == :javascript_tag
-                add_error(
-                  "'javascript_tag do' syntax is deprecated; use inline <script> instead",
-                  location: erb_node.loc,
-                )
-              end
-            rescue RubyExpr::ParseError
-            end
-          end
-        end
+        assert_predicate errors, :empty?, messages.join
       end
     end
   end

data/lib/better_html/tokenizer/location.rb

@@ -1,7 +1,7 @@
 module BetterHtml
   module Tokenizer
     class Location
-      attr_accessor :start, :stop
+      attr_accessor :document, :start, :stop
 
       def initialize(document, start, stop)
         raise ArgumentError, "start location #{start} is out of range for document of size #{document.size}" if start > document.size

data/lib/better_html/version.rb

@@ -1,3 +1,3 @@
 module BetterHtml
-  VERSION = "1.0.1"
+  VERSION = "1.0.2"
 end

data/test/better_html/errors_test.rb

@@ -0,0 +1,13 @@
+require 'test_helper'
+require 'better_html/errors'
+
+module BetterHtml
+  class ErrorsTest < ActiveSupport::TestCase
+    test "add" do
+      e = Errors.new
+      e.add("foo")
+      assert_equal 1, e.size
+      assert_equal "foo", e.first
+    end
+  end
+end

data/test/better_html/test_helper/ruby_node_test.rb

@@ -0,0 +1,288 @@
+require 'test_helper'
+require 'better_html/test_helper/ruby_node'
+
+module BetterHtml
+  module TestHelper
+    class RubyNodeTest < ActiveSupport::TestCase
+      include ::AST::Sexp
+
+      test "simple call" do
+        expr = BetterHtml::TestHelper::RubyNode.parse("foo")
+        assert_equal 1, expr.return_values.count
+        assert_nil expr.return_values.first.receiver
+        assert_equal :foo, expr.return_values.first.method_name
+        assert_equal [], expr.return_values.first.arguments
+        refute_predicate expr, :static_return_value?
+      end
+
+      test "instance call" do
+        expr = BetterHtml::TestHelper::RubyNode.parse("foo.bar")
+        assert_equal 1, expr.return_values.count
+        assert_equal s(:send, nil, :foo), expr.return_values.first.receiver
+        assert_equal :bar, expr.return_values.first.method_name
+        assert_equal [], expr.return_values.first.arguments
+        refute_predicate expr, :static_return_value?
+      end
+
+      test "instance call with arguments" do
+        expr = BetterHtml::TestHelper::RubyNode.parse("foo(x).bar")
+        assert_equal 1, expr.return_values.count
+        assert_equal s(:send, nil, :foo, s(:send, nil, :x)), expr.return_values.first.receiver
+        assert_equal :bar, expr.return_values.first.method_name
+        assert_equal [], expr.return_values.first.arguments
+        refute_predicate expr, :static_return_value?
+      end
+
+      test "instance call with parenthesis" do
+        expr = BetterHtml::TestHelper::RubyNode.parse("(foo).bar")
+        assert_equal 1, expr.return_values.count
+        assert_equal s(:begin,  s(:send, nil, :foo)), expr.return_values.first.receiver
+        assert_equal :bar, expr.return_values.first.method_name
+        assert_equal [], expr.return_values.first.arguments
+        refute_predicate expr, :static_return_value?
+      end
+
+      test "instance call with parenthesis 2" do
+        expr = BetterHtml::TestHelper::RubyNode.parse("(foo)")
+        assert_equal 1, expr.return_values.count
+        assert_nil expr.return_values.first.receiver
+        assert_equal :foo, expr.return_values.first.method_name
+        assert_equal [], expr.return_values.first.arguments
+        refute_predicate expr, :static_return_value?
+      end
+
+      test "command call" do
+        expr = BetterHtml::TestHelper::RubyNode.parse("foo bar")
+        assert_equal 1, expr.return_values.count
+        assert_nil expr.return_values.first.receiver
+        assert_equal :foo, expr.return_values.first.method_name
+        assert_equal [s(:send, nil, :bar)], expr.return_values.first.arguments
+        refute_predicate expr, :static_return_value?
+      end
+
+      test "command call with block" do
+        expr = BetterHtml::TestHelper::RubyNode.parse("foo bar do")
+        assert_equal 1, expr.return_values.count
+        assert_nil expr.return_values.first.receiver
+        assert_equal :foo, expr.return_values.first.method_name
+        assert_equal [s(:send, nil, :bar)], expr.return_values.first.arguments
+        refute_predicate expr, :static_return_value?
+      end
+
+      test "call with parameters" do
+        expr = BetterHtml::TestHelper::RubyNode.parse("foo(bar)")
+        assert_equal 1, expr.return_values.count
+        assert_nil expr.return_values.first.receiver
+        assert_equal :foo, expr.return_values.first.method_name
+        assert_equal [s(:send, nil, :bar)], expr.return_values.first.arguments
+        refute_predicate expr, :static_return_value?
+      end
+
+      test "instance call with parameters" do
+        expr = BetterHtml::TestHelper::RubyNode.parse("foo.bar(baz, x)")
+        assert_equal 1, expr.return_values.count
+        assert_equal s(:send, nil, :foo), expr.return_values.first.receiver
+        assert_equal :bar, expr.return_values.first.method_name
+        assert_equal [s(:send, nil, :baz), s(:send, nil, :x)], expr.return_values.first.arguments
+        refute_predicate expr, :static_return_value?
+      end
+
+      test "call with parameters with if conditional modifier" do
+        expr = BetterHtml::TestHelper::RubyNode.parse("foo(bar) if something?")
+        assert_equal 1, expr.return_values.count
+        assert_nil expr.return_values.first.receiver
+        assert_equal :foo, expr.return_values.first.method_name
+        assert_equal [s(:send, nil, :bar)], expr.return_values.first.arguments
+        refute_predicate expr, :static_return_value?
+      end
+
+      test "call with parameters with unless conditional modifier" do
+        expr = BetterHtml::TestHelper::RubyNode.parse("foo(bar) unless something?")
+        assert_equal 1, expr.return_values.count
+        assert_nil expr.return_values.first.receiver
+        assert_equal :foo, expr.return_values.first.method_name
+        assert_equal [s(:send, nil, :bar)], expr.return_values.first.arguments
+        refute_predicate expr, :static_return_value?
+      end
+
+      test "expression call in ternary" do
+        expr = BetterHtml::TestHelper::RubyNode.parse("something? ? foo : bar")
+        assert_equal 2, expr.return_values.count
+        refute_predicate expr, :static_return_value?
+
+        assert_nil expr.return_values.to_a[0].receiver
+        assert_equal :foo, expr.return_values.to_a[0].method_name
+        assert_equal [], expr.return_values.to_a[0].arguments
+
+        assert_nil expr.return_values.to_a[1].receiver
+        assert_equal :bar, expr.return_values.to_a[1].method_name
+        assert_equal [], expr.return_values.to_a[1].arguments
+      end
+
+      test "expression call with args in ternary" do
+        expr = BetterHtml::TestHelper::RubyNode.parse("something? ? foo(x) : bar(x)")
+        assert_equal 2, expr.return_values.count
+
+        assert_nil expr.return_values.to_a[0].receiver
+        assert_equal :foo, expr.return_values.to_a[0].method_name
+        assert_equal [s(:send, nil, :x)], expr.return_values.to_a[0].arguments
+
+        assert_nil expr.return_values.to_a[1].receiver
+        assert_equal :bar, expr.return_values.to_a[1].method_name
+        assert_equal [s(:send, nil, :x)], expr.return_values.to_a[1].arguments
+        refute_predicate expr, :static_return_value?
+      end
+
+      test "string without interpolation" do
+        expr = BetterHtml::TestHelper::RubyNode.parse('"foo"')
+        assert_equal 1, expr.return_values.count
+        assert_equal [s(:str, "foo")], expr.return_values.to_a
+        assert_predicate expr, :static_return_value?
+      end
+
+      test "string with interpolation" do
+        expr = BetterHtml::TestHelper::RubyNode.parse('"foo #{bar}"')
+        method_calls = expr.return_values.select(&:method_call?)
+        assert_equal 1, method_calls.count
+        assert_nil method_calls.first.receiver
+        assert_equal :bar, method_calls.first.method_name
+        assert_equal [], method_calls.first.arguments
+        refute_predicate expr, :static_return_value?
+      end
+
+      test "ternary in string with interpolation" do
+        expr = BetterHtml::TestHelper::RubyNode.parse('"foo #{foo? ? bar : baz}"')
+        method_calls = expr.return_values.select(&:method_call?)
+        assert_equal 2, method_calls.count
+
+        assert_nil method_calls.first.receiver
+        assert_equal :bar, method_calls.first.method_name
+        assert_equal [], method_calls.first.arguments
+
+        assert_nil method_calls.last.receiver
+        assert_equal :baz, method_calls.last.method_name
+        assert_equal [], method_calls.first.arguments
+        refute_predicate expr, :static_return_value?
+      end
+
+      test "assignment to variable" do
+        expr = BetterHtml::TestHelper::RubyNode.parse('x = foo.bar')
+        assert_equal 1, expr.return_values.count
+        assert_equal s(:send, nil, :foo), expr.return_values.first.receiver
+        assert_equal :bar, expr.return_values.first.method_name
+        assert_equal [], expr.return_values.first.arguments
+        refute_predicate expr, :static_return_value?
+      end
+
+      test "assignment to variable with command call" do
+        expr = BetterHtml::TestHelper::RubyNode.parse('raw x = foo.bar')
+        assert_equal 1, expr.return_values.count
+        assert_nil expr.return_values.first.receiver
+        assert_equal :raw, expr.return_values.first.method_name
+        assert_equal [s(:lvasgn, :x, s(:send, s(:send, nil, :foo), :bar))], expr.return_values.first.arguments
+        refute_predicate expr, :static_return_value?
+      end
+
+      test "assignment with instance call" do
+        expr = BetterHtml::TestHelper::RubyNode.parse('(x = foo).bar')
+        assert_equal 1, expr.return_values.count
+        assert_equal s(:begin, s(:lvasgn, :x, s(:send, nil, :foo))), expr.return_values.first.receiver
+        assert_equal :bar, expr.return_values.first.method_name
+        assert_equal [], expr.return_values.first.arguments
+        refute_predicate expr, :static_return_value?
+      end
+
+      test "assignment to multiple variables" do
+        expr = BetterHtml::TestHelper::RubyNode.parse('x, y = foo.bar')
+        assert_equal 1, expr.return_values.count
+        assert_equal s(:send, nil, :foo), expr.return_values.first.receiver
+        assert_equal :bar, expr.return_values.first.method_name
+        assert_equal [], expr.return_values.first.arguments
+        refute_predicate expr, :static_return_value?
+      end
+
+      test "safe navigation operator" do
+        expr = BetterHtml::TestHelper::RubyNode.parse('foo&.bar')
+        assert_equal 1, expr.return_values.count
+        assert_equal s(:send, nil, :foo), expr.return_values.to_a[0].receiver
+        assert_equal :bar, expr.return_values.to_a[0].method_name
+        assert_equal [], expr.return_values.to_a[0].arguments
+        refute_predicate expr, :static_return_value?
+      end
+
+      test "instance variable" do
+        expr = BetterHtml::TestHelper::RubyNode.parse('@foo')
+        assert_equal 0, expr.return_values.select(&:method_call?).count
+        refute_predicate expr, :static_return_value?
+      end
+
+      test "instance method on variable" do
+        expr = BetterHtml::TestHelper::RubyNode.parse('@foo.bar')
+        assert_equal 1, expr.return_values.count
+        assert_equal s(:ivar, :@foo), expr.return_values.first.receiver
+        assert_equal :bar, expr.return_values.first.method_name
+        assert_equal [], expr.return_values.first.arguments
+        refute_predicate expr, :static_return_value?
+      end
+
+      test "index into array" do
+        expr = BetterHtml::TestHelper::RubyNode.parse('local_assigns[:text_class] if local_assigns[:text_class]')
+        assert_equal 1, expr.return_values.count
+        assert_equal s(:send, nil, :local_assigns), expr.return_values.first.receiver
+        assert_equal :[], expr.return_values.first.method_name
+        assert_equal [s(:sym, :text_class)], expr.return_values.first.arguments
+        refute_predicate expr, :static_return_value?
+      end
+
+      test "static_return_value? for ivar" do
+        expr = BetterHtml::TestHelper::RubyNode.parse('@foo')
+        refute_predicate expr, :static_return_value?
+      end
+
+      test "static_return_value? for str" do
+        expr = BetterHtml::TestHelper::RubyNode.parse("'str'")
+        assert_predicate expr, :static_return_value?
+      end
+
+      test "static_return_value? for int" do
+        expr = BetterHtml::TestHelper::RubyNode.parse("1")
+        assert_predicate expr, :static_return_value?
+      end
+
+      test "static_return_value? for bool" do
+        expr = BetterHtml::TestHelper::RubyNode.parse("true")
+        assert_predicate expr, :static_return_value?
+      end
+
+      test "static_return_value? for nil" do
+        expr = BetterHtml::TestHelper::RubyNode.parse("nil")
+        assert_predicate expr, :static_return_value?
+      end
+
+      test "static_return_value? for dstr without interpolate" do
+        expr = BetterHtml::TestHelper::RubyNode.parse('"str"')
+        assert_predicate expr, :static_return_value?
+      end
+
+      test "static_return_value? for dstr with interpolate" do
+        expr = BetterHtml::TestHelper::RubyNode.parse('"str #{foo}"')
+        refute_predicate expr, :static_return_value?
+      end
+
+      test "static_return_value? with safe ternary" do
+        expr = BetterHtml::TestHelper::RubyNode.parse('foo ? \'a\' : \'b\'')
+        assert_predicate expr, :static_return_value?
+      end
+
+      test "static_return_value? with safe conditional" do
+        expr = BetterHtml::TestHelper::RubyNode.parse('\'foo\' if bar?')
+        assert_predicate expr, :static_return_value?
+      end
+
+      test "static_return_value? with safe assignment" do
+        expr = BetterHtml::TestHelper::RubyNode.parse('x = \'foo\'')
+        assert_predicate expr, :static_return_value?
+      end
+    end
+  end
+end