code-ruby 3.1.2 → 4.0.1

data/lib/code/parser.rb

@@ -32,37 +32,37 @@ class Code
       while
     ].freeze
 
-    MULTI_CHAR_OPERATORS = [
-      "&.",
-      "&&",
-      "&&=",
-      "**",
-      "*=",
-      "+=",
-      "-=",
-      "..",
-      "...",
-      "/=",
-      "::",
-      "<<=",
-      "<<",
-      "<=>",
-      "<=",
-      "===",
-      "==",
-      "=~",
-      ">=",
-      ">>=",
-      ">>",
-      "||=",
-      "||",
-      "|=",
-      "!==",
-      "!=",
-      "!~",
-      "%=",
-      "^=",
-      "=>"
+    MULTI_CHAR_OPERATORS = %w[
+      &.
+      &&
+      &&=
+      **
+      *=
+      +=
+      -=
+      ..
+      ...
+      /=
+      ::
+      <<=
+      <<
+      <=>
+      <=
+      ===
+      ==
+      =~
+      >=
+      >>=
+      >>
+      ||=
+      ||
+      |=
+      !==
+      !=
+      !~
+      %=
+      ^=
+      =>
     ].sort_by(&:length).reverse.freeze
     CONTINUATION_KEYWORDS = %w[or and rescue].freeze
     POSTFIX_CONTINUATIONS = %w[. :: &.].freeze
@@ -73,7 +73,7 @@ class Code
     SUFFIX_PUNCTUATION = %w[! ?].freeze
 
     ASSIGNMENT_RHS_MIN_BP = 20
-
+    MAX_NESTING = 200
     INFIX_PRECEDENCE = {
       "if" => [10, 9],
       "unless" => [10, 9],
@@ -129,6 +129,7 @@ class Code
 
     def initialize(input)
       @input = input.to_s
+      ensure_source_nesting_limit!(@input)
       @tokens = lex(@input)
       @index = 0
     end
@@ -141,6 +142,10 @@ class Code
       Node::Code.new(parse_code)
     end
 
+    def lex_source(source)
+      lex(source.to_s)
+    end
+
     private
 
     attr_reader :input, :tokens
@@ -284,7 +289,12 @@ class Code
       case current.value
       when ".", "::", "&."
         operator = advance.value
-        statement = parse_expression(151)
+        statement =
+          if current.type == :keyword
+            { call: { name: advance.value } }
+          else
+            parse_expression(151)
+          end
         append_left_operation(left, operator, statement)
       when "["
         advance
@@ -565,6 +575,19 @@ class Code
     end
 
     def parse_argument
+      if current.type == :operator && %w[* ** & && ...].include?(current.value)
+        operator = advance.value
+        value =
+          if %w[, )].include?(next_significant_token.value)
+            skip_newlines
+            nil
+          else
+            parse_code(stop_values: %w[, )])
+          end
+
+        return { operator: operator, value: value }.compact
+      end
+
       if label_name_start?(current) && next_token_value == ":"
         name = advance.value
         advance
@@ -653,10 +676,11 @@ class Code
 
       {
         name: name,
-        regular_splat: (true if prefix == "*"),
-        keyword_splat: (true if prefix == "**"),
-        block: (true if prefix == "&"),
-        spread: (true if %w[. .. ...].include?(prefix)),
+        regular_splat: (prefix if prefix == "*"),
+        keyword_splat: (prefix if prefix == "**"),
+        block: (prefix if prefix == "&"),
+        blocks: (prefix if prefix == "&&"),
+        spread: (prefix if %w[. .. ...].include?(prefix)),
         default: default
       }.compact
     end
@@ -664,7 +688,7 @@ class Code
     def parse_parameter_prefix
       return unless current.type == :operator
 
-      advance.value if %w[* ** & .. ... .].include?(current.value)
+      advance.value if %w[* ** & && .. ... .].include?(current.value)
     end
 
     def parse_optional_code(stop_values)
@@ -952,6 +976,67 @@ class Code
       raise Error, "#{message} at #{token.position}"
     end
 
+    def ensure_source_nesting_limit!(source)
+      depth = 0
+      quote = nil
+      escaped = false
+      index = 0
+
+      while index < source.length
+        char = source[index]
+        if quote
+          if escaped
+            escaped = false
+          elsif char == "\\"
+            escaped = true
+          elsif char == quote
+            quote = nil
+          end
+          index += 1
+          next
+        end
+
+        if %w[' "].include?(char)
+          quote = char
+        elsif char == "#"
+          index += 1
+          index += 1 while index < source.length &&
+            !NEWLINE_CHARACTERS.include?(source[index])
+          next
+        elsif source[index, 2] == "//"
+          index += 2
+          index += 1 while index < source.length &&
+            !NEWLINE_CHARACTERS.include?(source[index])
+          next
+        elsif source[index, 2] == "/*"
+          index += 2
+          index += 1 while index < source.length && source[index, 2] != "*/"
+          index += 2 if source[index, 2] == "*/"
+          next
+        elsif "([{".include?(char)
+          depth += 1
+          if depth > MAX_NESTING
+            raise_parse_error_at("source is too deeply nested", index)
+          end
+        elsif ")]}".include?(char)
+          depth -= 1 if depth.positive?
+        end
+        index += 1
+      end
+    end
+
+    def raise_parse_error_at(message, position)
+      token =
+        Token.new(
+          type: :unknown,
+          value: "",
+          position: position,
+          newline_before: false,
+          space_before: false
+        )
+      raise_parse_error(message, token)
+    end
+
     def lex(source)
       tokens = []
       index = 0
@@ -1200,10 +1285,16 @@ class Code
         end
 
         if char == "{"
-          parts << { type: :text, value: text } unless text.empty?
-          text = +""
-          code, i = extract_braced(source, i)
-          parts << { type: :code, value: code }
+          code, i, closed = extract_braced(source, i)
+
+          if closed
+            parts << { type: :text, value: text } unless text.empty?
+            text = +""
+            parts << { type: :code, value: code }
+          else
+            text << "{" << code
+            text << "}" if closed
+          end
           next
         end
 
@@ -1219,28 +1310,74 @@ class Code
       depth = 1
       i = index + 1
       body = +""
+      quote = nil
+      escaped = false
 
       while i < source.length
         char = source[i]
 
-        if char == "{"
+        if quote
+          body << char
+          if escaped
+            escaped = false
+          elsif char == "\\"
+            escaped = true
+          elsif char == quote
+            quote = nil
+          end
+          i += 1
+          next
+        end
+
+        if %w[' "].include?(char)
+          quote = char
+        elsif char == "#"
+          while i < source.length && !NEWLINE_CHARACTERS.include?(source[i])
+            body << source[i]
+            i += 1
+          end
+          next
+        elsif source[i, 2] == "//"
+          2.times do
+            body << source[i]
+            i += 1
+          end
+          while i < source.length && !NEWLINE_CHARACTERS.include?(source[i])
+            body << source[i]
+            i += 1
+          end
+          next
+        elsif source[i, 2] == "/*"
+          2.times do
+            body << source[i]
+            i += 1
+          end
+          while i < source.length && source[i, 2] != "*/"
+            body << source[i]
+            i += 1
+          end
+          if source[i, 2] == "*/"
+            2.times do
+              body << source[i]
+              i += 1
+            end
+          end
+          next
+        elsif char == "{"
           depth += 1
         elsif char == "}"
           depth -= 1
-          return body, i + 1 if depth.zero?
+          return body, i + 1, true if depth.zero?
         end
         body << char
         i += 1
       end
 
-      [body, i]
+      [body, i, false]
     end
 
     def scan_number(source, index)
-      rest = source[index..]
-      return unless rest
-
-      if (match = /\A0[xX][0-9a-fA-F](?:_?[0-9a-fA-F])*/.match(rest))
+      if (match = /\G0[xX][0-9a-fA-F](?:_?[0-9a-fA-F])*/.match(source, index))
         return(
           {
             raw: {
@@ -1253,7 +1390,7 @@ class Code
         )
       end
 
-      if (match = /\A0[oO][0-7](?:_?[0-7])*/.match(rest))
+      if (match = /\G0[oO][0-7](?:_?[0-7])*/.match(source, index))
         return(
           {
             raw: {
@@ -1266,7 +1403,7 @@ class Code
         )
       end
 
-      if (match = /\A0[bB][01](?:_?[01])*/.match(rest))
+      if (match = /\G0[bB][01](?:_?[01])*/.match(source, index))
         return(
           {
             raw: {
@@ -1281,8 +1418,9 @@ class Code
 
       if (
            match =
-             /\A[0-9](?:_?[0-9])*\.[0-9](?:_?[0-9])*(?:[eE][0-9](?:_?[0-9])*(?:\.[0-9](?:_?[0-9])*)?)?/.match(
-               rest
+             /\G[0-9](?:_?[0-9])*\.[0-9](?:_?[0-9])*(?:[eE][0-9](?:_?[0-9])*(?:\.[0-9](?:_?[0-9])*)?)?/.match(
+               source,
+               index
              )
          )
         decimal, exponent = match[0].split(/[eE]/, 2)
@@ -1295,8 +1433,9 @@ class Code
 
       if (
            match =
-             /\A[0-9](?:_?[0-9])*(?:[eE][0-9](?:_?[0-9])*(?:\.[0-9](?:_?[0-9])*)?)?/.match(
-               rest
+             /\G[0-9](?:_?[0-9])*(?:[eE][0-9](?:_?[0-9])*(?:\.[0-9](?:_?[0-9])*)?)?/.match(
+               source,
+               index
              )
          )
         whole, exponent = match[0].split(/[eE]/, 2)

data/lib/code-ruby.rb

@@ -8,10 +8,13 @@ require "date"
 require "did_you_mean"
 require "digest"
 require "icalendar"
+require "ipaddr"
 require "json"
 require "mail"
 require "net/http"
 require "nokogiri"
+require "openssl"
+require "resolv"
 require "stringio"
 require "timeout"
 require "uri"

data/lib/code.rb

@@ -1,8 +1,9 @@
 # frozen_string_literal: true
 
 class Code
-  GLOBALS = %i[context error input object output source].freeze
-  DEFAULT_TIMEOUT = 0
+  GLOBALS = %i[context error input object output root_object source].freeze
+  DEFAULT_TIMEOUT = 1.hour.to_f
+  MAX_INPUT_BYTES = 10.megabytes
   LOCALES = %w[en fr].freeze
 
   def initialize(
@@ -20,13 +21,18 @@ class Code
     @object = object
     @output = output
     @source = source
-    @timeout = timeout
+    @timeout = self.class.normalize_timeout!(timeout)
   end
 
   def self.parse(source, timeout: DEFAULT_TIMEOUT)
+    timeout = normalize_timeout!(timeout)
+
+    ensure_input_size!(source, label: "source")
     Timeout.timeout(timeout) { Parser.parse(source).to_raw }
   rescue Timeout::Error
     raise Error, "timeout"
+  rescue SystemStackError
+    raise Error, "source is too deeply nested"
   end
 
   def self.evaluate(...)
@@ -44,7 +50,23 @@ class Code
     Format.format(parse_tree)
   end
 
+  def self.ensure_input_size!(source, limit: MAX_INPUT_BYTES, label: "input")
+    return if source.to_s.bytesize <= limit
+
+    raise Error, "#{label} is too large"
+  end
+
+  def self.normalize_timeout!(timeout)
+    timeout = DEFAULT_TIMEOUT if timeout.nil?
+    timeout = timeout.to_f
+    raise Error, "timeout must be positive" unless timeout.positive?
+
+    timeout
+  end
+
   def evaluate
+    time_zone = ::Time.zone
+
     Timeout.timeout(timeout) do
       Node::Code.new(Code.parse(source)).evaluate(
         context: context,
@@ -53,6 +75,7 @@ class Code
         input: input,
         object: object,
         output: output,
+        root_object: object,
         source: source,
         timeout: timeout
       )
@@ -61,6 +84,10 @@ class Code
     raise Error, "timeout"
   rescue Interrupt
     raise Error, "interrupt"
+  rescue SystemStackError
+    raise Error, "source is too deeply nested"
+  ensure
+    ::Time.zone = time_zone
   end
 
   private