liquid 2.6.3 → 5.4.0

data/lib/liquid/context.rb

@@ -1,5 +1,6 @@
-module Liquid
+# frozen_string_literal: true
 
+module Liquid
   # Context keeps the variable stack and resolves variables, as well as keywords
   #
   #   context['variable'] = 'testing'
@@ -13,28 +14,53 @@ module Liquid
   #
   #   context['bob']  #=> nil  class Context
   class Context
-    attr_reader :scopes, :errors, :registers, :environments, :resource_limits
-
-    def initialize(environments = {}, outer_scope = {}, registers = {}, rethrow_errors = false, resource_limits = {})
-      @environments    = [environments].flatten
-      @scopes          = [(outer_scope || {})]
-      @registers       = registers
-      @errors          = []
-      @rethrow_errors  = rethrow_errors
-      @resource_limits = (resource_limits || {}).merge!({ :render_score_current => 0, :assign_score_current => 0 })
-      squash_instance_assigns_with_environments
+    attr_reader :scopes, :errors, :registers, :environments, :resource_limits, :static_registers, :static_environments
+    attr_accessor :exception_renderer, :template_name, :partial, :global_filter, :strict_variables, :strict_filters
+
+    # rubocop:disable Metrics/ParameterLists
+    def self.build(environments: {}, outer_scope: {}, registers: {}, rethrow_errors: false, resource_limits: nil, static_environments: {}, &block)
+      new(environments, outer_scope, registers, rethrow_errors, resource_limits, static_environments, &block)
+    end
+
+    def initialize(environments = {}, outer_scope = {}, registers = {}, rethrow_errors = false, resource_limits = nil, static_environments = {})
+      @environments = [environments]
+      @environments.flatten!
+
+      @static_environments = [static_environments].flat_map(&:freeze).freeze
+      @scopes              = [(outer_scope || {})]
+      @registers           = registers.is_a?(Registers) ? registers : Registers.new(registers)
+      @errors              = []
+      @partial             = false
+      @strict_variables    = false
+      @resource_limits     = resource_limits || ResourceLimits.new(Template.default_resource_limits)
+      @base_scope_depth    = 0
+      @interrupts          = []
+      @filters             = []
+      @global_filter       = nil
+      @disabled_tags       = {}
+
+      @registers.static[:cached_partials] ||= {}
+      @registers.static[:file_system] ||= Liquid::Template.file_system
+      @registers.static[:template_factory] ||= Liquid::TemplateFactory.new
+
+      self.exception_renderer = Template.default_exception_renderer
+      if rethrow_errors
+        self.exception_renderer = Liquid::RAISE_EXCEPTION_LAMBDA
+      end
 
-      @interrupts = []
+      yield self if block_given?
+
+      # Do this last, since it could result in this object being passed to a Proc in the environment
+      squash_instance_assigns_with_environments
     end
+    # rubocop:enable Metrics/ParameterLists
 
-    def resource_limits_reached?
-      (@resource_limits[:render_length_limit] && @resource_limits[:render_length_current] > @resource_limits[:render_length_limit]) ||
-      (@resource_limits[:render_score_limit]  && @resource_limits[:render_score_current]  > @resource_limits[:render_score_limit] ) ||
-      (@resource_limits[:assign_score_limit]  && @resource_limits[:assign_score_current]  > @resource_limits[:assign_score_limit] )
+    def warnings
+      @warnings ||= []
     end
 
     def strainer
-      @strainer ||= Strainer.create(self)
+      @strainer ||= StrainerFactory.create(self, @filters)
     end
 
     # Adds filters to this context.
@@ -43,17 +69,17 @@ module Liquid
     # for that
     def add_filters(filters)
       filters = [filters].flatten.compact
+      @filters += filters
+      @strainer = nil
+    end
 
-      filters.each do |f|
-        raise ArgumentError, "Expected module but got: #{f.class}" unless f.is_a?(Module)
-        Strainer.add_known_filter(f)
-        strainer.extend(f)
-      end
+    def apply_global_filter(obj)
+      global_filter.nil? ? obj : global_filter.call(obj)
     end
 
     # are there any not handled interrupts?
-    def has_interrupt?
-      @interrupts.any?
+    def interrupt?
+      !@interrupts.empty?
     end
 
     # push an interrupt to the stack. this interrupt is considered not handled.
@@ -66,26 +92,22 @@ module Liquid
       @interrupts.pop
     end
 
-    def handle_error(e)
+    def handle_error(e, line_number = nil)
+      e = internal_error unless e.is_a?(Liquid::Error)
+      e.template_name ||= template_name
+      e.line_number   ||= line_number
       errors.push(e)
-      raise if @rethrow_errors
-
-      case e
-      when SyntaxError
-        "Liquid syntax error: #{e.message}"
-      else
-        "Liquid error: #{e.message}"
-      end
+      exception_renderer.call(e).to_s
     end
 
     def invoke(method, *args)
-      strainer.invoke(method, *args)
+      strainer.invoke(method, *args).to_liquid
     end
 
     # Push new local scope on the stack. use <tt>Context#stack</tt> instead
-    def push(new_scope={})
+    def push(new_scope = {})
       @scopes.unshift(new_scope)
-      raise StackLevelError, "Nesting too deep" if @scopes.length > 100
+      check_overflow
     end
 
     # Merge a hash of variables in the current local scope
@@ -106,14 +128,34 @@ module Liquid
     #      context['var'] = 'hi'
     #   end
     #
-    #   context['var]  #=> nil
-    def stack(new_scope={})
+    #   context['var']  #=> nil
+    def stack(new_scope = {})
       push(new_scope)
       yield
     ensure
       pop
     end
 
+    # Creates a new context inheriting resource limits, filters, environment etc.,
+    # but with an isolated scope.
+    def new_isolated_subcontext
+      check_overflow
+
+      self.class.build(
+        resource_limits: resource_limits,
+        static_environments: static_environments,
+        registers: Registers.new(registers)
+      ).tap do |subcontext|
+        subcontext.base_scope_depth   = base_scope_depth + 1
+        subcontext.exception_renderer = exception_renderer
+        subcontext.filters  = @filters
+        subcontext.strainer = nil
+        subcontext.errors   = errors
+        subcontext.warnings = warnings
+        subcontext.disabled_tags = @disabled_tags
+      end
+    end
+
     def clear_instance_assigns
       @scopes[0] = {}
     end
@@ -123,145 +165,121 @@ module Liquid
       @scopes[0][key] = value
     end
 
-    def [](key)
-      resolve(key)
+    # Look up variable, either resolve directly after considering the name. We can directly handle
+    # Strings, digits, floats and booleans (true,false).
+    # If no match is made we lookup the variable in the current scope and
+    # later move up to the parent blocks to see if we can resolve the variable somewhere up the tree.
+    # Some special keywords return symbols. Those symbols are to be called on the rhs object in expressions
+    #
+    # Example:
+    #   products == empty #=> products.empty?
+    def [](expression)
+      evaluate(Expression.parse(expression))
     end
 
-    def has_key?(key)
-      resolve(key) != nil
+    def key?(key)
+      self[key] != nil
     end
 
-    private
-      LITERALS = {
-        nil => nil, 'nil' => nil, 'null' => nil, '' => nil,
-        'true'  => true,
-        'false' => false,
-        'blank' => :blank?,
-        'empty' => :empty?
-      }
-
-      # Look up variable, either resolve directly after considering the name. We can directly handle
-      # Strings, digits, floats and booleans (true,false).
-      # If no match is made we lookup the variable in the current scope and
-      # later move up to the parent blocks to see if we can resolve the variable somewhere up the tree.
-      # Some special keywords return symbols. Those symbols are to be called on the rhs object in expressions
-      #
-      # Example:
-      #   products == empty #=> products.empty?
-      def resolve(key)
-        if LITERALS.key?(key)
-          LITERALS[key]
-        else
-          case key
-          when /^'(.*)'$/ # Single quoted strings
-            $1
-          when /^"(.*)"$/ # Double quoted strings
-            $1
-          when /^(-?\d+)$/ # Integer and floats
-            $1.to_i
-          when /^\((\S+)\.\.(\S+)\)$/ # Ranges
-            (resolve($1).to_i..resolve($2).to_i)
-          when /^(-?\d[\d\.]+)$/ # Floats
-            $1.to_f
-          else
-            variable(key)
-          end
-        end
-      end
+    def evaluate(object)
+      object.respond_to?(:evaluate) ? object.evaluate(self) : object
+    end
 
-      # Fetches an object starting at the local scope and then moving up the hierachy
-      def find_variable(key)
-        scope = @scopes.find { |s| s.has_key?(key) }
-        variable = nil
-
-        if scope.nil?
-          @environments.each do |e|
-            if variable = lookup_and_evaluate(e, key)
-              scope = e
-              break
-            end
-          end
-        end
+    # Fetches an object starting at the local scope and then moving up the hierachy
+    def find_variable(key, raise_on_not_found: true)
+      # This was changed from find() to find_index() because this is a very hot
+      # path and find_index() is optimized in MRI to reduce object allocation
+      index = @scopes.find_index { |s| s.key?(key) }
+
+      variable = if index
+        lookup_and_evaluate(@scopes[index], key, raise_on_not_found: raise_on_not_found)
+      else
+        try_variable_find_in_environments(key, raise_on_not_found: raise_on_not_found)
+      end
 
-        scope     ||= @environments.last || @scopes.last
-        variable  ||= lookup_and_evaluate(scope, key)
+      variable         = variable.to_liquid
+      variable.context = self if variable.respond_to?(:context=)
 
-        variable = variable.to_liquid
-        variable.context = self if variable.respond_to?(:context=)
+      variable
+    end
 
-        return variable
+    def lookup_and_evaluate(obj, key, raise_on_not_found: true)
+      if @strict_variables && raise_on_not_found && obj.respond_to?(:key?) && !obj.key?(key)
+        raise Liquid::UndefinedVariable, "undefined variable #{key}"
       end
 
-      # Resolves namespaced queries gracefully.
-      #
-      # Example
-      #  @context['hash'] = {"name" => 'tobi'}
-      #  assert_equal 'tobi', @context['hash.name']
-      #  assert_equal 'tobi', @context['hash["name"]']
-      def variable(markup)
-        parts = markup.scan(VariableParser)
-        square_bracketed = /^\[(.*)\]$/
+      value = obj[key]
 
-        first_part = parts.shift
+      if value.is_a?(Proc) && obj.respond_to?(:[]=)
+        obj[key] = value.arity == 0 ? value.call : value.call(self)
+      else
+        value
+      end
+    end
 
-        if first_part =~ square_bracketed
-          first_part = resolve($1)
-        end
+    def with_disabled_tags(tag_names)
+      tag_names.each do |name|
+        @disabled_tags[name] = @disabled_tags.fetch(name, 0) + 1
+      end
+      yield
+    ensure
+      tag_names.each do |name|
+        @disabled_tags[name] -= 1
+      end
+    end
 
-        if object = find_variable(first_part)
+    def tag_disabled?(tag_name)
+      @disabled_tags.fetch(tag_name, 0) > 0
+    end
 
-          parts.each do |part|
-            part = resolve($1) if part_resolved = (part =~ square_bracketed)
+    protected
 
-            # If object is a hash- or array-like object we look for the
-            # presence of the key and if its available we return it
-            if object.respond_to?(:[]) and
-              ((object.respond_to?(:has_key?) and object.has_key?(part)) or
-               (object.respond_to?(:fetch) and part.is_a?(Integer)))
+    attr_writer :base_scope_depth, :warnings, :errors, :strainer, :filters, :disabled_tags
 
-              # if its a proc we will replace the entry with the proc
-              res = lookup_and_evaluate(object, part)
-              object = res.to_liquid
+    private
 
-              # Some special cases. If the part wasn't in square brackets and
-              # no key with the same name was found we interpret following calls
-              # as commands and call them on the current object
-            elsif !part_resolved and object.respond_to?(part) and ['size', 'first', 'last'].include?(part)
+    attr_reader :base_scope_depth
 
-              object = object.send(part.intern).to_liquid
+    def try_variable_find_in_environments(key, raise_on_not_found:)
+      @environments.each do |environment|
+        found_variable = lookup_and_evaluate(environment, key, raise_on_not_found: raise_on_not_found)
+        if !found_variable.nil? || @strict_variables && raise_on_not_found
+          return found_variable
+        end
+      end
+      @static_environments.each do |environment|
+        found_variable = lookup_and_evaluate(environment, key, raise_on_not_found: raise_on_not_found)
+        if !found_variable.nil? || @strict_variables && raise_on_not_found
+          return found_variable
+        end
+      end
+      nil
+    end
 
-              # No key was present with the desired value and it wasn't one of the directly supported
-              # keywords either. The only thing we got left is to return nil
-            else
-              return nil
-            end
+    def check_overflow
+      raise StackLevelError, "Nesting too deep" if overflow?
+    end
 
-            # If we are dealing with a drop here we have to
-            object.context = self if object.respond_to?(:context=)
-          end
-        end
+    def overflow?
+      base_scope_depth + @scopes.length > Block::MAX_DEPTH
+    end
 
-        object
-      end # variable
+    def internal_error
+      # raise and catch to set backtrace and cause on exception
+      raise Liquid::InternalError, 'internal'
+    rescue Liquid::InternalError => exc
+      exc
+    end
 
-      def lookup_and_evaluate(obj, key)
-        if (value = obj[key]).is_a?(Proc) && obj.respond_to?(:[]=)
-          obj[key] = (value.arity == 0) ? value.call : value.call(self)
-        else
-          value
-        end
-      end # lookup_and_evaluate
-
-      def squash_instance_assigns_with_environments
-        @scopes.last.each_key do |k|
-          @environments.each do |env|
-            if env.has_key?(k)
-              scopes.last[k] = lookup_and_evaluate(env, k)
-              break
-            end
+    def squash_instance_assigns_with_environments
+      @scopes.last.each_key do |k|
+        @environments.each do |env|
+          if env.key?(k)
+            scopes.last[k] = lookup_and_evaluate(env, k)
+            break
           end
         end
-      end # squash_instance_assigns_with_environments
+      end
+    end # squash_instance_assigns_with_environments
   end # Context
-
 end # Liquid

data/lib/liquid/document.rb

@@ -1,17 +1,65 @@
+# frozen_string_literal: true
+
 module Liquid
-  class Document < Block
-    # we don't need markup to open this block
-    def initialize(tokens)
-      parse(tokens)
+  class Document
+    def self.parse(tokens, parse_context)
+      doc = new(parse_context)
+      doc.parse(tokens, parse_context)
+      doc
+    end
+
+    attr_reader :parse_context, :body
+
+    def initialize(parse_context)
+      @parse_context = parse_context
+      @body = new_body
+    end
+
+    def nodelist
+      @body.nodelist
+    end
+
+    def parse(tokenizer, parse_context)
+      while parse_body(tokenizer)
+      end
+      @body.freeze
+    rescue SyntaxError => e
+      e.line_number ||= parse_context.line_number
+      raise
     end
 
-    # There isn't a real delimiter
-    def block_delimiter
-      []
+    def unknown_tag(tag, _markup, _tokenizer)
+      case tag
+      when 'else', 'end'
+        raise SyntaxError, parse_context.locale.t("errors.syntax.unexpected_outer_tag", tag: tag)
+      else
+        raise SyntaxError, parse_context.locale.t("errors.syntax.unknown_tag", tag: tag)
+      end
+    end
+
+    def render_to_output_buffer(context, output)
+      @body.render_to_output_buffer(context, output)
+    end
+
+    def render(context)
+      render_to_output_buffer(context, +'')
+    end
+
+    private
+
+    def new_body
+      parse_context.new_block_body
     end
 
-    # Document blocks don't need to be terminated since they are not actually opened
-    def assert_missing_delimitation!
+    def parse_body(tokenizer)
+      @body.parse(tokenizer, parse_context) do |unknown_tag_name, unknown_tag_markup|
+        if unknown_tag_name
+          unknown_tag(unknown_tag_name, unknown_tag_markup, tokenizer)
+          true
+        else
+          false
+        end
+      end
     end
   end
 end

data/lib/liquid/drop.rb

@@ -1,7 +1,8 @@
+# frozen_string_literal: true
+
 require 'set'
 
 module Liquid
-
   # A drop in liquid is a class which allows you to export DOM like things to liquid.
   # Methods of drops are callable.
   # The main use for liquid drops is to implement lazy loaded objects.
@@ -19,43 +20,61 @@ module Liquid
   #   tmpl = Liquid::Template.parse( ' {% for product in product.top_sales %} {{ product.name }} {%endfor%} '  )
   #   tmpl.render('product' => ProductDrop.new ) # will invoke top_sales query.
   #
-  # Your drop can either implement the methods sans any parameters or implement the before_method(name) method which is a
-  # catch all.
+  # Your drop can either implement the methods sans any parameters
+  # or implement the liquid_method_missing(name) method which is a catch all.
   class Drop
     attr_writer :context
 
-    EMPTY_STRING = ''.freeze
-
     # Catch all for the method
-    def before_method(method)
-      nil
+    def liquid_method_missing(method)
+      return nil unless @context&.strict_variables
+      raise Liquid::UndefinedDropMethod, "undefined method #{method}"
     end
 
     # called by liquid to invoke a drop
     def invoke_drop(method_or_key)
-      if method_or_key && method_or_key != EMPTY_STRING && self.class.invokable?(method_or_key)
+      if self.class.invokable?(method_or_key)
         send(method_or_key)
       else
-        before_method(method_or_key)
+        liquid_method_missing(method_or_key)
       end
     end
 
-    def has_key?(name)
+    def key?(_name)
       true
     end
 
+    def inspect
+      self.class.to_s
+    end
+
     def to_liquid
       self
     end
 
-    alias :[] :invoke_drop
+    def to_s
+      self.class.name
+    end
 
-    private
+    alias_method :[], :invoke_drop
 
     # Check for method existence without invoking respond_to?, which creates symbols
     def self.invokable?(method_name)
-      @invokable_methods ||= Set.new(["to_liquid"] + (public_instance_methods - Liquid::Drop.public_instance_methods).map(&:to_s))
-      @invokable_methods.include?(method_name.to_s)
+      invokable_methods.include?(method_name.to_s)
+    end
+
+    def self.invokable_methods
+      @invokable_methods ||= begin
+        blacklist = Liquid::Drop.public_instance_methods + [:each]
+
+        if include?(Enumerable)
+          blacklist += Enumerable.public_instance_methods
+          blacklist -= [:sort, :count, :first, :min, :max]
+        end
+
+        whitelist = [:to_liquid] + (public_instance_methods - blacklist)
+        Set.new(whitelist.map(&:to_s))
+      end
     end
   end
 end

data/lib/liquid/errors.rb

@@ -1,12 +1,58 @@
+# frozen_string_literal: true
+
 module Liquid
-  class Error < ::StandardError; end
-
-  class ArgumentError < Error; end
-  class ContextError < Error; end
-  class FilterNotFound < Error; end
-  class FileSystemError < Error; end
-  class StandardError < Error; end
-  class SyntaxError < Error; end
-  class StackLevelError < Error; end
-  class MemoryError < Error; end
+  class Error < ::StandardError
+    attr_accessor :line_number
+    attr_accessor :template_name
+    attr_accessor :markup_context
+
+    def to_s(with_prefix = true)
+      str = +""
+      str << message_prefix if with_prefix
+      str << super()
+
+      if markup_context
+        str << " "
+        str << markup_context
+      end
+
+      str
+    end
+
+    private
+
+    def message_prefix
+      str = +""
+      str << if is_a?(SyntaxError)
+        "Liquid syntax error"
+      else
+        "Liquid error"
+      end
+
+      if line_number
+        str << " ("
+        str << template_name << " " if template_name
+        str << "line " << line_number.to_s << ")"
+      end
+
+      str << ": "
+      str
+    end
+  end
+
+  ArgumentError       = Class.new(Error)
+  ContextError        = Class.new(Error)
+  FileSystemError     = Class.new(Error)
+  StandardError       = Class.new(Error)
+  SyntaxError         = Class.new(Error)
+  StackLevelError     = Class.new(Error)
+  MemoryError         = Class.new(Error)
+  ZeroDivisionError   = Class.new(Error)
+  FloatDomainError    = Class.new(Error)
+  UndefinedVariable   = Class.new(Error)
+  UndefinedDropMethod = Class.new(Error)
+  UndefinedFilter     = Class.new(Error)
+  MethodOverrideError = Class.new(Error)
+  DisabledError       = Class.new(Error)
+  InternalError       = Class.new(Error)
 end

data/lib/liquid/expression.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module Liquid
+  class Expression
+    LITERALS = {
+      nil => nil, 'nil' => nil, 'null' => nil, '' => nil,
+      'true' => true,
+      'false' => false,
+      'blank' => '',
+      'empty' => ''
+    }.freeze
+
+    INTEGERS_REGEX       = /\A(-?\d+)\z/
+    FLOATS_REGEX         = /\A(-?\d[\d\.]+)\z/
+
+    # Use an atomic group (?>...) to avoid pathological backtracing from
+    # malicious input as described in https://github.com/Shopify/liquid/issues/1357
+    RANGES_REGEX         = /\A\(\s*(?>(\S+)\s*\.\.)\s*(\S+)\s*\)\z/
+
+    def self.parse(markup)
+      return nil unless markup
+
+      markup = markup.strip
+      if (markup.start_with?('"') && markup.end_with?('"')) ||
+         (markup.start_with?("'") && markup.end_with?("'"))
+        return markup[1..-2]
+      end
+
+      case markup
+      when INTEGERS_REGEX
+        Regexp.last_match(1).to_i
+      when RANGES_REGEX
+        RangeLookup.parse(Regexp.last_match(1), Regexp.last_match(2))
+      when FLOATS_REGEX
+        Regexp.last_match(1).to_f
+      else
+        if LITERALS.key?(markup)
+          LITERALS[markup]
+        else
+          VariableLookup.parse(markup)
+        end
+      end
+    end
+  end
+end