liquid 4.0.1 → 5.4.0

data/lib/liquid/condition.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Liquid
   # Container for liquid nodes which conveniently wraps decision making logic
   #
@@ -6,41 +8,60 @@ module Liquid
   #   c = Condition.new(1, '==', 1)
   #   c.evaluate #=> true
   #
-  class Condition #:nodoc:
+  class Condition # :nodoc:
     @@operators = {
-      '=='.freeze => ->(cond, left, right) {  cond.send(:equal_variables, left, right) },
-      '!='.freeze => ->(cond, left, right) { !cond.send(:equal_variables, left, right) },
-      '<>'.freeze => ->(cond, left, right) { !cond.send(:equal_variables, left, right) },
-      '<'.freeze  => :<,
-      '>'.freeze  => :>,
-      '>='.freeze => :>=,
-      '<='.freeze => :<=,
-      'contains'.freeze => lambda do |cond, left, right|
+      '==' => ->(cond, left, right) {  cond.send(:equal_variables, left, right) },
+      '!=' => ->(cond, left, right) { !cond.send(:equal_variables, left, right) },
+      '<>' => ->(cond, left, right) { !cond.send(:equal_variables, left, right) },
+      '<' => :<,
+      '>' => :>,
+      '>=' => :>=,
+      '<=' => :<=,
+      'contains' => lambda do |_cond, left, right|
         if left && right && left.respond_to?(:include?)
           right = right.to_s if left.is_a?(String)
           left.include?(right)
         else
           false
         end
+      end,
+    }
+
+    class MethodLiteral
+      attr_reader :method_name, :to_s
+
+      def initialize(method_name, to_s)
+        @method_name = method_name
+        @to_s = to_s
       end
+    end
+
+    @@method_literals = {
+      'blank' => MethodLiteral.new(:blank?, '').freeze,
+      'empty' => MethodLiteral.new(:empty?, '').freeze,
     }
 
     def self.operators
       @@operators
     end
 
-    attr_reader :attachment
+    def self.parse_expression(parse_context, markup)
+      @@method_literals[markup] || parse_context.parse_expression(markup)
+    end
+
+    attr_reader :attachment, :child_condition
     attr_accessor :left, :operator, :right
 
     def initialize(left = nil, operator = nil, right = nil)
-      @left = left
+      @left     = left
       @operator = operator
-      @right = right
+      @right    = right
+
       @child_relation  = nil
       @child_condition = nil
     end
 
-    def evaluate(context = Context.new)
+    def evaluate(context = deprecated_default_context)
       condition = self
       result = nil
       loop do
@@ -60,12 +81,12 @@ module Liquid
     end
 
     def or(condition)
-      @child_relation = :or
+      @child_relation  = :or
       @child_condition = condition
     end
 
     def and(condition)
-      @child_relation = :and
+      @child_relation  = :and
       @child_condition = condition
     end
 
@@ -78,17 +99,17 @@ module Liquid
     end
 
     def inspect
-      "#<Condition #{[@left, @operator, @right].compact.join(' '.freeze)}>"
+      "#<Condition #{[@left, @operator, @right].compact.join(' ')}>"
     end
 
     protected
 
-    attr_reader :child_relation, :child_condition
+    attr_reader :child_relation
 
     private
 
     def equal_variables(left, right)
-      if left.is_a?(Liquid::Expression::MethodLiteral)
+      if left.is_a?(MethodLiteral)
         if right.respond_to?(left.method_name)
           return right.send(left.method_name)
         else
@@ -96,7 +117,7 @@ module Liquid
         end
       end
 
-      if right.is_a?(Liquid::Expression::MethodLiteral)
+      if right.is_a?(MethodLiteral)
         if left.respond_to?(right.method_name)
           return left.send(right.method_name)
         else
@@ -113,10 +134,10 @@ module Liquid
       # return this as the result.
       return context.evaluate(left) if op.nil?
 
-      left = context.evaluate(left)
-      right = context.evaluate(right)
+      left  = Liquid::Utils.to_liquid_value(context.evaluate(left))
+      right = Liquid::Utils.to_liquid_value(context.evaluate(right))
 
-      operation = self.class.operators[op] || raise(Liquid::ArgumentError.new("Unknown operator #{op}"))
+      operation = self.class.operators[op] || raise(Liquid::ArgumentError, "Unknown operator #{op}")
 
       if operation.respond_to?(:call)
         operation.call(self, left, right)
@@ -124,10 +145,25 @@ module Liquid
         begin
           left.send(operation, right)
         rescue ::ArgumentError => e
-          raise Liquid::ArgumentError.new(e.message)
+          raise Liquid::ArgumentError, e.message
         end
       end
     end
+
+    def deprecated_default_context
+      warn("DEPRECATION WARNING: Condition#evaluate without a context argument is deprecated" \
+        " and will be removed from Liquid 6.0.0.")
+      Context.new
+    end
+
+    class ParseTreeVisitor < Liquid::ParseTreeVisitor
+      def children
+        [
+          @node.left, @node.right,
+          @node.child_condition, @node.attachment
+        ].compact
+      end
+    end
   end
 
   class ElseCondition < Condition

data/lib/liquid/context.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Liquid
   # Context keeps the variable stack and resolves variables, as well as keywords
   #
@@ -12,37 +14,53 @@ module Liquid
   #
   #   context['bob']  #=> nil  class Context
   class Context
-    attr_reader :scopes, :errors, :registers, :environments, :resource_limits
+    attr_reader :scopes, :errors, :registers, :environments, :resource_limits, :static_registers, :static_environments
     attr_accessor :exception_renderer, :template_name, :partial, :global_filter, :strict_variables, :strict_filters
 
-    def initialize(environments = {}, outer_scope = {}, registers = {}, rethrow_errors = false, resource_limits = nil)
-      @environments     = [environments].flatten
-      @scopes           = [(outer_scope || {})]
-      @registers        = registers
-      @errors           = []
-      @partial          = false
-      @strict_variables = false
-      @resource_limits  = resource_limits || ResourceLimits.new(Template.default_resource_limits)
-      squash_instance_assigns_with_environments
+    # rubocop:disable Metrics/ParameterLists
+    def self.build(environments: {}, outer_scope: {}, registers: {}, rethrow_errors: false, resource_limits: nil, static_environments: {}, &block)
+      new(environments, outer_scope, registers, rethrow_errors, resource_limits, static_environments, &block)
+    end
 
-      @this_stack_used = false
+    def initialize(environments = {}, outer_scope = {}, registers = {}, rethrow_errors = false, resource_limits = nil, static_environments = {})
+      @environments = [environments]
+      @environments.flatten!
+
+      @static_environments = [static_environments].flat_map(&:freeze).freeze
+      @scopes              = [(outer_scope || {})]
+      @registers           = registers.is_a?(Registers) ? registers : Registers.new(registers)
+      @errors              = []
+      @partial             = false
+      @strict_variables    = false
+      @resource_limits     = resource_limits || ResourceLimits.new(Template.default_resource_limits)
+      @base_scope_depth    = 0
+      @interrupts          = []
+      @filters             = []
+      @global_filter       = nil
+      @disabled_tags       = {}
+
+      @registers.static[:cached_partials] ||= {}
+      @registers.static[:file_system] ||= Liquid::Template.file_system
+      @registers.static[:template_factory] ||= Liquid::TemplateFactory.new
 
       self.exception_renderer = Template.default_exception_renderer
       if rethrow_errors
-        self.exception_renderer = ->(e) { raise }
+        self.exception_renderer = Liquid::RAISE_EXCEPTION_LAMBDA
       end
 
-      @interrupts = []
-      @filters = []
-      @global_filter = nil
+      yield self if block_given?
+
+      # Do this last, since it could result in this object being passed to a Proc in the environment
+      squash_instance_assigns_with_environments
     end
+    # rubocop:enable Metrics/ParameterLists
 
     def warnings
       @warnings ||= []
     end
 
     def strainer
-      @strainer ||= Strainer.create(self, @filters)
+      @strainer ||= StrainerFactory.create(self, @filters)
     end
 
     # Adds filters to this context.
@@ -77,7 +95,7 @@ module Liquid
     def handle_error(e, line_number = nil)
       e = internal_error unless e.is_a?(Liquid::Error)
       e.template_name ||= template_name
-      e.line_number ||= line_number
+      e.line_number   ||= line_number
       errors.push(e)
       exception_renderer.call(e).to_s
     end
@@ -89,7 +107,7 @@ module Liquid
     # Push new local scope on the stack. use <tt>Context#stack</tt> instead
     def push(new_scope = {})
       @scopes.unshift(new_scope)
-      raise StackLevelError, "Nesting too deep".freeze if @scopes.length > Block::MAX_DEPTH
+      check_overflow
     end
 
     # Merge a hash of variables in the current local scope
@@ -110,20 +128,32 @@ module Liquid
     #      context['var'] = 'hi'
     #   end
     #
-    #   context['var]  #=> nil
-    def stack(new_scope = nil)
-      old_stack_used = @this_stack_used
-      if new_scope
-        push(new_scope)
-        @this_stack_used = true
-      else
-        @this_stack_used = false
-      end
-
+    #   context['var']  #=> nil
+    def stack(new_scope = {})
+      push(new_scope)
       yield
     ensure
-      pop if @this_stack_used
-      @this_stack_used = old_stack_used
+      pop
+    end
+
+    # Creates a new context inheriting resource limits, filters, environment etc.,
+    # but with an isolated scope.
+    def new_isolated_subcontext
+      check_overflow
+
+      self.class.build(
+        resource_limits: resource_limits,
+        static_environments: static_environments,
+        registers: Registers.new(registers)
+      ).tap do |subcontext|
+        subcontext.base_scope_depth   = base_scope_depth + 1
+        subcontext.exception_renderer = exception_renderer
+        subcontext.filters  = @filters
+        subcontext.strainer = nil
+        subcontext.errors   = errors
+        subcontext.warnings = warnings
+        subcontext.disabled_tags = @disabled_tags
+      end
     end
 
     def clear_instance_assigns
@@ -132,10 +162,6 @@ module Liquid
 
     # Only allow String, Numeric, Hash, Array, Proc, Boolean or <tt>Liquid::Drop</tt>
     def []=(key, value)
-      unless @this_stack_used
-        @this_stack_used = true
-        push({})
-      end
       @scopes[0][key] = value
     end
 
@@ -164,26 +190,14 @@ module Liquid
       # This was changed from find() to find_index() because this is a very hot
       # path and find_index() is optimized in MRI to reduce object allocation
       index = @scopes.find_index { |s| s.key?(key) }
-      scope = @scopes[index] if index
-
-      variable = nil
 
-      if scope.nil?
-        @environments.each do |e|
-          variable = lookup_and_evaluate(e, key, raise_on_not_found: raise_on_not_found)
-          # When lookup returned a value OR there is no value but the lookup also did not raise
-          # then it is the value we are looking for.
-          if !variable.nil? || @strict_variables && raise_on_not_found
-            scope = e
-            break
-          end
-        end
+      variable = if index
+        lookup_and_evaluate(@scopes[index], key, raise_on_not_found: raise_on_not_found)
+      else
+        try_variable_find_in_environments(key, raise_on_not_found: raise_on_not_found)
       end
 
-      scope ||= @environments.last || @scopes.last
-      variable ||= lookup_and_evaluate(scope, key, raise_on_not_found: raise_on_not_found)
-
-      variable = variable.to_liquid
+      variable         = variable.to_liquid
       variable.context = self if variable.respond_to?(:context=)
 
       variable
@@ -197,14 +211,59 @@ module Liquid
       value = obj[key]
 
       if value.is_a?(Proc) && obj.respond_to?(:[]=)
-        obj[key] = (value.arity == 0) ? value.call : value.call(self)
+        obj[key] = value.arity == 0 ? value.call : value.call(self)
       else
         value
       end
     end
 
+    def with_disabled_tags(tag_names)
+      tag_names.each do |name|
+        @disabled_tags[name] = @disabled_tags.fetch(name, 0) + 1
+      end
+      yield
+    ensure
+      tag_names.each do |name|
+        @disabled_tags[name] -= 1
+      end
+    end
+
+    def tag_disabled?(tag_name)
+      @disabled_tags.fetch(tag_name, 0) > 0
+    end
+
+    protected
+
+    attr_writer :base_scope_depth, :warnings, :errors, :strainer, :filters, :disabled_tags
+
     private
 
+    attr_reader :base_scope_depth
+
+    def try_variable_find_in_environments(key, raise_on_not_found:)
+      @environments.each do |environment|
+        found_variable = lookup_and_evaluate(environment, key, raise_on_not_found: raise_on_not_found)
+        if !found_variable.nil? || @strict_variables && raise_on_not_found
+          return found_variable
+        end
+      end
+      @static_environments.each do |environment|
+        found_variable = lookup_and_evaluate(environment, key, raise_on_not_found: raise_on_not_found)
+        if !found_variable.nil? || @strict_variables && raise_on_not_found
+          return found_variable
+        end
+      end
+      nil
+    end
+
+    def check_overflow
+      raise StackLevelError, "Nesting too deep" if overflow?
+    end
+
+    def overflow?
+      base_scope_depth + @scopes.length > Block::MAX_DEPTH
+    end
+
     def internal_error
       # raise and catch to set backtrace and cause on exception
       raise Liquid::InternalError, 'internal'

data/lib/liquid/document.rb

@@ -1,26 +1,64 @@
+# frozen_string_literal: true
+
 module Liquid
-  class Document < BlockBody
+  class Document
     def self.parse(tokens, parse_context)
-      doc = new
+      doc = new(parse_context)
       doc.parse(tokens, parse_context)
       doc
     end
 
-    def parse(tokens, parse_context)
-      super do |end_tag_name, end_tag_params|
-        unknown_tag(end_tag_name, parse_context) if end_tag_name
+    attr_reader :parse_context, :body
+
+    def initialize(parse_context)
+      @parse_context = parse_context
+      @body = new_body
+    end
+
+    def nodelist
+      @body.nodelist
+    end
+
+    def parse(tokenizer, parse_context)
+      while parse_body(tokenizer)
       end
+      @body.freeze
     rescue SyntaxError => e
       e.line_number ||= parse_context.line_number
       raise
     end
 
-    def unknown_tag(tag, parse_context)
+    def unknown_tag(tag, _markup, _tokenizer)
       case tag
-      when 'else'.freeze, 'end'.freeze
-        raise SyntaxError.new(parse_context.locale.t("errors.syntax.unexpected_outer_tag".freeze, tag: tag))
+      when 'else', 'end'
+        raise SyntaxError, parse_context.locale.t("errors.syntax.unexpected_outer_tag", tag: tag)
       else
-        raise SyntaxError.new(parse_context.locale.t("errors.syntax.unknown_tag".freeze, tag: tag))
+        raise SyntaxError, parse_context.locale.t("errors.syntax.unknown_tag", tag: tag)
+      end
+    end
+
+    def render_to_output_buffer(context, output)
+      @body.render_to_output_buffer(context, output)
+    end
+
+    def render(context)
+      render_to_output_buffer(context, +'')
+    end
+
+    private
+
+    def new_body
+      parse_context.new_block_body
+    end
+
+    def parse_body(tokenizer)
+      @body.parse(tokenizer, parse_context) do |unknown_tag_name, unknown_tag_markup|
+        if unknown_tag_name
+          unknown_tag(unknown_tag_name, unknown_tag_markup, tokenizer)
+          true
+        else
+          false
+        end
       end
     end
   end

data/lib/liquid/drop.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'set'
 
 module Liquid
@@ -25,7 +27,7 @@ module Liquid
 
     # Catch all for the method
     def liquid_method_missing(method)
-      return nil unless @context && @context.strict_variables
+      return nil unless @context&.strict_variables
       raise Liquid::UndefinedDropMethod, "undefined method #{method}"
     end
 
@@ -67,7 +69,7 @@ module Liquid
 
         if include?(Enumerable)
           blacklist += Enumerable.public_instance_methods
-          blacklist -= [:sort, :count, :first, :min, :max, :include?]
+          blacklist -= [:sort, :count, :first, :min, :max]
         end
 
         whitelist = [:to_liquid] + (public_instance_methods - blacklist)

data/lib/liquid/errors.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Liquid
   class Error < ::StandardError
     attr_accessor :line_number
@@ -5,7 +7,7 @@ module Liquid
     attr_accessor :markup_context
 
     def to_s(with_prefix = true)
-      str = ""
+      str = +""
       str << message_prefix if with_prefix
       str << super()
 
@@ -20,11 +22,11 @@ module Liquid
     private
 
     def message_prefix
-      str = ""
-      if is_a?(SyntaxError)
-        str << "Liquid syntax error"
+      str = +""
+      str << if is_a?(SyntaxError)
+        "Liquid syntax error"
       else
-        str << "Liquid error"
+        "Liquid error"
       end
 
       if line_number
@@ -38,19 +40,19 @@ module Liquid
     end
   end
 
-  ArgumentError = Class.new(Error)
-  ContextError = Class.new(Error)
-  FileSystemError = Class.new(Error)
-  StandardError = Class.new(Error)
-  SyntaxError = Class.new(Error)
-  StackLevelError = Class.new(Error)
-  TaintedError = Class.new(Error)
-  MemoryError = Class.new(Error)
-  ZeroDivisionError = Class.new(Error)
-  FloatDomainError = Class.new(Error)
-  UndefinedVariable = Class.new(Error)
+  ArgumentError       = Class.new(Error)
+  ContextError        = Class.new(Error)
+  FileSystemError     = Class.new(Error)
+  StandardError       = Class.new(Error)
+  SyntaxError         = Class.new(Error)
+  StackLevelError     = Class.new(Error)
+  MemoryError         = Class.new(Error)
+  ZeroDivisionError   = Class.new(Error)
+  FloatDomainError    = Class.new(Error)
+  UndefinedVariable   = Class.new(Error)
   UndefinedDropMethod = Class.new(Error)
-  UndefinedFilter = Class.new(Error)
+  UndefinedFilter     = Class.new(Error)
   MethodOverrideError = Class.new(Error)
-  InternalError = Class.new(Error)
+  DisabledError       = Class.new(Error)
+  InternalError       = Class.new(Error)
 end

data/lib/liquid/expression.rb

@@ -1,45 +1,41 @@
+# frozen_string_literal: true
+
 module Liquid
   class Expression
-    class MethodLiteral
-      attr_reader :method_name, :to_s
-
-      def initialize(method_name, to_s)
-        @method_name = method_name
-        @to_s = to_s
-      end
-
-      def to_liquid
-        to_s
-      end
-    end
-
     LITERALS = {
-      nil => nil, 'nil'.freeze => nil, 'null'.freeze => nil, ''.freeze => nil,
-      'true'.freeze  => true,
-      'false'.freeze => false,
-      'blank'.freeze => MethodLiteral.new(:blank?, '').freeze,
-      'empty'.freeze => MethodLiteral.new(:empty?, '').freeze
-    }
+      nil => nil, 'nil' => nil, 'null' => nil, '' => nil,
+      'true' => true,
+      'false' => false,
+      'blank' => '',
+      'empty' => ''
+    }.freeze
 
-    SINGLE_QUOTED_STRING = /\A'(.*)'\z/m
-    DOUBLE_QUOTED_STRING = /\A"(.*)"\z/m
     INTEGERS_REGEX       = /\A(-?\d+)\z/
     FLOATS_REGEX         = /\A(-?\d[\d\.]+)\z/
-    RANGES_REGEX         = /\A\((\S+)\.\.(\S+)\)\z/
+
+    # Use an atomic group (?>...) to avoid pathological backtracing from
+    # malicious input as described in https://github.com/Shopify/liquid/issues/1357
+    RANGES_REGEX         = /\A\(\s*(?>(\S+)\s*\.\.)\s*(\S+)\s*\)\z/
 
     def self.parse(markup)
-      if LITERALS.key?(markup)
-        LITERALS[markup]
+      return nil unless markup
+
+      markup = markup.strip
+      if (markup.start_with?('"') && markup.end_with?('"')) ||
+         (markup.start_with?("'") && markup.end_with?("'"))
+        return markup[1..-2]
+      end
+
+      case markup
+      when INTEGERS_REGEX
+        Regexp.last_match(1).to_i
+      when RANGES_REGEX
+        RangeLookup.parse(Regexp.last_match(1), Regexp.last_match(2))
+      when FLOATS_REGEX
+        Regexp.last_match(1).to_f
       else
-        case markup
-        when SINGLE_QUOTED_STRING, DOUBLE_QUOTED_STRING
-          $1
-        when INTEGERS_REGEX
-          $1.to_i
-        when RANGES_REGEX
-          RangeLookup.parse($1, $2)
-        when FLOATS_REGEX
-          $1.to_f
+        if LITERALS.key?(markup)
+          LITERALS[markup]
         else
           VariableLookup.parse(markup)
         end

data/lib/liquid/extensions.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'time'
 require 'date'
 

data/lib/liquid/file_system.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Liquid
   # A Liquid file system is a way to let your templates retrieve other templates for use with the include tag.
   #
@@ -44,8 +46,8 @@ module Liquid
   class LocalFileSystem
     attr_accessor :root
 
-    def initialize(root, pattern = "_%s.liquid".freeze)
-      @root = root
+    def initialize(root, pattern = "_%s.liquid")
+      @root    = root
       @pattern = pattern
     end
 
@@ -57,9 +59,9 @@ module Liquid
     end
 
     def full_path(template_path)
-      raise FileSystemError, "Illegal template name '#{template_path}'" unless template_path =~ /\A[^.\/][a-zA-Z0-9_\/]+\z/
+      raise FileSystemError, "Illegal template name '#{template_path}'" unless %r{\A[^./][a-zA-Z0-9_/]+\z}.match?(template_path)
 
-      full_path = if template_path.include?('/'.freeze)
+      full_path = if template_path.include?('/')
         File.join(root, File.dirname(template_path), @pattern % File.basename(template_path))
       else
         File.join(root, @pattern % template_path)