liquid 4.0.3 → 5.1.0

data/lib/liquid/context.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Liquid
   # Context keeps the variable stack and resolves variables, as well as keywords
   #
@@ -12,37 +14,49 @@ module Liquid
   #
   #   context['bob']  #=> nil  class Context
   class Context
-    attr_reader :scopes, :errors, :registers, :environments, :resource_limits
+    attr_reader :scopes, :errors, :registers, :environments, :resource_limits, :static_registers, :static_environments
     attr_accessor :exception_renderer, :template_name, :partial, :global_filter, :strict_variables, :strict_filters
 
-    def initialize(environments = {}, outer_scope = {}, registers = {}, rethrow_errors = false, resource_limits = nil)
-      @environments     = [environments].flatten
-      @scopes           = [(outer_scope || {})]
-      @registers        = registers
-      @errors           = []
-      @partial          = false
-      @strict_variables = false
-      @resource_limits  = resource_limits || ResourceLimits.new(Template.default_resource_limits)
-      squash_instance_assigns_with_environments
+    # rubocop:disable Metrics/ParameterLists
+    def self.build(environments: {}, outer_scope: {}, registers: {}, rethrow_errors: false, resource_limits: nil, static_environments: {}, &block)
+      new(environments, outer_scope, registers, rethrow_errors, resource_limits, static_environments, &block)
+    end
 
-      @this_stack_used = false
+    def initialize(environments = {}, outer_scope = {}, registers = {}, rethrow_errors = false, resource_limits = nil, static_environments = {})
+      @environments = [environments]
+      @environments.flatten!
+
+      @static_environments = [static_environments].flat_map(&:freeze).freeze
+      @scopes              = [(outer_scope || {})]
+      @registers           = registers
+      @errors              = []
+      @partial             = false
+      @strict_variables    = false
+      @resource_limits     = resource_limits || ResourceLimits.new(Template.default_resource_limits)
+      @base_scope_depth    = 0
+      @interrupts          = []
+      @filters             = []
+      @global_filter       = nil
+      @disabled_tags       = {}
 
       self.exception_renderer = Template.default_exception_renderer
       if rethrow_errors
-        self.exception_renderer = ->(e) { raise }
+        self.exception_renderer = Liquid::RAISE_EXCEPTION_LAMBDA
       end
 
-      @interrupts = []
-      @filters = []
-      @global_filter = nil
+      yield self if block_given?
+
+      # Do this last, since it could result in this object being passed to a Proc in the environment
+      squash_instance_assigns_with_environments
     end
+    # rubocop:enable Metrics/ParameterLists
 
     def warnings
       @warnings ||= []
     end
 
     def strainer
-      @strainer ||= Strainer.create(self, @filters)
+      @strainer ||= StrainerFactory.create(self, @filters)
     end
 
     # Adds filters to this context.
@@ -77,7 +91,7 @@ module Liquid
     def handle_error(e, line_number = nil)
       e = internal_error unless e.is_a?(Liquid::Error)
       e.template_name ||= template_name
-      e.line_number ||= line_number
+      e.line_number   ||= line_number
       errors.push(e)
       exception_renderer.call(e).to_s
     end
@@ -89,7 +103,7 @@ module Liquid
     # Push new local scope on the stack. use <tt>Context#stack</tt> instead
     def push(new_scope = {})
       @scopes.unshift(new_scope)
-      raise StackLevelError, "Nesting too deep".freeze if @scopes.length > Block::MAX_DEPTH
+      check_overflow
     end
 
     # Merge a hash of variables in the current local scope
@@ -110,20 +124,32 @@ module Liquid
     #      context['var'] = 'hi'
     #   end
     #
-    #   context['var]  #=> nil
-    def stack(new_scope = nil)
-      old_stack_used = @this_stack_used
-      if new_scope
-        push(new_scope)
-        @this_stack_used = true
-      else
-        @this_stack_used = false
-      end
-
+    #   context['var']  #=> nil
+    def stack(new_scope = {})
+      push(new_scope)
       yield
     ensure
-      pop if @this_stack_used
-      @this_stack_used = old_stack_used
+      pop
+    end
+
+    # Creates a new context inheriting resource limits, filters, environment etc.,
+    # but with an isolated scope.
+    def new_isolated_subcontext
+      check_overflow
+
+      self.class.build(
+        resource_limits: resource_limits,
+        static_environments: static_environments,
+        registers: StaticRegisters.new(registers)
+      ).tap do |subcontext|
+        subcontext.base_scope_depth   = base_scope_depth + 1
+        subcontext.exception_renderer = exception_renderer
+        subcontext.filters  = @filters
+        subcontext.strainer = nil
+        subcontext.errors   = errors
+        subcontext.warnings = warnings
+        subcontext.disabled_tags = @disabled_tags
+      end
     end
 
     def clear_instance_assigns
@@ -132,10 +158,6 @@ module Liquid
 
     # Only allow String, Numeric, Hash, Array, Proc, Boolean or <tt>Liquid::Drop</tt>
     def []=(key, value)
-      unless @this_stack_used
-        @this_stack_used = true
-        push({})
-      end
       @scopes[0][key] = value
     end
 
@@ -164,26 +186,14 @@ module Liquid
       # This was changed from find() to find_index() because this is a very hot
       # path and find_index() is optimized in MRI to reduce object allocation
       index = @scopes.find_index { |s| s.key?(key) }
-      scope = @scopes[index] if index
-
-      variable = nil
 
-      if scope.nil?
-        @environments.each do |e|
-          variable = lookup_and_evaluate(e, key, raise_on_not_found: raise_on_not_found)
-          # When lookup returned a value OR there is no value but the lookup also did not raise
-          # then it is the value we are looking for.
-          if !variable.nil? || @strict_variables && raise_on_not_found
-            scope = e
-            break
-          end
-        end
+      variable = if index
+        lookup_and_evaluate(@scopes[index], key, raise_on_not_found: raise_on_not_found)
+      else
+        try_variable_find_in_environments(key, raise_on_not_found: raise_on_not_found)
       end
 
-      scope ||= @environments.last || @scopes.last
-      variable ||= lookup_and_evaluate(scope, key, raise_on_not_found: raise_on_not_found)
-
-      variable = variable.to_liquid
+      variable         = variable.to_liquid
       variable.context = self if variable.respond_to?(:context=)
 
       variable
@@ -197,14 +207,59 @@ module Liquid
       value = obj[key]
 
       if value.is_a?(Proc) && obj.respond_to?(:[]=)
-        obj[key] = (value.arity == 0) ? value.call : value.call(self)
+        obj[key] = value.arity == 0 ? value.call : value.call(self)
       else
         value
       end
     end
 
+    def with_disabled_tags(tag_names)
+      tag_names.each do |name|
+        @disabled_tags[name] = @disabled_tags.fetch(name, 0) + 1
+      end
+      yield
+    ensure
+      tag_names.each do |name|
+        @disabled_tags[name] -= 1
+      end
+    end
+
+    def tag_disabled?(tag_name)
+      @disabled_tags.fetch(tag_name, 0) > 0
+    end
+
+    protected
+
+    attr_writer :base_scope_depth, :warnings, :errors, :strainer, :filters, :disabled_tags
+
     private
 
+    attr_reader :base_scope_depth
+
+    def try_variable_find_in_environments(key, raise_on_not_found:)
+      @environments.each do |environment|
+        found_variable = lookup_and_evaluate(environment, key, raise_on_not_found: raise_on_not_found)
+        if !found_variable.nil? || @strict_variables && raise_on_not_found
+          return found_variable
+        end
+      end
+      @static_environments.each do |environment|
+        found_variable = lookup_and_evaluate(environment, key, raise_on_not_found: raise_on_not_found)
+        if !found_variable.nil? || @strict_variables && raise_on_not_found
+          return found_variable
+        end
+      end
+      nil
+    end
+
+    def check_overflow
+      raise StackLevelError, "Nesting too deep" if overflow?
+    end
+
+    def overflow?
+      base_scope_depth + @scopes.length > Block::MAX_DEPTH
+    end
+
     def internal_error
       # raise and catch to set backtrace and cause on exception
       raise Liquid::InternalError, 'internal'

data/lib/liquid/document.rb

@@ -1,26 +1,64 @@
+# frozen_string_literal: true
+
 module Liquid
-  class Document < BlockBody
+  class Document
     def self.parse(tokens, parse_context)
-      doc = new
+      doc = new(parse_context)
       doc.parse(tokens, parse_context)
       doc
     end
 
-    def parse(tokens, parse_context)
-      super do |end_tag_name, end_tag_params|
-        unknown_tag(end_tag_name, parse_context) if end_tag_name
+    attr_reader :parse_context, :body
+
+    def initialize(parse_context)
+      @parse_context = parse_context
+      @body = new_body
+    end
+
+    def nodelist
+      @body.nodelist
+    end
+
+    def parse(tokenizer, parse_context)
+      while parse_body(tokenizer)
       end
+      @body.freeze
     rescue SyntaxError => e
       e.line_number ||= parse_context.line_number
       raise
     end
 
-    def unknown_tag(tag, parse_context)
+    def unknown_tag(tag, _markup, _tokenizer)
       case tag
-      when 'else'.freeze, 'end'.freeze
-        raise SyntaxError.new(parse_context.locale.t("errors.syntax.unexpected_outer_tag".freeze, tag: tag))
+      when 'else', 'end'
+        raise SyntaxError, parse_context.locale.t("errors.syntax.unexpected_outer_tag", tag: tag)
       else
-        raise SyntaxError.new(parse_context.locale.t("errors.syntax.unknown_tag".freeze, tag: tag))
+        raise SyntaxError, parse_context.locale.t("errors.syntax.unknown_tag", tag: tag)
+      end
+    end
+
+    def render_to_output_buffer(context, output)
+      @body.render_to_output_buffer(context, output)
+    end
+
+    def render(context)
+      render_to_output_buffer(context, +'')
+    end
+
+    private
+
+    def new_body
+      parse_context.new_block_body
+    end
+
+    def parse_body(tokenizer)
+      @body.parse(tokenizer, parse_context) do |unknown_tag_name, unknown_tag_markup|
+        if unknown_tag_name
+          unknown_tag(unknown_tag_name, unknown_tag_markup, tokenizer)
+          true
+        else
+          false
+        end
       end
     end
   end

data/lib/liquid/drop.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'set'
 
 module Liquid
@@ -25,7 +27,7 @@ module Liquid
 
     # Catch all for the method
     def liquid_method_missing(method)
-      return nil unless @context && @context.strict_variables
+      return nil unless @context&.strict_variables
       raise Liquid::UndefinedDropMethod, "undefined method #{method}"
     end
 
@@ -67,7 +69,7 @@ module Liquid
 
         if include?(Enumerable)
           blacklist += Enumerable.public_instance_methods
-          blacklist -= [:sort, :count, :first, :min, :max, :include?]
+          blacklist -= [:sort, :count, :first, :min, :max]
         end
 
         whitelist = [:to_liquid] + (public_instance_methods - blacklist)

data/lib/liquid/errors.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Liquid
   class Error < ::StandardError
     attr_accessor :line_number
@@ -5,7 +7,7 @@ module Liquid
     attr_accessor :markup_context
 
     def to_s(with_prefix = true)
-      str = ""
+      str = +""
       str << message_prefix if with_prefix
       str << super()
 
@@ -20,11 +22,11 @@ module Liquid
     private
 
     def message_prefix
-      str = ""
-      if is_a?(SyntaxError)
-        str << "Liquid syntax error"
+      str = +""
+      str << if is_a?(SyntaxError)
+        "Liquid syntax error"
       else
-        str << "Liquid error"
+        "Liquid error"
       end
 
       if line_number
@@ -38,19 +40,19 @@ module Liquid
     end
   end
 
-  ArgumentError = Class.new(Error)
-  ContextError = Class.new(Error)
-  FileSystemError = Class.new(Error)
-  StandardError = Class.new(Error)
-  SyntaxError = Class.new(Error)
-  StackLevelError = Class.new(Error)
-  TaintedError = Class.new(Error)
-  MemoryError = Class.new(Error)
-  ZeroDivisionError = Class.new(Error)
-  FloatDomainError = Class.new(Error)
-  UndefinedVariable = Class.new(Error)
+  ArgumentError       = Class.new(Error)
+  ContextError        = Class.new(Error)
+  FileSystemError     = Class.new(Error)
+  StandardError       = Class.new(Error)
+  SyntaxError         = Class.new(Error)
+  StackLevelError     = Class.new(Error)
+  MemoryError         = Class.new(Error)
+  ZeroDivisionError   = Class.new(Error)
+  FloatDomainError    = Class.new(Error)
+  UndefinedVariable   = Class.new(Error)
   UndefinedDropMethod = Class.new(Error)
-  UndefinedFilter = Class.new(Error)
+  UndefinedFilter     = Class.new(Error)
   MethodOverrideError = Class.new(Error)
-  InternalError = Class.new(Error)
+  DisabledError       = Class.new(Error)
+  InternalError       = Class.new(Error)
 end

data/lib/liquid/expression.rb

@@ -1,45 +1,40 @@
+# frozen_string_literal: true
+
 module Liquid
   class Expression
-    class MethodLiteral
-      attr_reader :method_name, :to_s
-
-      def initialize(method_name, to_s)
-        @method_name = method_name
-        @to_s = to_s
-      end
-
-      def to_liquid
-        to_s
-      end
-    end
-
     LITERALS = {
-      nil => nil, 'nil'.freeze => nil, 'null'.freeze => nil, ''.freeze => nil,
-      'true'.freeze  => true,
-      'false'.freeze => false,
-      'blank'.freeze => MethodLiteral.new(:blank?, '').freeze,
-      'empty'.freeze => MethodLiteral.new(:empty?, '').freeze
+      nil => nil, 'nil' => nil, 'null' => nil, '' => nil,
+      'true' => true,
+      'false' => false,
+      'blank' => '',
+      'empty' => ''
     }.freeze
 
-    SINGLE_QUOTED_STRING = /\A'(.*)'\z/m
-    DOUBLE_QUOTED_STRING = /\A"(.*)"\z/m
-    INTEGERS_REGEX       = /\A(-?\d+)\z/
-    FLOATS_REGEX         = /\A(-?\d[\d\.]+)\z/
-    RANGES_REGEX         = /\A\((\S+)\.\.(\S+)\)\z/
+    SINGLE_QUOTED_STRING = /\A\s*'(.*)'\s*\z/m
+    DOUBLE_QUOTED_STRING = /\A\s*"(.*)"\s*\z/m
+    INTEGERS_REGEX       = /\A\s*(-?\d+)\s*\z/
+    FLOATS_REGEX         = /\A\s*(-?\d[\d\.]+)\s*\z/
+
+    # Use an atomic group (?>...) to avoid pathological backtracing from
+    # malicious input as described in https://github.com/Shopify/liquid/issues/1357
+    RANGES_REGEX         = /\A\s*\(\s*(?>(\S+)\s*\.\.)\s*(\S+)\s*\)\s*\z/
 
     def self.parse(markup)
-      if LITERALS.key?(markup)
-        LITERALS[markup]
+      case markup
+      when nil
+        nil
+      when SINGLE_QUOTED_STRING, DOUBLE_QUOTED_STRING
+        Regexp.last_match(1)
+      when INTEGERS_REGEX
+        Regexp.last_match(1).to_i
+      when RANGES_REGEX
+        RangeLookup.parse(Regexp.last_match(1), Regexp.last_match(2))
+      when FLOATS_REGEX
+        Regexp.last_match(1).to_f
       else
-        case markup
-        when SINGLE_QUOTED_STRING, DOUBLE_QUOTED_STRING
-          $1
-        when INTEGERS_REGEX
-          $1.to_i
-        when RANGES_REGEX
-          RangeLookup.parse($1, $2)
-        when FLOATS_REGEX
-          $1.to_f
+        markup = markup.strip
+        if LITERALS.key?(markup)
+          LITERALS[markup]
         else
           VariableLookup.parse(markup)
         end

data/lib/liquid/extensions.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'time'
 require 'date'
 

data/lib/liquid/file_system.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Liquid
   # A Liquid file system is a way to let your templates retrieve other templates for use with the include tag.
   #
@@ -44,8 +46,8 @@ module Liquid
   class LocalFileSystem
     attr_accessor :root
 
-    def initialize(root, pattern = "_%s.liquid".freeze)
-      @root = root
+    def initialize(root, pattern = "_%s.liquid")
+      @root    = root
       @pattern = pattern
     end
 
@@ -57,9 +59,9 @@ module Liquid
     end
 
     def full_path(template_path)
-      raise FileSystemError, "Illegal template name '#{template_path}'" unless template_path =~ /\A[^.\/][a-zA-Z0-9_\/]+\z/
+      raise FileSystemError, "Illegal template name '#{template_path}'" unless %r{\A[^./][a-zA-Z0-9_/]+\z}.match?(template_path)
 
-      full_path = if template_path.include?('/'.freeze)
+      full_path = if template_path.include?('/')
         File.join(root, File.dirname(template_path), @pattern % File.basename(template_path))
       else
         File.join(root, @pattern % template_path)

data/lib/liquid/forloop_drop.rb

@@ -1,13 +1,20 @@
+# frozen_string_literal: true
+
 module Liquid
   class ForloopDrop < Drop
     def initialize(name, length, parentloop)
-      @name = name
-      @length = length
+      @name       = name
+      @length     = length
       @parentloop = parentloop
-      @index = 0
+      @index      = 0
     end
 
-    attr_reader :name, :length, :parentloop
+    attr_reader :length, :parentloop
+
+    def name
+      Usage.increment('forloop_drop_name')
+      @name
+    end
 
     def index
       @index + 1

data/lib/liquid/i18n.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'yaml'
 
 module Liquid
@@ -26,13 +28,13 @@ module Liquid
     def interpolate(name, vars)
       name.gsub(/%\{(\w+)\}/) do
         # raise TranslationError, "Undefined key #{$1} for interpolation in translation #{name}"  unless vars[$1.to_sym]
-        (vars[$1.to_sym]).to_s
+        (vars[Regexp.last_match(1).to_sym]).to_s
       end
     end
 
     def deep_fetch_translation(name)
-      name.split('.'.freeze).reduce(locale) do |level, cur|
-        level[cur] or raise TranslationError, "Translation for #{name} does not exist in locale #{path}"
+      name.split('.').reduce(locale) do |level, cur|
+        level[cur] || raise(TranslationError, "Translation for #{name} does not exist in locale #{path}")
       end
     end
   end

data/lib/liquid/interrupts.rb

@@ -1,10 +1,12 @@
+# frozen_string_literal: true
+
 module Liquid
   # An interrupt is any command that breaks processing of a block (ex: a for loop).
   class Interrupt
     attr_reader :message
 
     def initialize(message = nil)
-      @message = message || "interrupt".freeze
+      @message = message || "interrupt"
     end
   end
 

data/lib/liquid/lexer.rb

@@ -1,24 +1,26 @@
+# frozen_string_literal: true
+
 require "strscan"
 module Liquid
   class Lexer
     SPECIALS = {
-      '|'.freeze => :pipe,
-      '.'.freeze => :dot,
-      ':'.freeze => :colon,
-      ','.freeze => :comma,
-      '['.freeze => :open_square,
-      ']'.freeze => :close_square,
-      '('.freeze => :open_round,
-      ')'.freeze => :close_round,
-      '?'.freeze => :question,
-      '-'.freeze => :dash
+      '|' => :pipe,
+      '.' => :dot,
+      ':' => :colon,
+      ',' => :comma,
+      '[' => :open_square,
+      ']' => :close_square,
+      '(' => :open_round,
+      ')' => :close_round,
+      '?' => :question,
+      '-' => :dash,
     }.freeze
-    IDENTIFIER = /[a-zA-Z_][\w-]*\??/
+    IDENTIFIER            = /[a-zA-Z_][\w-]*\??/
     SINGLE_STRING_LITERAL = /'[^\']*'/
     DOUBLE_STRING_LITERAL = /"[^\"]*"/
-    NUMBER_LITERAL = /-?\d+(\.\d+)?/
-    DOTDOT = /\.\./
-    COMPARISON_OPERATOR = /==|!=|<>|<=?|>=?|contains(?=\s)/
+    NUMBER_LITERAL        = /-?\d+(\.\d+)?/
+    DOTDOT                = /\.\./
+    COMPARISON_OPERATOR   = /==|!=|<>|<=?|>=?|contains(?=\s)/
     WHITESPACE_OR_NOTHING = /\s*/
 
     def initialize(input)
@@ -31,16 +33,21 @@ module Liquid
       until @ss.eos?
         @ss.skip(WHITESPACE_OR_NOTHING)
         break if @ss.eos?
-        tok = case
-        when t = @ss.scan(COMPARISON_OPERATOR) then [:comparison, t]
-        when t = @ss.scan(SINGLE_STRING_LITERAL) then [:string, t]
-        when t = @ss.scan(DOUBLE_STRING_LITERAL) then [:string, t]
-        when t = @ss.scan(NUMBER_LITERAL) then [:number, t]
-        when t = @ss.scan(IDENTIFIER) then [:id, t]
-        when t = @ss.scan(DOTDOT) then [:dotdot, t]
+        tok      = if (t = @ss.scan(COMPARISON_OPERATOR))
+          [:comparison, t]
+        elsif (t = @ss.scan(SINGLE_STRING_LITERAL))
+          [:string, t]
+        elsif (t = @ss.scan(DOUBLE_STRING_LITERAL))
+          [:string, t]
+        elsif (t = @ss.scan(NUMBER_LITERAL))
+          [:number, t]
+        elsif (t = @ss.scan(IDENTIFIER))
+          [:id, t]
+        elsif (t = @ss.scan(DOTDOT))
+          [:dotdot, t]
         else
-          c = @ss.getch
-          if s = SPECIALS[c]
+          c     = @ss.getch
+          if (s = SPECIALS[c])
             [s, c]
           else
             raise SyntaxError, "Unexpected character #{c}"

data/lib/liquid/locales/en.yml

@@ -20,7 +20,9 @@
       tag_termination: "Tag '%{token}' was not properly terminated with regexp: %{tag_end}"
       variable_termination: "Variable '%{token}' was not properly terminated with regexp: %{tag_end}"
       tag_never_closed: "'%{block_name}' tag was never closed"
-      meta_syntax_error: "Liquid syntax error: #{e.message}"
       table_row: "Syntax Error in 'table_row loop' - Valid syntax: table_row [item] in [collection] cols=3"
+      render: "Syntax error in tag 'render' - Template name must be a quoted string"
     argument:
       include: "Argument error in tag 'include' - Illegal template name"
+    disabled:
+      tag: "usage is not allowed in this context"