orb_template 0.1.3 → 0.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f1c41f096022c85642d784cf67913242d442b713ea80a785d7376fd46e0adda9
-  data.tar.gz: a33ad24ce2430324227c420f96621567a1dd8c26edd7af19756cc46d7c154fbd
+  metadata.gz: 0231005def8767c0efd2cb24b0efcb03b83b469f4760c5e3fcbaf262344c296e
+  data.tar.gz: c086ac14ba16300c36f7f0d39f02c426ca4ff568ef61cde48dfa91df3b433391
 SHA512:
-  metadata.gz: 1545224be64f1acd55ab9b027831197828cca8bf39e9c5de03b0b50b5fd80ebc85595a27519ec365ac206b7413cba293455f0335735fe20c1ef35c4b1db4deda
-  data.tar.gz: c8021731696a98c2737dc8e62903b5fefefb1f6b837109165a02500ae0a42cfa0a675849837fe2ebdfe43defee1b543510b0489aa38eb7a52438e44a2548f7c2
+  metadata.gz: 168996b1d44310ecffbf9ecb8e24b1a550b45b13b8110e80060b164d7175b2ecf623aa2e7d4b9da550378f7fb39f0862b85593844c9e8dff5936344dc376b9eb
+  data.tar.gz: 826c5078e0941e8874f1c70527b0ee967c900be19d1e520d4768601f5086b1d107b7655ec9d534868aa4e11abb488b5cfce7a2f9cc7b1506561849bca53ab19f

data/CHANGELOG.md

@@ -1,5 +1,75 @@
 ## [Unreleased]
 
+## [0.2.2] - 2026-03-13
+
+### Fixed
+
+- Tuple destructuring in `:for` expressions now works correctly (e.g., `{#for name, spec in @tokens}`)
+
+### Performance
+
+- **33% faster** compilation pipeline for realistic templates, up to **52% faster** for expression-heavy templates
+- Removed Temple `StaticAnalyzer` filter from engine pipeline -- ORB never emits static expressions as `:dynamic` nodes, so Ripper lexing/parsing on every dynamic node was pure overhead
+- Boolean attributes now emit `[:static, ""]` directly instead of `[:dynamic, "nil"]`, avoiding unnecessary Ripper analysis
+- Cached `block?`/`end?` regex results in expression node constructors (computed once instead of on every call)
+- Optimized `Identity.generate` with direct string interpolation instead of array/compact/join
+- Lazy-initialized `@errors` on AST nodes, saving one array allocation per node
+- Removed unused `context={}` parameter from all compiler transform methods, eliminating hash allocation per recursive call
+- Added single-pass `compile_captures_and_args` to `AttributesCompiler`, reducing double iteration over attributes
+- Optimized `Token` constructor to avoid `method_missing` overhead and skip hash merge for common no-meta case
+- Tokenizer: replaced per-call `StringScanner` allocation in `move_by` with `String#count`/`rindex`
+- Tokenizer: switched from `StringIO` to `String` buffer with swap-on-consume pattern
+- Tokenizer: added greedy multi-character scanning patterns for bulk text consumption in 9 tokenizer states
+
+### Added
+
+- Benchmark test suite (`test/benchmark_test.rb`) with 8 template categories, per-template regression thresholds, stage-level profiling, and Temple IR node count tracking
+
+## [0.2.0] - 2026-03-12
+
+### Security
+
+- **CRITICAL**: Prevent code injection via `:for` directive by validating enumerator as a Ruby identifier and rejecting semicolons in collection expressions (`lib/orb/temple/filters.rb`)
+- **HIGH**: Escape dynamic attribute expressions to prevent XSS via unescaped attribute values (`lib/orb/temple/attributes_compiler.rb`)
+- **HIGH**: Validate `:with` directive values as valid Ruby identifiers to prevent code injection in component and slot blocks (`lib/orb/temple/filters.rb`)
+- **HIGH**: Validate dynamic HTML tag names against a strict pattern to prevent code injection through crafted tag names (`lib/orb/temple/filters.rb`)
+- **HIGH**: Validate component names as valid Ruby constant paths before interpolation into generated code (`lib/orb/temple/filters.rb`)
+- **HIGH**: Validate slot names as valid Ruby identifiers before interpolation into `with_` method calls (`lib/orb/temple/filters.rb`)
+- **MEDIUM**: Add maximum brace nesting depth (100) in tokenizer to prevent stack overflow / memory exhaustion from deeply nested expressions (`lib/orb/tokenizer2.rb`)
+- **MEDIUM**: Use `String#inspect` instead of `%q[]` for error message interpolation to prevent delimiter escape attacks (`lib/orb/temple/compiler.rb`)
+- **MEDIUM**: Restrict attribute name pattern to valid HTML attribute characters, preventing injection via malformed attribute names (`lib/orb/patterns.rb`)
+- **LOW**: Add maximum template size limit (2MB) to prevent denial-of-service via oversized templates (`lib/orb/tokenizer2.rb`)
+
+### Breaking Changes
+
+- Component names are now validated against `VALID_COMPONENT_NAME` (`/\A[A-Z]\w*(::[A-Z]\w*)*\z/`). Components with non-standard names will raise `ORB::SyntaxError`.
+
+### Documentation
+
+- Added security analysis report (`docs/2026-03-12-security-analysis.md`)
+- Updated README with security information
+
+## [0.1.3] - 2026-02-06
+
+### Fixed
+
+- Components with splat attributes incorrectly rendering as plain HTML tags instead of the component
+
+## [0.1.2] - 2026-01-30
+
+### Added
+
+- Support for splat expressions on HTML elements and components
+
+### Changed
+
+- Improved error display in the Rails web console
+
+### Documentation
+
+- Spelling and wording corrections in README
+- Fixed code examples in README
+
 ## [0.1.1] - 2025-11-28
 
 ### Changed

data/README.md

@@ -389,6 +389,7 @@ To enable `Tailwindcss` support for ORB, add this to your `settings.json`:
   - [x] `:for` directive
   - [x] verbatim tags
   - [x] ensure output safety and proper escaping of output
+  - [x] security review and hardening of compilation pipeline
   - [x] track locations (start_line, start_col, end_line, end_col) for Tokens and AST Nodes to support better error output
   - [x] make Lexer, Parser, Compiler robust to malformed input (e.g., unclosed tags)
   - [ ] emit an warning/error when void tags contain children
@@ -406,16 +407,31 @@ To enable `Tailwindcss` support for ORB, add this to your `settings.json`:
   - [ ] full YARD-compatible documentation of the library
 - [ ] **Step 3: Make it fast**
   - [x] convert Lexer code to `StringScanner`
-  - [ ] create benchmark suite to establish baseline
+  - [x] create benchmark suite to establish baseline
   - [ ] possibly merge lexer states through more intelligent look-ahead
-  - [ ] optimize AST Parser
-  - [ ] optimize Compiler
+  - [x] optimize AST Parser
+  - [x] optimize Compiler
 - [ ] **Step 4: Evolve**
   - [ ] support additional directives, for instance, `Turbo` or `Stimulus` specific directives
   - [ ] support additional block constructs
   - [ ] support additional language constructs
+  - [ ] replace `OpenStruct`-based `RenderContext` with a `BasicObject` subclass to reduce attack surface
+  - [ ] fuzz testing of tokenizer and parser for edge case discovery
+  - [ ] Brakeman integration with custom rules to flag unsafe ORB patterns
+  - [ ] tighten `TAG_NAME` pattern at the tokenizer level as defense-in-depth
 
-> This library is in beta stage and demonstrates the technical aspects of a custom DSL for rendering ViewComponent objects in an HTML-like manner. It is meant as a kick-off point for further discussion on the definition and implementation of the template language. It may contain critical bugs that could compromise the security and integrity of your application. Additionally, the API and DSL are likely to change as the library evolves to a stable state. Don't say we didn't warn you!
+## Security
+
+ORB follows the same trust model as ERB, HAML, and SLIM: templates are developer-authored and loaded from the filesystem. **Never construct ORB templates from user input.**
+
+The compilation pipeline has been hardened against code injection, XSS, and denial-of-service attacks:
+
+- All values interpolated into generated Ruby code (`:for` expressions, `:with` directives, tag names, component names, slot names) are validated against strict patterns before interpolation.
+- Dynamic attribute values (`class={expr}`) are HTML-escaped at render time, matching the escaping behavior of printing expressions (`{{expr}}`).
+- Attribute names are restricted to valid HTML spec characters.
+- Resource limits are enforced: maximum brace nesting depth (100) and maximum template size (2MB).
+
+For details, see [`docs/2026-03-12-security-analysis.md`](docs/2026-03-12-security-analysis.md).
 
 ## Development