tiny_template 0.0.1 → 0.0.2

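--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: e5ede3dedd284a99cf689b33fd15498ba93343b3
-data.tar.gz: 0193eb19023980520cad7bd2e0c817ee5217c3d6
+metadata.gz: 02066fa4c22f30cfd0587243bfb37df1a265571e
+data.tar.gz: 1fea1f8d41621846a5b7be46899fd75aac65a917
 SHA512:
-metadata.gz: 9909cd0fd8bb5ca4c44ae0db9d39405d467eeb18fa1f3c94c48c8bb7d5678b1488a947df4ffd925ed52bb79b6d0bfe70bd08d4e0f45f966ecb2b9c943a256fd3
-data.tar.gz: d2d80338256cc5a0b041b5d4c69210c4fb040739c5bc7c6c02c8168aa1bf61a210d2b6b5f27b84027b2395980e1ea8cb9e37fa44593467586f489548ee499607
+metadata.gz: bcd96966ba3c89772805d322df18d4ccc925140106830981ac6634d73152f2b79ec7148fabe6e8c5790ca8a8746968eab438d75f07512c4b77986ea8a849c075
+data.tar.gz: 474f0d7f682c7413d794ae67120820419f465c7808c976c9dcfee27556d891266e3d6eebc07122faeff9b4ed8af689db73d3d2c09de1315a933ad74fb655f4f0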
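--- a/data/README.md
+++ b/data/README.md
@@ -54,6 +54,15 @@ template = "Hello {{client.name.upcase}} and welcome to {{configuration.title.ca
 TinyTemplate.parse(template, self)
 ````
 
+If your interpreted string comes from a non-trusted source (user inpur for instance), you can secure it by providing a white list of method chains.
+
+```ruby
+TinyTemplate.secure(['client.name', 'configuration.email']) do
+~my\_template
+TinyTemplate.parse(my\_template)
+end
+````
+
 ## Contributing
 
 1. Fork it ( https://github.com/[my-github-username]/tiny_template/fork )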
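--- a/data/lib/tiny_template.rb
+++ b/data/lib/tiny_template.rb
@@ -22,14 +22,31 @@ class TinyTemplate
 new(str).parse(context)
 end
 
+def self.secure(allowed_keys, &block)
+previous_keys = @allowed_keys
+@allowed_keys = allowed_keys
+yield.tap do
+@allowed_keys = previous_keys
+end
+end
+
+def self.allowed_keys
+@allowed_keys
+end
+
 private
 attr_accessor :str
 
 # Private method used to interpolate one single expression at a time
 def interpolate(match, context)
-match.gsub(/\{|\}/, '')
-.split('.')
-.inject(context){ |result, e| result.public_send(e) }
+cleaned = match.gsub(/\{|\}/, '')
+
+if !self.class.allowed_keys || self.class.allowed_keys.include?(cleaned)
+cleaned.split('.')
+.inject(context){ |result, e| result.public_send(e) }
+else
+""
+end
 
 rescue
 match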
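Review bot: `secure` stores the allowlist in a class-level instance variable shared by every caller, so if `parse` is reached from more than one thread (a threaded web server, say — nothing here shows the deployment), one thread finishing its `secure` block restores `@allowed_keys` to `previous_keys` (typically nil) while another is still inside its own block, and that thread's `interpolate` then takes the unrestricted branch at `if !self.class.allowed_keys` — a silent bypass of the feature this commit introduces. Even single-threaded, the restore sits in `tap`, which never runs when the block raises, so an exception inside `secure` leaves that caller's allowlist in force for unrelated later parses. The restore belongs in an `ensure`: replace `yield.tap do … end` with `yield`, then `ensure` / `@allowed_keys = previous_keys`. For the cross-thread case the allowlist should travel with the call (an argument to `parse`/`new`, or at minimum `Thread.current` state) rather than live on the class. Note also that `interpolate` compares `cleaned` to the allowlist exactly, so `{{ client.name }}` with padding is rejected — fail-closed, but worth stating in the README.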
@@ -1,3 +1,3 @@
1
1
  class TinyTemplate
2
- VERSION = "0.0.1"
2
+ VERSION = "0.0.2"
3
3
  end
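--- a/data/spec/spec_helper.rb
+++ b/data/spec/spec_helper.rb
@@ -1,5 +1,4 @@
 require 'rubygems'
-require 'active_record'
 require 'tiny_template'
 
 RSpec.configure do |config|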
@@ -53,5 +53,40 @@ RSpec.describe TinyTemplate do
53
53
 
54
54
  expect(result).to match(/JOHN DOE/)
55
55
  end
56
+
57
+ it 'should not interpolate not authorized actions' do
58
+ @klass2 = Class.new do
59
+ def hello
60
+ TinyTemplate.parse(template, self)
61
+ end
62
+
63
+ def hello_secured
64
+ TinyTemplate.secure(['client.name', 'client.email']) do
65
+ TinyTemplate.parse(template, self)
66
+ end
67
+ end
68
+
69
+ attr_accessor :template
70
+
71
+ def client
72
+ OpenStruct.new(name: 'John Doe', email: ' John@doe.com ')
73
+ end
74
+
75
+ def configuration
76
+ OpenStruct.new(title: 'my Fancy website')
77
+ end
78
+
79
+ def destroy
80
+ "Dangerous action triggered"
81
+ end
82
+ end
83
+
84
+ instance = @klass2.new
85
+ instance.template = "This is a malecious {{client.name}} template that can harm: {{destroy}} "
86
+ expect(instance.hello).to include('Dangerous action triggered')
87
+
88
+ expect(instance.hello_secured).not_to include('Dangerous action triggered')
89
+ expect(instance.hello_secured).to include('John Doe')
90
+ end
56
91
  end
57
92
 
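Review bot: The new example never verifies that the allowlist is lifted once the `secure` block returns, so a leaked `@allowed_keys` would pass unnoticed; after the last `hello_secured` expectation add `expect(instance.hello).to include('Dangerous action triggered')` to pin that an unsecured parse is unrestricted again. It would also help to assert that the rejected expression is dropped rather than echoed back as text, e.g. `expect(instance.hello_secured).not_to include('{{destroy}}')`, since `interpolate`'s `rescue` path returns the raw match. The example builds `OpenStruct` instances, and with `require 'active_record'` now gone from spec_helper.rb nothing visible here loads `ostruct`; confirm it is required somewhere or add `require 'ostruct'`. The enclosing `RSpec.describe` block starts before this hunk.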
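--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: tiny_template
 version: !ruby/object:Gem::Version
-version: 0.0.1
+version: 0.0.2
 platform: ruby
 authors:
 - Ihcène Medjber (ihcene)
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-03-22 00:00:00.000000000 Z
+date: 2017-11-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: debug_inspector
@@ -117,7 +117,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.2.2
+rubygems_version: 2.6.12
 signing_key:
 specification_version: 4
 summary: Magical and secure string interpolation.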