tiny_template 0.0.1 → 0.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +9 -0
- data/lib/tiny_template.rb +20 -3
- data/lib/tiny_template/version.rb +1 -1
- data/spec/spec_helper.rb +0 -1
- data/spec/tiny_template_spec.rb +35 -0
- metadata +3 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 02066fa4c22f30cfd0587243bfb37df1a265571e
|
4
|
+
data.tar.gz: 1fea1f8d41621846a5b7be46899fd75aac65a917
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: bcd96966ba3c89772805d322df18d4ccc925140106830981ac6634d73152f2b79ec7148fabe6e8c5790ca8a8746968eab438d75f07512c4b77986ea8a849c075
|
7
|
+
data.tar.gz: 474f0d7f682c7413d794ae67120820419f465c7808c976c9dcfee27556d891266e3d6eebc07122faeff9b4ed8af689db73d3d2c09de1315a933ad74fb655f4f0
|
data/README.md
CHANGED
@@ -54,6 +54,15 @@ template = "Hello {{client.name.upcase}} and welcome to {{configuration.title.ca
|
|
54
54
|
TinyTemplate.parse(template, self)
|
55
55
|
````
|
56
56
|
|
57
|
+
If your interpreted string comes from a non-trusted source (user inpur for instance), you can secure it by providing a white list of method chains.
|
58
|
+
|
59
|
+
```ruby
|
60
|
+
TinyTemplate.secure(['client.name', 'configuration.email']) do
|
61
|
+
~my\_template
|
62
|
+
TinyTemplate.parse(my\_template)
|
63
|
+
end
|
64
|
+
````
|
65
|
+
|
57
66
|
## Contributing
|
58
67
|
|
59
68
|
1. Fork it ( https://github.com/[my-github-username]/tiny_template/fork )
|
data/lib/tiny_template.rb
CHANGED
@@ -22,14 +22,31 @@ class TinyTemplate
|
|
22
22
|
new(str).parse(context)
|
23
23
|
end
|
24
24
|
|
25
|
+
def self.secure(allowed_keys, &block)
|
26
|
+
previous_keys = @allowed_keys
|
27
|
+
@allowed_keys = allowed_keys
|
28
|
+
yield.tap do
|
29
|
+
@allowed_keys = previous_keys
|
30
|
+
end
|
31
|
+
end
|
32
|
+
|
33
|
+
def self.allowed_keys
|
34
|
+
@allowed_keys
|
35
|
+
end
|
36
|
+
|
25
37
|
private
|
26
38
|
attr_accessor :str
|
27
39
|
|
28
40
|
# Private method used to interpolate one single expression at a time
|
29
41
|
def interpolate(match, context)
|
30
|
-
match.gsub(/\{|\}/, '')
|
31
|
-
|
32
|
-
|
42
|
+
cleaned = match.gsub(/\{|\}/, '')
|
43
|
+
|
44
|
+
if !self.class.allowed_keys || self.class.allowed_keys.include?(cleaned)
|
45
|
+
cleaned.split('.')
|
46
|
+
.inject(context){ |result, e| result.public_send(e) }
|
47
|
+
else
|
48
|
+
""
|
49
|
+
end
|
33
50
|
|
34
51
|
rescue
|
35
52
|
match
|
data/spec/spec_helper.rb
CHANGED
data/spec/tiny_template_spec.rb
CHANGED
@@ -53,5 +53,40 @@ RSpec.describe TinyTemplate do
|
|
53
53
|
|
54
54
|
expect(result).to match(/JOHN DOE/)
|
55
55
|
end
|
56
|
+
|
57
|
+
it 'should not interpolate not authorized actions' do
|
58
|
+
@klass2 = Class.new do
|
59
|
+
def hello
|
60
|
+
TinyTemplate.parse(template, self)
|
61
|
+
end
|
62
|
+
|
63
|
+
def hello_secured
|
64
|
+
TinyTemplate.secure(['client.name', 'client.email']) do
|
65
|
+
TinyTemplate.parse(template, self)
|
66
|
+
end
|
67
|
+
end
|
68
|
+
|
69
|
+
attr_accessor :template
|
70
|
+
|
71
|
+
def client
|
72
|
+
OpenStruct.new(name: 'John Doe', email: ' John@doe.com ')
|
73
|
+
end
|
74
|
+
|
75
|
+
def configuration
|
76
|
+
OpenStruct.new(title: 'my Fancy website')
|
77
|
+
end
|
78
|
+
|
79
|
+
def destroy
|
80
|
+
"Dangerous action triggered"
|
81
|
+
end
|
82
|
+
end
|
83
|
+
|
84
|
+
instance = @klass2.new
|
85
|
+
instance.template = "This is a malecious {{client.name}} template that can harm: {{destroy}} "
|
86
|
+
expect(instance.hello).to include('Dangerous action triggered')
|
87
|
+
|
88
|
+
expect(instance.hello_secured).not_to include('Dangerous action triggered')
|
89
|
+
expect(instance.hello_secured).to include('John Doe')
|
90
|
+
end
|
56
91
|
end
|
57
92
|
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: tiny_template
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.0.
|
4
|
+
version: 0.0.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Ihcène Medjber (ihcene)
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2017-11-04 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: debug_inspector
|
@@ -117,7 +117,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
117
117
|
version: '0'
|
118
118
|
requirements: []
|
119
119
|
rubyforge_project:
|
120
|
-
rubygems_version: 2.
|
120
|
+
rubygems_version: 2.6.12
|
121
121
|
signing_key:
|
122
122
|
specification_version: 4
|
123
123
|
summary: Magical and secure string interpolation.
|