tiny_template 0.0.1 → 0.0.2
- checksums.yaml +4 -4
- data/README.md +9 -0
- data/lib/tiny_template.rb +20 -3
- data/lib/tiny_template/version.rb +1 -1
- data/spec/spec_helper.rb +0 -1
- data/spec/tiny_template_spec.rb +35 -0
- metadata +3 -3
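--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 02066fa4c22f30cfd0587243bfb37df1a265571e
+data.tar.gz: 1fea1f8d41621846a5b7be46899fd75aac65a917
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: bcd96966ba3c89772805d322df18d4ccc925140106830981ac6634d73152f2b79ec7148fabe6e8c5790ca8a8746968eab438d75f07512c4b77986ea8a849c075
+data.tar.gz: 474f0d7f682c7413d794ae67120820419f465c7808c976c9dcfee27556d891266e3d6eebc07122faeff9b4ed8af689db73d3d2c09de1315a933ad74fb655f4f0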
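--- a/data/README.md
+++ b/data/README.md
@@ -54,6 +54,15 @@ template = "Hello {{client.name.upcase}} and welcome to {{configuration.title.ca
 TinyTemplate.parse(template, self)
 ````
 
+If your interpreted string comes from a non-trusted source (user inpur for instance), you can secure it by providing a white list of method chains.
+
+```ruby
+TinyTemplate.secure(['client.name', 'configuration.email']) do
+~my\_template
+TinyTemplate.parse(my\_template)
+end
+````
+
 ## Contributing
 
 1. Fork it ( https://github.com/[my-github-username]/tiny_template/fork )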
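--- a/data/lib/tiny_template.rb
+++ b/data/lib/tiny_template.rb
@@ -22,14 +22,31 @@ class TinyTemplate
 new(str).parse(context)
 end
 
+def self.secure(allowed_keys, &block)
+previous_keys = @allowed_keys
+@allowed_keys = allowed_keys
+yield.tap do
+@allowed_keys = previous_keys
+end
+end
+
+def self.allowed_keys
+@allowed_keys
+end
+
 private
 attr_accessor :str
 
 # Private method used to interpolate one single expression at a time
 def interpolate(match, context)
-match.gsub(/\{|\}/, '')
-
-
+cleaned = match.gsub(/\{|\}/, '')
+
+if !self.class.allowed_keys || self.class.allowed_keys.include?(cleaned)
+cleaned.split('.')
+.inject(context){ |result, e| result.public_send(e) }
+else
+""
+end
 
 rescue
 match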
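Review bot: `self.secure` restores `@allowed_keys` inside `yield.tap`, so if the block raises the restore never runs and the class keeps the block's allow-list (or a stale one from an earlier nesting) for every later caller; the three lines `yield.tap do` / `@allowed_keys = previous_keys` / `end` should become `yield` / `ensure` / `@allowed_keys = previous_keys`, which Ruby accepts directly in a `def` body. The allow-list is a class-level instance variable and therefore shared by every thread in the process, so under a threaded server one thread's `secure` block changes what concurrently parsed templates may call, and its restore can clear another thread's list mid-parse, which fails open; that deserves a comment on `self.secure` such as `# NOTE: process-global state, not thread-safe; prefer passing the allow-list into parse` until the list is threaded through `parse` itself. With no allow-list set, `interpolate` still `public_send`s any dotted chain from the template, which the spec's `{{destroy}}` case exercises, so the unsecured path remains opt-out by design and the README should say so. `&block` is declared but unused since the body uses `yield`. `interpolate`'s `end` lies outside the hunk.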
data/spec/spec_helper.rb
CHANGED
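--- a/data/spec/tiny_template_spec.rb
+++ b/data/spec/tiny_template_spec.rb
@@ -53,5 +53,40 @@ RSpec.describe TinyTemplate do
 
 expect(result).to match(/JOHN DOE/)
 end
+
+it 'should not interpolate not authorized actions' do
+@klass2 = Class.new do
+def hello
+TinyTemplate.parse(template, self)
+end
+
+def hello_secured
+TinyTemplate.secure(['client.name', 'client.email']) do
+TinyTemplate.parse(template, self)
+end
+end
+
+attr_accessor :template
+
+def client
+OpenStruct.new(name: 'John Doe', email: ' John@doe.com ')
+end
+
+def configuration
+OpenStruct.new(title: 'my Fancy website')
+end
+
+def destroy
+"Dangerous action triggered"
+end
+end
+
+instance = @klass2.new
+instance.template = "This is a malecious {{client.name}} template that can harm: {{destroy}} "
+expect(instance.hello).to include('Dangerous action triggered')
+
+expect(instance.hello_secured).not_to include('Dangerous action triggered')
+expect(instance.hello_secured).to include('John Doe')
+end
 end
 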
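Review bot: The new example never pins that the allow-list is exact-match rather than prefix-match, which is the boundary that stops `client.name` from also admitting `client.name.upcase` or deeper chains, and it never checks that `TinyTemplate.allowed_keys` is back to `nil` once `hello_secured` returns, so a regression in either would still pass. Adding `instance.template = "{{client.name.upcase}}"`, `expect(instance.hello_secured).not_to include('JOHN DOE')` and `expect(TinyTemplate.allowed_keys).to be_nil` after the existing expectations would cover both. Whether `ostruct` is required by the spec helper is not visible here, so the `OpenStruct` fixtures may need that require. The `hello` expectation on line 86 usefully documents that the unsecured path executes `destroy`; keep it.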
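--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: tiny_template
 version: !ruby/object:Gem::Version
-version: 0.0.
+version: 0.0.2
 platform: ruby
 authors:
 - Ihcène Medjber (ihcene)
 autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2017-11-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: debug_inspector
@@ -117,7 +117,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.
+rubygems_version: 2.6.12
 signing_key:
 specification_version: 4
 summary: Magical and secure string interpolation.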