twig_ruby 0.0.1 → 0.0.3

data/lib/twig/node_visitor/escaper.rb

@@ -0,0 +1,165 @@
+# frozen_string_literal: true
+
+module Twig
+  module NodeVisitor
+    class Escaper < Base
+      attr_reader :escaping_strategy
+
+      def initialize
+        super
+
+        @default_strategy = false
+        @status_stack = []
+        @blocks = {}
+        @safe_vars = []
+        @safe_analysis = SafeAnalysis.new
+      end
+
+      def enter_node(node, env)
+        case node
+        when Node::Module
+          if env.extension?(Extension::Escaper)
+            default_strategy = env.extension(Extension::Escaper).default_strategy(node.template_name)
+            @default_strategy = default_strategy if default_strategy
+          end
+
+          @blocks = {}
+          @safe_vars = []
+        when Node::AutoEscape
+          @status_stack << node.attributes[:value].then { |v| v.is_a?(String) ? v.to_sym : v }
+        when Node::Block
+          @status_stack << blocks.fetch(node.attributes[:name], need_escaping)
+        when Node::Import
+          @safe_vars << node.nodes[:var].nodes[:var].attributes[:name]
+        end
+
+        node
+      end
+
+      def leave_node(node, env)
+        if node.is_a?(Node::Module)
+          @default_strategy = false
+          @safe_vars = []
+          @blocks = {}
+        elsif node.is_a?(Node::Expression::Filter)
+          return pre_escape_filter_node(node, env)
+        elsif node.is_a?(Node::Print) && (type = need_escaping) != false
+          expression = node.nodes[:expr]
+
+          if expression.is_a?(Node::Expression::OperatorEscape)
+            escape_conditional(expression, env, type)
+          else
+            node.nodes[:expr] = escape_expression(expression, env, type)
+          end
+
+          return node
+        end
+
+        if node.is_a?(Node::AutoEscape) || node.is_a?(Node::Block)
+          @status_stack.pop
+        elsif node.is_a?(Node::BlockReference)
+          @blocks[node.attributes[:name]] = need_escaping
+        end
+
+        node
+      end
+
+      private
+
+      # @param [Node::Expression::Base, Node::Expression::OperatorEscape] expression
+      # @param [Environment] env
+      # @param [Symbol] type
+      def escape_conditional(expression, env, type)
+        expression.operand_names_to_escape.each do |name|
+          operand = expression.nodes[name]
+
+          if operand.is_a?(Node::Expression::OperatorEscape)
+            escape_conditional(operand, env, type)
+          else
+            expression.nodes[name] = escape_expression(operand, env, type)
+          end
+        end
+      end
+
+      # @return [SafeAnalysis]
+      attr_reader :safe_analysis
+
+      # @return [String, Boolean]
+      attr_reader :default_strategy
+
+      # @return [Hash{String => String, Boolean}]
+      attr_reader :blocks
+
+      # @return [Array]
+      attr_reader :status_stack
+
+      # @return [String, Boolean]
+      def need_escaping
+        unless status_stack.empty?
+          return status_stack.last
+        end
+
+        default_strategy || false
+      end
+
+      # @param [Node::Expression::Base] expression
+      # @param [Environment] env
+      # @param [Symbol] type
+      def escape_expression(expression, env, type)
+        safe_for?(type, expression, env) ? expression : get_escaper_filter(env, type, expression)
+      end
+
+      # @param [Node::Exression::Filter] filter
+      # @param [Environment] env
+      # @return [Node::Expression::Filter]
+      def pre_escape_filter_node(filter, env)
+        if (type = filter.attributes[:twig_callable].pre_escape).nil?
+          return filter
+        end
+
+        node = filter.nodes[:node]
+
+        if safe_for?(type, node, env)
+          return filter
+        end
+
+        filter.nodes[:node] = get_escaper_filter(env, type, node)
+
+        filter
+      end
+
+      # @param [Environment] env
+      # @param [Symbol] type
+      # @param [Node::Expression::Base] node
+      # @return [Node::Expression::Filter]
+      def get_escaper_filter(env, type, node)
+        line = node.lineno
+        filter = env.filter('escape')
+        args = Node::Nodes.new(
+          AutoHash.new.add(
+            Node::Expression::Constant.new(type, line),
+            Node::Expression::Constant.new(nil, line),
+            Node::Expression::Constant.new(true, line)
+          )
+        )
+
+        Node::Expression::Filter.new(node, filter, args, line)
+      end
+
+      def safe_for?(type, expression, env)
+        safe = safe_analysis.safe(expression)
+
+        if safe.empty?
+          @traverser ||= NodeTraverser.new(env, [safe_analysis])
+
+          safe_analysis.safe_vars = @safe_vars
+          @traverser.traverse(expression)
+
+          safe = safe_analysis.safe(expression)
+        end
+
+        safe.include?(type) || safe.include?(:all)
+      end
+    end
+  end
+end

data/lib/twig/node_visitor/safe_analysis.rb

@@ -0,0 +1,127 @@
+# frozen_string_literal: true
+
+module Twig
+  module NodeVisitor
+    class SafeAnalysis < Base
+      SAFE_ALL = [
+        Node::Expression::Constant,
+        Node::Expression::BlockReference,
+        Node::Expression::Parent,
+        Node::Expression::MacroReference,
+      ].freeze
+
+      def initialize
+        super
+
+        @data = {}
+        @safe_vars = []
+      end
+
+      def enter_node(node, env)
+        node
+      end
+
+      def leave_node(node, env)
+        if SAFE_ALL.any? { |klass| node.is_a?(klass) }
+          set_safe(node, [:all])
+        elsif node.is_a?(Node::Expression::OperatorEscape)
+          operands = node.operand_names_to_escape
+
+          if operands.length > 2
+            raise ArgumentError, "Operators with more than 2 operands are not supported yet, got #{operands.length}."
+          elsif operands.length == 2
+            safe = intersect_safe(safe(node.nodes[operands[0]]), safe(node.nodes[operands[1]]))
+            set_safe(node, safe)
+          end
+        elsif node.is_a?(Node::Expression::Filter)
+          # Filter expression is safe when the filter is safe
+          if node.attributes.key?(:twig_callable) && (filter = node.attributes[:twig_callable])
+            if (safe = filter.safe(node.nodes[:arguments])).empty?
+              safe = intersect_safe(safe(node.nodes[:node]), filter.preserves_safety)
+            end
+
+            set_safe(node, safe)
+          end
+        elsif node.is_a?(Node::Expression::Function)
+          # Function expression is safe when the function is safe
+          if node.attributes.key?(:twig_callable) && (function = node.attributes[:twig_callable])
+            set_safe(node, function.safe(node.nodes[:arguments]))
+          else
+            set_safe(node, [])
+          end
+        elsif node.is_a?(Node::Expression::GetAttribute) && node.nodes[:node].is_a?(Node::Expression::Variable::Context)
+          name = node.nodes[:node].attributes[:name]
+
+          if safe_vars.include?(name)
+            set_safe(node, [:all])
+          end
+        end
+
+        node
+      end
+
+      # @param [Node::Base] node
+      def safe(node)
+        hash = node.object_id
+
+        unless data.key?(hash)
+          return []
+        end
+
+        data[hash].each do |bucket|
+          next unless bucket[:key] == node
+
+          if bucket[:value].include?(:html_attr)
+            bucket[:value] << :html
+          end
+
+          return bucket[:value]
+        end
+
+        []
+      end
+
+      # @param [Array<String>] safe_vars
+      def safe_vars=(safe_vars)
+        @safe_vars = safe_vars.dup
+      end
+
+      private
+
+      # @return [Hash{Integer => Array}]
+      attr_reader :data
+
+      # @return [Array<String>]
+      attr_reader :safe_vars
+
+      # @param [Node::Base] node
+      # @param [Array] safe
+      def set_safe(node, safe)
+        hash = node.object_id
+        found = data.fetch(hash, []).detect { |bucket| bucket[:key] == node }
+
+        if found
+          found[:value] = safe
+
+          return
+        end
+
+        @data[hash] ||= []
+        @data[hash] << {
+          key: node,
+          value: safe,
+        }
+      end
+
+      # @param [Array<String>] a
+      # @param [Array<String>] b
+      def intersect_safe(a, b)
+        return [] if a.empty? || b.empty?
+        return b if a.include?(:all)
+        return a if b.include?(:all)
+
+        a & b
+      end
+    end
+  end
+end

data/lib/twig/node_visitor/spreader.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module Twig
+  module NodeVisitor
+    # This visitor checks the contents of the Spread operator to see if it's a hash or array.
+    # If it is, it converts it to a HashSpread or ArraySpread node.
+    #
+    # The cases where this is not, would be some kind of variable expression which we cannot determine
+    # at compile time, and still need to be sent through the ArgumentSpreader so that they can be spread
+    # properly into the destination callable.
+    class Spreader < Base
+      def enter_node(node, env)
+        node
+      end
+
+      def leave_node(node, env)
+        unless node.is_a?(Node::Expression::Unary::Spread)
+          return node
+        end
+
+        if node.nodes[:node].instance_of?(Node::Expression::Hash)
+          return Node::Expression::Unary::HashSpread.new(
+            node.nodes[:node],
+            node.lineno
+          )
+        end
+
+        if node.nodes[:node].instance_of?(Node::Expression::Array)
+          return Node::Expression::Unary::ArraySpread.new(
+            node.nodes[:node],
+            node.lineno
+          )
+        end
+
+        node
+      end
+    end
+  end
+end

data/lib/twig/output_buffer.rb

@@ -1,29 +1,31 @@
 # frozen_string_literal: true
 
 module Twig
+  # Anything passed through the Twig OutputBuffer is already
+  # being checked for escaping issues, so we can mark everything
+  # html_safe here. When being used with Rails, we just pass everything
+  # through this buffer into the Rails safe buffer so we don't need a
+  # bunch of html_safe calls everywhere.
   class OutputBuffer
-    def initialize
+    def initialize(decorated = nil)
+      @decorated = decorated
       @buffer = +''
     end
 
     def append=(string)
-      unless string.nil?
-        string = string.to_s
-
-        @buffer << if string.html_safe?
-                     string
-                   else
-                     CGI.escapeHTML(string)
-                   end
-      end
+      self.safe_append = string
     end
 
     def safe_append=(string)
-      @buffer << string.html_safe
+      if @decorated
+        @decorated.safe_append = string
+      else
+        @buffer << string.to_s.html_safe
+      end
     end
 
     def to_s
-      @buffer
+      @decorated || @buffer
     end
   end
 end