@rhinostone/swig-core 2.0.0-alpha.3

package/lib/loaders/filesystem.js

@@ -0,0 +1,59 @@
+var fs = require('fs'),
+  path = require('path');
+
+/**
+ * Loads templates from the file system.
+ * @alias swig.loaders.fs
+ * @example
+ * swig.setDefaults({ loader: swig.loaders.fs() });
+ * @example
+ * // Load Templates from a specific directory (does not require using relative paths in your templates)
+ * swig.setDefaults({ loader: swig.loaders.fs(__dirname + '/templates' )});
+ * @param {string}   [basepath='']     Path to the templates as string. Assigning this value allows you to use semi-absolute paths to templates instead of relative paths.
+ * @param {string}   [encoding='utf8']   Template encoding
+ */
+module.exports = function (basepath, encoding) {
+  var ret = {};
+
+  encoding = encoding || 'utf8';
+  basepath = (basepath) ? path.normalize(basepath) : null;
+
+  /**
+   * Resolves <var>to</var> to an absolute path or unique identifier. This is used for building correct, normalized, and absolute paths to a given template.
+   * @alias resolve
+   * @param  {string} to        Non-absolute identifier or pathname to a file.
+   * @param  {string} [from]    If given, should attempt to find the <var>to</var> path in relation to this given, known path.
+   * @return {string}
+   */
+  ret.resolve = function (to, from) {
+    if (basepath) {
+      from = basepath;
+    } else {
+      from = (from) ? path.dirname(from) : process.cwd();
+    }
+    return path.resolve(from, to);
+  };
+
+  /**
+   * Loads a single template. Given a unique <var>identifier</var> found by the <var>resolve</var> method this should return the given template.
+   * @alias load
+   * @param  {string}   identifier  Unique identifier of a template (possibly an absolute path).
+   * @param  {function} [cb]        Asynchronous callback function. If not provided, this method should run synchronously.
+   * @return {string}               Template source string.
+   */
+  ret.load = function (identifier, cb) {
+    if (!fs || (cb && !fs.readFile) || !fs.readFileSync) {
+      throw new Error('Unable to find file ' + identifier + ' because there is no filesystem to read from.');
+    }
+
+    identifier = ret.resolve(identifier);
+
+    if (cb) {
+      fs.readFile(identifier, encoding, cb);
+      return;
+    }
+    return fs.readFileSync(identifier, encoding);
+  };
+
+  return ret;
+};

package/lib/loaders/index.js

@@ -0,0 +1,53 @@
+/**
+ * @namespace TemplateLoader
+ * @description Swig is able to accept custom template loaders written by you, so that your templates can come from your favorite storage medium without needing to be part of the core library.
+ * A template loader consists of two methods: <var>resolve</var> and <var>load</var>. Each method is used internally by Swig to find and load the source of the template before attempting to parse and compile it.
+ * @example
+ * // A theoretical memcached loader
+ * var path = require('path'),
+ *   Memcached = require('memcached');
+ * function memcachedLoader(locations, options) {
+ *   var memcached = new Memcached(locations, options);
+ *   return {
+ *     resolve: function (to, from) {
+ *       return path.resolve(from, to);
+ *     },
+ *     load: function (identifier, cb) {
+ *       memcached.get(identifier, function (err, data) {
+ *         // if (!data) { load from filesystem; }
+ *         cb(err, data);
+ *       });
+ *     }
+ *   };
+ * };
+ * // Tell swig about the loader:
+ * swig.setDefaults({ loader: memcachedLoader(['localhost:11211']) });
+ */
+
+/**
+ * @function
+ * @name resolve
+ * @memberof TemplateLoader
+ * @description
+ * Resolves <var>to</var> to an absolute path or unique identifier. This is used for building correct, normalized, and absolute paths to a given template.
+ * @param  {string} to        Non-absolute identifier or pathname to a file.
+ * @param  {string} [from]    If given, should attempt to find the <var>to</var> path in relation to this given, known path.
+ * @return {string}
+ */
+
+/**
+ * @function
+ * @name load
+ * @memberof TemplateLoader
+ * @description
+ * Loads a single template. Given a unique <var>identifier</var> found by the <var>resolve</var> method this should return the given template.
+ * @param  {string}   identifier  Unique identifier of a template (possibly an absolute path).
+ * @param  {function} [cb]        Asynchronous callback function. If not provided, this method should run synchronously.
+ * @return {string}               Template source string.
+ */
+
+/**
+ * @private
+ */
+exports.fs = require('./filesystem');
+exports.memory = require('./memory');

package/lib/loaders/memory.js

@@ -0,0 +1,63 @@
+var path = require('path'),
+  utils = require('../utils');
+
+/**
+ * Loads templates from a provided object mapping.
+ * @alias swig.loaders.memory
+ * @example
+ * var templates = {
+ *   "layout": "{% block content %}{% endblock %}",
+ *   "home.html": "{% extends 'layout.html' %}{% block content %}...{% endblock %}"
+ * };
+ * swig.setDefaults({ loader: swig.loaders.memory(templates) });
+ *
+ * @param {object} mapping Hash object with template paths as keys and template sources as values.
+ * @param {string} [basepath] Path to the templates as string. Assigning this value allows you to use semi-absolute paths to templates instead of relative paths.
+ */
+module.exports = function (mapping, basepath) {
+  var ret = {};
+
+  basepath = (basepath) ? path.normalize(basepath) : null;
+
+  /**
+   * Resolves <var>to</var> to an absolute path or unique identifier. This is used for building correct, normalized, and absolute paths to a given template.
+   * @alias resolve
+   * @param  {string} to        Non-absolute identifier or pathname to a file.
+   * @param  {string} [from]    If given, should attempt to find the <var>to</var> path in relation to this given, known path.
+   * @return {string}
+   */
+  ret.resolve = function (to, from) {
+    if (basepath) {
+      from = basepath;
+    } else {
+      from = (from) ? path.dirname(from) : '/';
+    }
+    return path.resolve(from, to);
+  };
+
+  /**
+   * Loads a single template. Given a unique <var>identifier</var> found by the <var>resolve</var> method this should return the given template.
+   * @alias load
+   * @param  {string}   identifier  Unique identifier of a template (possibly an absolute path).
+   * @param  {function} [cb]        Asynchronous callback function. If not provided, this method should run synchronously.
+   * @return {string}               Template source string.
+   */
+  ret.load = function (pathname, cb) {
+    var src, paths;
+
+    paths = [pathname, pathname.replace(/^(\/|\\)/, '')];
+
+    src = mapping[paths[0]] || mapping[paths[1]];
+    if (!src) {
+      utils.throwError('Unable to find template "' + pathname + '".');
+    }
+
+    if (cb) {
+      cb(null, src);
+      return;
+    }
+    return src;
+  };
+
+  return ret;
+};

package/lib/security.js

@@ -0,0 +1,25 @@
+/**
+ * Template-source property access blocklist for CVE-2023-25345.
+ *
+ * Any identifier that matches this list is rejected at parse time by
+ * parser.js, tags/set.js, tags/for.js, tags/macro.js, and tags/import.js.
+ * The list covers read access (`{{ __proto__ }}` / `{{ foo.__proto__ }}`
+ * / `{{ foo["__proto__"] }}`), write access (`{% set __proto__ = ... %}`
+ * / `{% set foo["__proto__"] = ... %}`), loop variables
+ * (`{% for __proto__ in items %}`), macro names (`{% macro __proto__() %}`),
+ * and import aliases (`{% import "f" as __proto__ %}`).
+ *
+ * Kept as a shared constant so any future tag that assigns to `_ctx.*`
+ * or otherwise exposes an identifier as a property key picks up the
+ * full blocklist without drift across copies.
+ *
+ * See .claude/security.md for the full attack-vector table and the
+ * tags/parser checkpoints that consume this list.
+ */
+
+/**
+ * Property names that must never reach `_ctx.<name>` or be accessed
+ * via dot / string-bracket notation from template source.
+ * @type {string[]}
+ */
+exports.dangerousProps = ['__proto__', 'constructor', 'prototype'];