@rhinostone/swig-core 2.3.0 → 2.4.1

package/lib/tokenparser.js

@@ -310,12 +310,39 @@ TokenParser.prototype = {
       self.filterApplyIdx.push(self.out.length - 1);
       break;
 
+    case _t.QMARK:
+      // Ternary `?` — emit a flat operator and mark the state stack so
+      // the matching `:` is recognised as the alternative-branch
+      // separator (not an object-literal colon). The lowerExpr ->
+      // parseExpr IR path does the real ternary codegen for built-in
+      // tags; emitting `?`/`:` flat here just keeps the legacy tag-arg
+      // walk from aborting so `args` is built for every tag.
+      self.out.push(' ? ');
+      self.state.push(token.type);
+      self.filterApplyIdx.pop();
+      break;
+
     case _t.COLON:
-      if (lastState !== _t.CURLYOPEN) {
+      if (lastState === _t.CURLYOPEN) {
+        self.state.push(token.type);
+        self.out.push(':');
+      } else if (lastState === _t.QMARK) {
+        // Ternary alternative branch. Pop the QMARK marker the QMARK
+        // case pushed. A full ternary (`a ? b : c`) has a non-empty
+        // then-branch, so the colon emits as a flat operator. The Elvis
+        // shorthand (`a ?: b`) has an empty then-branch — the `?` we
+        // emitted is still the last fragment — so rewrite it to `||`,
+        // the single-evaluation equivalent of `a ? a : b`. A bare
+        // `a ?  : b` would be invalid JS.
+        self.state.pop();
+        if (self.out[self.out.length - 1] === ' ? ') {
+          self.out[self.out.length - 1] = ' || ';
+        } else {
+          self.out.push(' : ');
+        }
+      } else {
         utils.throwError('Unexpected colon', self.line, self.filename);
       }
-      self.state.push(token.type);
-      self.out.push(':');
       self.filterApplyIdx.pop();
       break;
 
@@ -647,6 +674,37 @@ TokenParser.prototype = {
         var right = parseExpression(info.prec + 1);
         left = ir.binaryOp(info.op, left, right);
       }
+      // Ternary + Elvis — binds looser than every binary op, so it is only
+      // handled at the top-level minPrec === 0 entry. Recursive calls for a
+      // binary op's RHS run at prec + 1 >= 1 and skip this branch, which is
+      // what lets `a + b ? c : d` parse as `(a + b) ? c : d`. Recursive
+      // parseExpression(0) calls (arg-list elements, object-literal values,
+      // grouped sub-expressions) still get ternary via their own entry.
+      //
+      // Elvis shorthand `a ?: b` lowers to Conditional(a, a, b). The `a`
+      // subexpression is evaluated twice by downstream emitters — a
+      // documented consequence of the transliteration.
+      if (minPrec === 0) {
+        var qtok = peek();
+        if (qtok && qtok.type === _t.QMARK) {
+          consume();
+          var afterQ = peek();
+          var elseBranch;
+          if (afterQ && afterQ.type === _t.COLON) {
+            consume();
+            elseBranch = parseExpression(0);
+            left = ir.conditional(left, left, elseBranch);
+          } else {
+            var thenBranch = parseExpression(0);
+            var colon = consume();
+            if (!colon || colon.type !== _t.COLON) {
+              bail('Expected colon in ternary expression');
+            }
+            elseBranch = parseExpression(0);
+            left = ir.conditional(left, thenBranch, elseBranch);
+          }
+        }
+      }
       return left;
     }
 
@@ -706,6 +764,7 @@ TokenParser.prototype = {
     var depth = 0,
       hasTopOp = false,
       hasTopFilter = false,
+      hasTopTernary = false,
       firstTopFilterIdx = -1;
     for (i = 0; i < tokens.length; i += 1) {
       t = tokens[i];
@@ -718,6 +777,9 @@ TokenParser.prototype = {
           hasTopFilter = true;
           if (firstTopFilterIdx < 0) { firstTopFilterIdx = i; }
         }
+        if (t.type === _t.QMARK) {
+          hasTopTernary = true;
+        }
       }
       if (t.type === _t.PARENOPEN || t.type === _t.FUNCTION ||
           t.type === _t.BRACKETOPEN || t.type === _t.CURLYOPEN ||
@@ -779,7 +841,13 @@ TokenParser.prototype = {
       // trailing FILTER / FILTEREMPTY and wraps the atom in an
       // IRFilterCallExpr at the right tree depth. Autoescape remains
       // a top-level wrap (single `e` filterCall appended).
-      if (hasTopOp && hasTopFilter) {
+      //
+      // A top-level ternary (`{{ a ? b : c }}`) takes the same route:
+      // the prefix/filter-drain path below would slice the stream at
+      // the first top-level filter (e.g. a filter inside a branch,
+      // `{{ x ? a|upper : b }}`) and mis-parse it. Full-stream
+      // parseExpr consumes the whole ternary, branch filters included.
+      if (hasTopTernary || (hasTopOp && hasTopFilter)) {
         var exprPO = self.parseExpr(tokens);
         var fcallsPO = escape ? [ir.filterCall('e')] : [];
         return ir.output(exprPO, fcallsPO.length > 0 ? fcallsPO : undefined);
@@ -874,6 +942,12 @@ TokenParser.prototype = {
 
       return ir.output(expr, filterCalls.length > 0 ? filterCalls : undefined);
     } catch (e) {
+      // A top-level ternary cannot be expressed by the legacy parseToken
+      // path (no QMARK handling), so legacyFallback would only throw a
+      // worse error ("Unexpected colon") or emit garbage. Re-throw
+      // parseExpr's own error — including the CVE-2023-25345 guard
+      // message — instead of masking it.
+      if (hasTopTernary) { throw e; }
       return legacyFallback();
     }
   },

package/lib/tokentypes.js

@@ -73,6 +73,8 @@ module.exports = {
   /** End of a method
    * Currently unused
   METHODEND: 26, */
+  /** Ternary question mark (?) */
+  QMARK: 27,
   /** Unknown type */
   UNKNOWN: 100
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rhinostone/swig-core",
-  "version": "2.3.0",
+  "version": "2.4.1",
   "description": "Shared IR, backend, and runtime for the @rhinostone/swig family of template engines.",
   "keywords": [
     "template",