@rhinostone/swig-twig 2.0.0-alpha.3

package/lib/tags/apply.js

@@ -0,0 +1,206 @@
+/*!
+ * Phase 3 Session 11 — Twig `{% apply filter %}…{% endapply %}` tag.
+ *
+ * Twig apply syntax — pipe the captured body through one or more filters,
+ * left-to-right:
+ *
+ *   {% apply upper %}hello{% endapply %}
+ *   {% apply upper|trim %}  hi  {% endapply %}
+ *   {% apply replace({'a': 'b'}) %}banana{% endapply %}
+ *   {% apply replace({'a': 'b'})|upper %}banana{% endapply %}
+ *
+ * Emits `IRLegacyJS` rather than `IRFilter` — `IRFilter` is single-filter
+ * only (backend wraps the body in one `_filters[name](...)` call), and
+ * chains require nested `_filters["f3"](_filters["f2"](_filters["f1"](...),
+ * ...), ...)`. Keeping the chain-emission in the tag avoids growing a new
+ * IR node for what is a JS plumbing shape; consistent with `{% set %}`'s
+ * body-capture form which also emits an IIFE via `IRLegacyJS`.
+ *
+ * CVE-2023-25345 checkpoint applies to each filter name — prototype-chain
+ * names (`__proto__`, `constructor`, `prototype`) are rejected at parse
+ * time. Filter argument expressions go through `parser.parseExpr` and
+ * inherit the `_dangerousProps` guards the expression parser already
+ * applies to VAR / DOTKEY / STRING-in-bracket / FUNCTION callee.
+ */
+
+var ir = require('@rhinostone/swig-core/lib/ir');
+var utils = require('@rhinostone/swig-core/lib/utils');
+var backend = require('@rhinostone/swig-core/lib/backend');
+var _dangerousProps = require('@rhinostone/swig-core/lib/security').dangerousProps;
+
+var lexer = require('../lexer');
+var _t = require('../tokentypes');
+
+exports.ends = true;
+exports.block = false;
+
+/*!
+ * Depth-tracked COMMA-split over the token stream starting at `start`
+ * (which should be the position immediately after the FUNCTION or FILTER
+ * token's implicit open paren). Returns `{ slices, end }` where `end` is
+ * the index of the balancing PARENCLOSE (one past the last consumed arg
+ * token). Throws via `utils.throwError` on unclosed paren.
+ *
+ * Pattern mirrors `lib/tags/filter.js:lowerExpr` — paren / bracket /
+ * curly / function all bump depth; PARENCLOSE / BRACKETCLOSE /
+ * CURLYCLOSE drop it; COMMA at depth 1 is a top-level separator.
+ * @private
+ */
+function sliceCallArgs(tokens, start, line, filename) {
+  var depth = 1,
+    argStart = start,
+    slices = [],
+    j;
+  for (j = start; j < tokens.length; j += 1) {
+    var tk = tokens[j];
+    if (tk.type === _t.PARENOPEN || tk.type === _t.FUNCTION ||
+        tk.type === _t.BRACKETOPEN || tk.type === _t.CURLYOPEN) {
+      depth += 1;
+      continue;
+    }
+    if (tk.type === _t.PARENCLOSE || tk.type === _t.BRACKETCLOSE ||
+        tk.type === _t.CURLYCLOSE) {
+      depth -= 1;
+      if (depth === 0) {
+        if (j > argStart) {
+          slices.push(tokens.slice(argStart, j));
+        }
+        return { slices: slices, end: j + 1 };
+      }
+      continue;
+    }
+    if (tk.type === _t.COMMA && depth === 1) {
+      if (j > argStart) {
+        slices.push(tokens.slice(argStart, j));
+      }
+      argStart = j + 1;
+    }
+  }
+  utils.throwError('Unclosed argument list in "apply" tag', line, filename);
+}
+
+/**
+ * Parse the `{% apply filter %}` tag body. Extracts the filter chain
+ * and validates each filter name against the CVE-2023-25345 blocklist.
+ *
+ * Stashes `[{name, args: IRExpr[]}, {name, args: IRExpr[]}, ...]` on
+ * `token.args`. `args: []` means the filter takes no arguments.
+ *
+ * @param  {string} str    Tag body.
+ * @param  {number} line   Source line of the opening `{%`.
+ * @param  {object} parser The Twig parser module (exposes `parseExpr`).
+ * @param  {object} types  Twig lexer token-type enum.
+ * @param  {Array}  stack  Open-tag stack (parser.js manages push).
+ * @param  {object} opts   Per-call options (honors `opts.filename`).
+ * @param  {object} swig   Swig instance (unused).
+ * @param  {object} token  In-progress TagToken. `token.args` gets the
+ *                         filter chain descriptor array.
+ * @return {boolean}       Always `true` on success. Throws otherwise.
+ */
+exports.parse = function (str, line, parser, types, stack, opts, swig, token) {
+  var tokens = lexer.read(utils.strip(str));
+  var pos = 0;
+
+  while (pos < tokens.length && tokens[pos].type === types.WHITESPACE) { pos += 1; }
+
+  if (pos >= tokens.length) {
+    utils.throwError('Expected filter name in "apply" tag', line, opts.filename);
+  }
+
+  function checkName(name) {
+    if (_dangerousProps.indexOf(name) !== -1) {
+      utils.throwError('Unsafe filter name "' + name + '" is not allowed (CVE-2023-25345)', line, opts.filename);
+    }
+  }
+
+  var chain = [];
+
+  // Head filter — VAR (bare name), FUNCTIONEMPTY (`name()`), or FUNCTION
+  // (`name(args...)`). Subsequent filters must come in via FILTER /
+  // FILTEREMPTY — a trailing bare VAR / FUNCTION would be a syntax error.
+  var head = tokens[pos];
+  if (head.type === types.VAR) {
+    checkName(head.match);
+    chain.push({ name: head.match, args: [] });
+    pos += 1;
+  } else if (head.type === types.FUNCTIONEMPTY) {
+    checkName(head.match);
+    chain.push({ name: head.match, args: [] });
+    pos += 1;
+  } else if (head.type === types.FUNCTION) {
+    checkName(head.match);
+    var result = sliceCallArgs(tokens, pos + 1, line, opts.filename);
+    var exprs = [];
+    for (var i = 0; i < result.slices.length; i += 1) {
+      exprs.push(parser.parseExpr(result.slices[i]));
+    }
+    chain.push({ name: head.match, args: exprs });
+    pos = result.end;
+  } else {
+    utils.throwError('Expected filter name in "apply" tag', line, opts.filename);
+  }
+
+  // Chain tail — each FILTER or FILTEREMPTY appends another filter call.
+  while (pos < tokens.length) {
+    while (pos < tokens.length && tokens[pos].type === types.WHITESPACE) { pos += 1; }
+    if (pos >= tokens.length) { break; }
+
+    var tk = tokens[pos];
+    if (tk.type === types.FILTEREMPTY) {
+      checkName(tk.match);
+      chain.push({ name: tk.match, args: [] });
+      pos += 1;
+      continue;
+    }
+    if (tk.type === types.FILTER) {
+      checkName(tk.match);
+      var r = sliceCallArgs(tokens, pos + 1, line, opts.filename);
+      var e = [];
+      for (var k = 0; k < r.slices.length; k += 1) {
+        e.push(parser.parseExpr(r.slices[k]));
+      }
+      chain.push({ name: tk.match, args: e });
+      pos = r.end;
+      continue;
+    }
+    utils.throwError('Unexpected token "' + tk.match + '" in "apply" tag filter chain', line, opts.filename);
+  }
+
+  token.args = chain;
+  return true;
+};
+
+/**
+ * Emit an `IRLegacyJS` node that captures the body into a local
+ * `_output` via an IIFE and folds the filter chain left-to-right into
+ * nested `_filters["<name>"](input, ...args)` calls.
+ *
+ * For `{% apply upper|trim %}body{% endapply %}` this produces roughly:
+ *
+ *   _output += _filters["trim"](_filters["upper"](
+ *     (function () { var _output = ""; <bodyJS> return _output; })()
+ *   ));
+ *
+ * @return {object} IRLegacyJS node.
+ */
+exports.compile = function (compiler, args, content, parents, options, blockName) {
+  var chain = args;
+  var bodyJS = compiler(content, parents, options, blockName);
+  var input = '(function () {\n  var _output = "";\n' + bodyJS + '  return _output;\n})()';
+
+  var expr = input;
+  for (var i = 0; i < chain.length; i += 1) {
+    var entry = chain[i];
+    var argsJS = '';
+    if (entry.args && entry.args.length) {
+      var parts = [];
+      for (var j = 0; j < entry.args.length; j += 1) {
+        parts.push(backend.emitExpr(entry.args[j]));
+      }
+      argsJS = ', ' + parts.join(', ');
+    }
+    expr = '_filters["' + entry.name + '"](' + expr + argsJS + ')';
+  }
+
+  return ir.legacyJS('_output += ' + expr + ';\n');
+};

package/lib/tags/block.js

@@ -0,0 +1,93 @@
+/*!
+ * Phase 3 Session 9 — Twig `{% block %}` tag.
+ *
+ * Named override point for template inheritance:
+ *
+ *   {% block <name> %}…{% endblock %}
+ *
+ * The block name must be a bare identifier (dotted paths rejected) and
+ * passes the CVE-2023-25345 `_dangerousProps` guard. The parser
+ * captures the block in `template.blocks[name]` when it appears at the
+ * top level (see `packages/swig-twig/lib/parser.js` — the block-keying
+ * branch is triggered by `token.block && !stack.length`).
+ *
+ * Compile emits an `IRBlock` node with the body wrapped in IRLegacyJS.
+ * The backend's `Block` branch emits the body verbatim — block-override
+ * resolution happens at parse time via `engine.remapBlocks` /
+ * `importNonBlocks`, which substitutes the child's block content into
+ * the parent's token tree before backend emission.
+ *
+ * Native hardening gap flagged: `lib/tags/block.js` uses
+ * `parser.on('*')` and does NOT guard the block name against
+ * `_dangerousProps`. A `{% block __proto__ %}` in native Swig would
+ * key the blocks map by that name; the override path does not currently
+ * reach the prototype chain but the cross-layer invariant is to guard
+ * anyway. See .claude/architecture/multi-flavor-ir.md § Phase 3 —
+ * Session 9 native hardening follow-up.
+ */
+
+var ir = require('@rhinostone/swig-core/lib/ir');
+var utils = require('@rhinostone/swig-core/lib/utils');
+var _dangerousProps = require('@rhinostone/swig-core/lib/security').dangerousProps;
+
+var lexer = require('../lexer');
+var _t = require('../tokentypes');
+
+exports.ends = true;
+exports.block = true;
+
+/**
+ * Parse the `{% block %}` tag body. Extracts the bare-identifier name,
+ * validates it against `_dangerousProps` and the dotted-path rule, and
+ * stashes it on `token.args` so the parser's top-level block-keying
+ * branch can pick it up via `token.args.join('')`.
+ *
+ * @param  {string} str    Tag body.
+ * @param  {number} line   Source line of the opening `{%`.
+ * @param  {object} parser The Twig parser module (unused here — block
+ *                         names are plain identifiers).
+ * @param  {object} types  Twig lexer token-type enum.
+ * @param  {Array}  stack  Open-tag stack (parser.js manages the push).
+ * @param  {object} opts   Per-call options (honors `opts.filename`).
+ * @param  {object} swig   Swig instance (unused).
+ * @param  {object} token  In-progress TagToken. `token.args` gets the
+ *                         block name as its single element.
+ * @return {boolean}       Always `true` on success. Throws otherwise.
+ */
+exports.parse = function (str, line, parser, types, stack, opts, swig, token) {
+  var tokens = lexer.read(utils.strip(str));
+  var pos = 0;
+
+  while (pos < tokens.length && tokens[pos].type === types.WHITESPACE) { pos += 1; }
+  var nameTok = pos < tokens.length ? tokens[pos] : null;
+  if (!nameTok || nameTok.type !== types.VAR) {
+    utils.throwError('Expected block name in "block" tag', line, opts.filename);
+  }
+  if (nameTok.match.indexOf('.') !== -1) {
+    utils.throwError('Block name "' + nameTok.match + '" must be a bare identifier', line, opts.filename);
+  }
+  if (_dangerousProps.indexOf(nameTok.match) !== -1) {
+    utils.throwError('Unsafe block name "' + nameTok.match + '" is not allowed (CVE-2023-25345)', line, opts.filename);
+  }
+
+  pos += 1;
+  while (pos < tokens.length && tokens[pos].type === types.WHITESPACE) { pos += 1; }
+  if (pos < tokens.length) {
+    utils.throwError('Unexpected token "' + tokens[pos].match + '" after block name', line, opts.filename);
+  }
+
+  token.args = [nameTok.match];
+  return true;
+};
+
+/**
+ * Emit an IRBlock node. Body is the recursively-compiled content
+ * wrapped in IRLegacyJS. Mirrors the native `lib/tags/block.js` compile
+ * shape so the backend's `Block` branch treats both frontends the same.
+ *
+ * @return {object} IRBlock node.
+ */
+exports.compile = function (compiler, args, content, parents, options) {
+  var name = args.join('');
+  return ir.block(name, [ir.legacyJS(compiler(content, parents, options, name))]);
+};

package/lib/tags/extends.js

@@ -0,0 +1,87 @@
+/*!
+ * Phase 3 Session 9 — Twig `{% extends %}` tag.
+ *
+ * Declares a parent template for inheritance:
+ *
+ *   {% extends "layout.twig" %}
+ *
+ * Twig supports both static string paths (handled here) and dynamic
+ * expressions (`{% extends some_var %}`, `{% extends a ? b : c %}`). This
+ * session rejects dynamic extends at parse time — the engine's parent-
+ * chain resolution (`engine.getParents` + `remapBlocks` +
+ * `importNonBlocks`) walks the chain statically at compile time, so a
+ * runtime-valued parent cannot be resolved without reworking the engine.
+ * Dynamic extends is tracked for a later session; the rejection is
+ * deliberate, not an oversight.
+ *
+ * The parser's splitter reads `token.args[0]` and stashes it on
+ * `template.parent` (see `packages/swig-twig/lib/parser.js` line 609).
+ * This tag must therefore push the *unquoted* path as the single
+ * `token.args` element.
+ *
+ * Compile emits nothing — `extends.compile` returns undefined. The
+ * backend's emit loop skips undefined returns. Extends is a parse-time
+ * declaration carried via `template.parent` metadata; no runtime code
+ * is generated for the `{% extends %}` tag itself.
+ */
+
+var utils = require('@rhinostone/swig-core/lib/utils');
+
+var lexer = require('../lexer');
+var _t = require('../tokentypes');
+
+exports.ends = false;
+exports.block = true;
+
+/**
+ * Parse the `{% extends %}` tag body. Extracts the STRING literal path,
+ * strips surrounding quotes, and stashes the result as `token.args[0]`
+ * for the parser's splitter to pick up.
+ *
+ * Rejects anything other than a single STRING token — dynamic extends
+ * (VAR, FUNCTION, expressions) is not supported in this session.
+ *
+ * @param  {string} str    Tag body.
+ * @param  {number} line   Source line of the opening `{%`.
+ * @param  {object} parser The Twig parser module (unused — path is a
+ *                         bare string literal).
+ * @param  {object} types  Twig lexer token-type enum.
+ * @param  {Array}  stack  Open-tag stack (unused — extends has no body).
+ * @param  {object} opts   Per-call options (honors `opts.filename`).
+ * @param  {object} swig   Swig instance (unused).
+ * @param  {object} token  In-progress TagToken. `token.args` gets the
+ *                         unquoted parent path as its single element.
+ * @return {boolean}       Always `true` on success. Throws otherwise.
+ */
+exports.parse = function (str, line, parser, types, stack, opts, swig, token) {
+  var tokens = lexer.read(utils.strip(str));
+  var pos = 0;
+
+  while (pos < tokens.length && tokens[pos].type === types.WHITESPACE) { pos += 1; }
+  var pathTok = pos < tokens.length ? tokens[pos] : null;
+  if (!pathTok) {
+    utils.throwError('Expected parent template path in "extends" tag', line, opts.filename);
+  }
+  if (pathTok.type !== types.STRING) {
+    utils.throwError('Dynamic "extends" is not supported — parent path must be a string literal', line, opts.filename);
+  }
+
+  pos += 1;
+  while (pos < tokens.length && tokens[pos].type === types.WHITESPACE) { pos += 1; }
+  if (pos < tokens.length) {
+    utils.throwError('Unexpected token "' + tokens[pos].match + '" after parent path in "extends" tag', line, opts.filename);
+  }
+
+  token.args = [pathTok.match.replace(/^['"]|['"]$/g, '')];
+  return true;
+};
+
+/**
+ * No-op compile. Extends is a parse-time declaration — the parent path
+ * lives on `template.parent` (set by the parser's splitter), which the
+ * engine's `getParents` reads during compile. The `{% extends %}` tag
+ * itself emits no runtime code.
+ *
+ * @return {undefined}
+ */
+exports.compile = function () {};

package/lib/tags/for.js

@@ -0,0 +1,134 @@
+/*!
+ * Phase 3 Session 8 — Twig `{% for %}` tag.
+ *
+ * Twig iteration:
+ *   {% for <val> in <iterable> %}…{% endfor %}
+ *   {% for <key>, <val> in <iterable> %}…{% endfor %}
+ *
+ * Loop variable names must be bare identifiers — dotted paths
+ * (`foo.bar`) are rejected at parse time (not valid Twig loop-var
+ * syntax; and accepting them would let malformed templates silently
+ * through). The CVE-2023-25345 `_dangerousProps` guard runs on every
+ * bound name (key and val).
+ *
+ * The iterable is lowered through `parser.parseExpr`, so filter chains
+ * (`list|sort`), BinaryOps (`a + b`), function calls, and ternaries
+ * route through the same path as any other Twig expression — no
+ * tag-local bail conditions. The resulting IRExpr is attached to
+ * `token.irExpr`.
+ *
+ * The backend's `For` branch (packages/swig-core/lib/backend.js:187)
+ * owns the full IIFE scaffolding: `_utils.each`, `_ctx.loop.*`
+ * bookkeeping (first/last/index/index0/revindex/revindex0/length/key),
+ * and the `Math.random()`-based loopcache identifier that keeps nested
+ * loops from clobbering each other's `_ctx.loop` state (gh-433). The
+ * tag ships only semantic IR — (val, key, iterable, body).
+ */
+
+var ir = require('@rhinostone/swig-core/lib/ir');
+var utils = require('@rhinostone/swig-core/lib/utils');
+var _dangerousProps = require('@rhinostone/swig-core/lib/security').dangerousProps;
+
+var lexer = require('../lexer');
+var _t = require('../tokentypes');
+
+exports.ends = true;
+exports.block = false;
+
+/**
+ * Parse the `{% for %}` tag body. Extracts the binding names (val or
+ * key+val), validates them against `_dangerousProps` and the bare-
+ * identifier rule, then lowers the iterable expression through
+ * `parser.parseExpr`. Names are stashed on `token.args` (`[val]` or
+ * `[key, val]`); the iterable IR is stashed on `token.irExpr`.
+ *
+ * @param  {string} str    Tag body.
+ * @param  {number} line   Source line of the opening `{%`.
+ * @param  {object} parser The Twig parser module (exposes `parseExpr`).
+ * @param  {object} types  Twig lexer token-type enum.
+ * @param  {Array}  stack  Open-tag stack (parser.js manages the push
+ *                         after parse returns).
+ * @param  {object} opts   Per-call options (honors `opts.filename`).
+ * @param  {object} swig   Swig instance (unused).
+ * @param  {object} token  In-progress TagToken.
+ * @return {boolean}       Always `true` on success. Throws otherwise.
+ */
+exports.parse = function (str, line, parser, types, stack, opts, swig, token) {
+  var tokens = lexer.read(utils.strip(str));
+  var pos = 0;
+
+  function peek() {
+    while (pos < tokens.length && tokens[pos].type === types.WHITESPACE) { pos += 1; }
+    return pos < tokens.length ? tokens[pos] : null;
+  }
+  function consume() {
+    var t = peek();
+    if (t) { pos += 1; }
+    return t;
+  }
+
+  function takeName() {
+    var tok = consume();
+    if (!tok || tok.type !== types.VAR) {
+      utils.throwError('Expected loop variable in "for" tag', line, opts.filename);
+    }
+    if (tok.match.indexOf('.') !== -1) {
+      utils.throwError('Loop variable "' + tok.match + '" must be a bare identifier in "for" tag', line, opts.filename);
+    }
+    if (_dangerousProps.indexOf(tok.match) !== -1) {
+      utils.throwError('Unsafe loop variable "' + tok.match + '" is not allowed (CVE-2023-25345)', line, opts.filename);
+    }
+    return tok.match;
+  }
+
+  var first = takeName();
+  var val = first;
+  var key;
+
+  if (peek() && peek().type === types.COMMA) {
+    consume();
+    key = first;
+    val = takeName();
+  }
+
+  // NB: the Twig lexer's COMPARATOR rule is `^(=== | ... | in\s)` — the
+  // trailing `\s` is required, so `{% for x in %}` (nothing after `in`)
+  // lexes `in` as a VAR instead of a COMPARATOR. Match on the literal
+  // string so the user-facing error stays "Expected iterable" for that
+  // shape rather than "Expected in".
+  var inTok = consume();
+  if (!inTok || inTok.match !== 'in' || (inTok.type !== types.COMPARATOR && inTok.type !== types.VAR)) {
+    utils.throwError('Expected "in" in "for" tag', line, opts.filename);
+  }
+
+  while (pos < tokens.length && tokens[pos].type === types.WHITESPACE) { pos += 1; }
+
+  var iterableTokens = tokens.slice(pos);
+  if (!iterableTokens.length) {
+    utils.throwError('Expected iterable after "in" in "for" tag', line, opts.filename);
+  }
+
+  token.args = key !== undefined ? [key, val] : [val];
+  token.irExpr = parser.parseExpr(iterableTokens);
+  return true;
+};
+
+/**
+ * Emit an IRFor node. The backend's `For` branch owns the loopcache +
+ * `_utils.each` scaffolding — this returns only (val, iterable, body,
+ * key). Body is the recursively-compiled content wrapped in IRLegacyJS.
+ *
+ * @return {object} IRFor node.
+ */
+exports.compile = function (compiler, args, content, parents, options, blockName, token) {
+  var val, key;
+  if (args.length === 2) {
+    key = args[0];
+    val = args[1];
+  } else {
+    val = args[0];
+    key = '__k';
+  }
+  var bodyJS = compiler(content, parents, options, blockName);
+  return ir.forStmt(val, token.irExpr, [ir.legacyJS(bodyJS)], key);
+};