npm - @vituum/vite-plugin-latte - Versions diffs - 0.1.8 - Mend

@vituum/vite-plugin-latte 0.1.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (201) hide show

package/vendor/latte/latte/src/Latte/Sandbox/RuntimeChecker.php ADDED Viewed

@@ -0,0 +1,116 @@
+<?php
+/**
+ * This file is part of the Latte (https://latte.nette.org)
+ * Copyright (c) 2008 David Grudl (https://davidgrudl.com)
+ */
+declare(strict_types=1);
+namespace Latte\Sandbox;
+use Latte;
+/** @internal */
+final class RuntimeChecker
+{
+	use Latte\Strict;
+	public function __construct(
+		public Latte\Policy $policy,
+	) {
+	}
+	public function call(mixed $callable, array $args): mixed
+	{
+		self::checkCallable($callable);
+		self::args(...$args);
+		return $callable(...$args);
+	}
+	public function callMethod(mixed $object, mixed $method, array $args, bool $nullsafe = false): mixed
+	{
+		if ($object === null) {
+			if ($nullsafe) {
+				throw new \Error("Call to a member function $method() on null");
+			}
+			return null;
+		} elseif (!is_object($object) || !is_string($method)) {
+			throw new Latte\SecurityViolationException('Invalid callable.');
+		} elseif (!$this->policy->isMethodAllowed($class = $object::class, $method)) {
+			throw new Latte\SecurityViolationException("Calling $class::$method() is not allowed.");
+		}
+		self::args(...$args);
+		return [$object, $method](...$args);
+	}
+	public function closure(mixed $callable): \Closure
+	{
+		self::checkCallable($callable);
+		return \Closure::fromCallable($callable);
+	}
+	public function args(...$args): array
+	{
+		foreach ($args as $arg) {
+			if (
+				is_array($arg)
+				&& is_callable($arg, true, $text)
+				&& !$this->policy->isMethodAllowed(is_object($arg[0]) ? $arg[0]::class : $arg[0], $arg[1])
+			) {
+				throw new Latte\SecurityViolationException("Calling $text() is not allowed.");
+			}
+		}
+		return $args;
+	}
+	public function prop(mixed $object, mixed $property): mixed
+	{
+		$class = is_object($object) ? $object::class : $object;
+		if (is_string($class) && !$this->policy->isPropertyAllowed($class, (string) $property)) {
+			throw new Latte\SecurityViolationException("Access to '$property' property on a $class object is not allowed.");
+		}
+		return $object;
+	}
+	private function checkCallable(mixed $callable): void
+	{
+		if (!is_callable($callable)) {
+			throw new Latte\SecurityViolationException('Invalid callable.');
+		} elseif (is_string($callable)) {
+			$parts = explode('::', $callable);
+			$allowed = count($parts) === 1
+				? $this->policy->isFunctionAllowed($parts[0])
+				: $this->policy->isMethodAllowed(...$parts);
+		} elseif (is_array($callable)) {
+			$allowed = $this->policy->isMethodAllowed(is_object($callable[0]) ? $callable[0]::class : $callable[0], $callable[1]);
+		} elseif (is_object($callable)) {
+			$allowed = $callable instanceof \Closure
+				? true
+				: $this->policy->isMethodAllowed($callable::class, '__invoke');
+		} else {
+			$allowed = false;
+		}
+		if (!$allowed) {
+			is_callable($callable, false, $text);
+			throw new Latte\SecurityViolationException("Calling $text() is not allowed.");
+		}
+	}
+}

package/vendor/latte/latte/src/Latte/Sandbox/SandboxExtension.php ADDED Viewed

@@ -0,0 +1,132 @@
+<?php
+/**
+ * This file is part of the Latte (https://latte.nette.org)
+ * Copyright (c) 2008 David Grudl (https://davidgrudl.com)
+ */
+declare(strict_types=1);
+namespace Latte\Sandbox;
+use Latte;
+use Latte\Compiler\ExpressionBuilder;
+use Latte\Compiler\Node;
+use Latte\Compiler\Nodes\Php;
+use Latte\Compiler\Nodes\Php\Expression;
+use Latte\Compiler\Nodes\TemplateNode;
+use Latte\Compiler\NodeTraverser;
+use Latte\Engine;
+use Latte\SecurityViolationException;
+/**
+ * Security protection for the sandbox.
+ */
+final class SandboxExtension extends Latte\Extension
+{
+	use Latte\Strict;
+	private ?Latte\Policy $policy;
+	public function beforeCompile(Engine $engine): void
+	{
+		$this->policy = $engine->getPolicy(effective: true);
+	}
+	public function getTags(): array
+	{
+		return [
+			'sandbox' => [Nodes\SandboxNode::class, 'create'],
+		];
+	}
+	public function getPasses(): array
+	{
+		return $this->policy
+			? ['sandbox' => self::order([$this, 'processPass'], before: '*')]
+			: [];
+	}
+	public function beforeRender(Engine $engine): void
+	{
+		if ($policy = $engine->getPolicy()) {
+			$engine->addProvider('sandbox', new RuntimeChecker($policy));
+		}
+	}
+	public function getCacheKey(Engine $engine): mixed
+	{
+		return (bool) $engine->getPolicy(effective: true);
+	}
+	public function processPass(TemplateNode $node): void
+	{
+		(new NodeTraverser)->traverse($node, leave: \Closure::fromCallable([$this, 'sandboxVisitor']));
+	}
+	private function sandboxVisitor(Node $node): Node
+	{
+		if ($node instanceof Expression\VariableNode) {
+			if ($node->name === 'this') {
+				throw new SecurityViolationException("Forbidden variable \${$node->name}.", $node->position);
+			} elseif (!is_string($node->name)) {
+				throw new SecurityViolationException('Forbidden variable variables.', $node->position);
+			}
+			return $node;
+		} elseif ($node instanceof Expression\NewNode) {
+			throw new SecurityViolationException("Forbidden keyword 'new'", $node->position);
+		} elseif ($node instanceof Expression\FunctionCallNode
+			&& $node->name instanceof Php\NameNode
+		) {
+			if (!$this->policy->isFunctionAllowed((string) $node->name)) {
+				throw new SecurityViolationException("Function $node->name() is not allowed.", $node->position);
+			} elseif ($node->args) {
+				$arg = ExpressionBuilder::variable('$this')->property('global')->property('sandbox')->method('args', $node->args)
+					->build();
+				$node->args = [new Php\ArgumentNode($arg, unpack: true)];
+			}
+			return $node;
+		} elseif ($node instanceof Php\FilterNode) {
+			$name = (string) $node->name;
+			if (!$this->policy->isFilterAllowed($name)) {
+				throw new SecurityViolationException("Filter |$name is not allowed.", $node->position);
+			} elseif ($node->args) {
+				$arg = ExpressionBuilder::variable('$this')->property('global')->property('sandbox')->method('args', $node->args)
+					->build();
+				$node->args = [new Php\ArgumentNode($arg, unpack: true)];
+			}
+			return $node;
+		} elseif ($node instanceof Expression\PropertyFetchNode
+			|| $node instanceof Expression\StaticPropertyFetchNode
+			|| $node instanceof Expression\FunctionCallNode
+			|| $node instanceof Expression\FunctionCallableNode
+			|| $node instanceof Expression\MethodCallNode
+			|| $node instanceof Expression\MethodCallableNode
+			|| $node instanceof Expression\StaticCallNode
+			|| $node instanceof Expression\StaticCallableNode
+		) {
+			$class = namespace\Nodes::class . strrchr($node::class, '\\');
+			return new $class($node);
+		} else {
+			return $node;
+		}
+	}
+}

package/vendor/latte/latte/src/Latte/Sandbox/SecurityPolicy.php ADDED Viewed

@@ -0,0 +1,185 @@
+<?php
+/**
+ * This file is part of the Latte (https://latte.nette.org)
+ * Copyright (c) 2008 David Grudl (https://davidgrudl.com)
+ */
+declare(strict_types=1);
+namespace Latte\Sandbox;
+use Latte;
+/**
+ * Default-deny policy.
+ */
+class SecurityPolicy implements Latte\Policy
+{
+	use Latte\Strict;
+	public const All = ['*'];
+	public const ALL = self::All;
+	/** @var string[] */
+	private array $tags = [];
+	/** @var string[] */
+	private array $filters = [];
+	/** @var string[] */
+	private array $functions = [];
+	/** @var string[][] */
+	private array $methods = [];
+	/** @var string[][] */
+	private array $properties = [];
+	/** @var array<string, array<string, bool>> */
+	private array $methodCache = [];
+	/** @var array<string, array<string, bool>> */
+	private array $propertyCache = [];
+	public static function createSafePolicy(): self
+	{
+		$policy = new self;
+		// does not include: contentType, debugbreak, dump, extends, import, include, layout,
+		// php (but 'do' is allowed), sandbox, snippet, snippetArea, templatePrint, varPrint, embed
+		$policy->allowTags([
+			'_', '=', 'attr', 'block', 'breakIf', 'capture', 'case', 'class', 'continueIf', 'default',
+			'define', 'do', 'else', 'elseif', 'elseifset', 'first', 'for', 'foreach', 'if', 'ifchanged',
+			'ifcontent', 'iterateWhile', 'ifset', 'l', 'last', 'r', 'rollback', 'sep', 'skipIf', 'spaceless',
+			'switch', 'templateType', 'translate', 'try', 'var', 'varType', 'while',
+		]);
+		// does not include: dataStream, noEscape, noCheck
+		$policy->allowFilters([
+			'batch', 'breaklines', 'breakLines', 'bytes', 'capitalize', 'ceil', 'clamp', 'date', 'escapeCss', 'escapeHtml',
+			'escapeHtmlComment', 'escapeICal', 'escapeJs', 'escapeUrl', 'escapeXml', 'explode', 'first',
+			'firstUpper', 'floor', 'checkUrl', 'implode', 'indent', 'join', 'last', 'length', 'lower',
+			'number', 'padLeft', 'padRight', 'query', 'random', 'repeat', 'replace', 'replaceRe', 'reverse',
+			'round', 'slice', 'sort', 'spaceless', 'split', 'strip', 'striphtml', 'stripHtml', 'striptags', 'stripTags', 'substr',
+			'trim', 'truncate', 'upper', 'webalize',
+		]);
+		$policy->allowFunctions(['clamp', 'divisibleBy', 'even', 'first', 'last', 'odd', 'slice']);
+		$policy->allowMethods(Latte\Essential\CachingIterator::class, self::All);
+		$policy->allowProperties(Latte\Essential\CachingIterator::class, self::All);
+		return $policy;
+	}
+	/**
+	 * @param  string[]  $tags
+	 */
+	public function allowTags(array $tags): self
+	{
+		$this->tags += array_flip(array_map('strtolower', $tags));
+		return $this;
+	}
+	/**
+	 * @param  string[]  $filters
+	 */
+	public function allowFilters(array $filters): self
+	{
+		$this->filters += array_flip(array_map('strtolower', $filters));
+		return $this;
+	}
+	/**
+	 * @param  string[]  $functions
+	 */
+	public function allowFunctions(array $functions): self
+	{
+		$this->functions += array_flip(array_map('strtolower', $functions));
+		return $this;
+	}
+	/**
+	 * @param  string[]  $methods
+	 */
+	public function allowMethods(string $class, array $methods): self
+	{
+		$this->methodCache = [];
+		$this->methods[$class] = array_flip(array_map('strtolower', $methods));
+		return $this;
+	}
+	/**
+	 * @param  string[]  $properties
+	 */
+	public function allowProperties(string $class, array $properties): self
+	{
+		$this->propertyCache = [];
+		$this->properties[$class] = array_flip(array_map('strtolower', $properties));
+		return $this;
+	}
+	public function isTagAllowed(string $tag): bool
+	{
+		return isset($this->tags[strtolower($tag)]) || isset($this->tags['*']);
+	}
+	public function isFilterAllowed(string $filter): bool
+	{
+		return isset($this->filters[strtolower($filter)]) || isset($this->filters['*']);
+	}
+	public function isFunctionAllowed(string $function): bool
+	{
+		return isset($this->functions[strtolower($function)]) || isset($this->functions['*']);
+	}
+	public function isMethodAllowed(string $class, string $method): bool
+	{
+		$method = strtolower($method);
+		/** @var bool|null $res */
+		$res = &$this->methodCache[$class][$method];
+		if (isset($res)) {
+			return $res;
+		}
+		foreach ($this->methods as $c => $methods) {
+			if (is_a($class, $c, true) && (isset($methods[$method]) || isset($methods['*']))) {
+				return $res = true;
+			}
+		}
+		return $res = false;
+	}
+	public function isPropertyAllowed(string $class, string $property): bool
+	{
+		$property = strtolower($property);
+		/** @var bool|null $res */
+		$res = &$this->propertyCache[$class][$property];
+		if (isset($res)) {
+			return $res;
+		}
+		foreach ($this->properties as $c => $properties) {
+			if (is_a($class, $c, true) && (isset($properties[$property]) || isset($properties['*']))) {
+				return $res = true;
+			}
+		}
+		return $res = false;
+	}
+}

package/vendor/latte/latte/src/Latte/Strict.php ADDED Viewed

@@ -0,0 +1,101 @@
+<?php
+/**
+ * This file is part of the Latte (https://latte.nette.org)
+ * Copyright (c) 2008 David Grudl (https://davidgrudl.com)
+ */
+declare(strict_types=1);
+namespace Latte;
+use LogicException;
+/**
+ * Better OOP experience.
+ */
+trait Strict
+{
+	/**
+	 * Call to undefined method.
+	 * @param  mixed[]  $args
+	 * @throws LogicException
+	 */
+	public function __call(string $name, array $args): mixed
+	{
+		$class = method_exists($this, $name) ? 'parent' : static::class;
+		$items = (new \ReflectionClass($this))->getMethods(\ReflectionMethod::IS_PUBLIC);
+		$items = array_map(fn($item) => $item->getName(), $items);
+		$hint = ($t = Helpers::getSuggestion($items, $name))
+			? ", did you mean $t()?"
+			: '.';
+		throw new LogicException("Call to undefined method $class::$name()$hint");
+	}
+	/**
+	 * Call to undefined static method.
+	 * @param  mixed[]  $args
+	 * @throws LogicException
+	 */
+	public static function __callStatic(string $name, array $args): mixed
+	{
+		$rc = new \ReflectionClass(static::class);
+		$items = array_filter($rc->getMethods(\ReflectionMethod::IS_STATIC), fn($m) => $m->isPublic());
+		$items = array_map(fn($item) => $item->getName(), $items);
+		$hint = ($t = Helpers::getSuggestion($items, $name))
+			? ", did you mean $t()?"
+			: '.';
+		throw new LogicException("Call to undefined static method $rc->name::$name()$hint");
+	}
+	/**
+	 * Access to undeclared property.
+	 * @throws LogicException
+	 */
+	public function &__get(string $name): mixed
+	{
+		$rc = new \ReflectionClass($this);
+		$items = array_filter($rc->getProperties(\ReflectionProperty::IS_PUBLIC), fn($p) => !$p->isStatic());
+		$items = array_map(fn($item) => $item->getName(), $items);
+		$hint = ($t = Helpers::getSuggestion($items, $name))
+			? ", did you mean $$t?"
+			: '.';
+		throw new LogicException("Attempt to read undeclared property $rc->name::$$name$hint");
+	}
+	/**
+	 * Access to undeclared property.
+	 * @throws LogicException
+	 */
+	public function __set(string $name, mixed $value): void
+	{
+		$rc = new \ReflectionClass($this);
+		$items = array_filter($rc->getProperties(\ReflectionProperty::IS_PUBLIC), fn($p) => !$p->isStatic());
+		$items = array_map(fn($item) => $item->getName(), $items);
+		$hint = ($t = Helpers::getSuggestion($items, $name))
+			? ", did you mean $$t?"
+			: '.';
+		throw new LogicException("Attempt to write to undeclared property $rc->name::$$name$hint");
+	}
+	public function __isset(string $name): bool
+	{
+		return false;
+	}
+	/**
+	 * Access to undeclared property.
+	 * @throws LogicException
+	 */
+	public function __unset(string $name): void
+	{
+		$class = static::class;
+		throw new LogicException("Attempt to unset undeclared property $class::$$name.");
+	}
+}

package/vendor/latte/latte/src/Latte/attributes.php ADDED Viewed

@@ -0,0 +1,24 @@
+<?php
+/**
+ * This file is part of the Latte (https://latte.nette.org)
+ * Copyright (c) 2008 David Grudl (https://davidgrudl.com)
+ */
+declare(strict_types=1);
+namespace Latte\Attributes;
+use Attribute;
+#[Attribute(Attribute::TARGET_METHOD)]
+class TemplateFunction
+{
+}
+#[Attribute(Attribute::TARGET_METHOD)]
+class TemplateFilter
+{
+}

package/vendor/latte/latte/src/Latte/exceptions.php ADDED Viewed

@@ -0,0 +1,69 @@
+<?php
+/**
+ * This file is part of the Latte (https://latte.nette.org)
+ * Copyright (c) 2008 David Grudl (https://davidgrudl.com)
+ */
+declare(strict_types=1);
+namespace Latte;
+interface Exception
+{
+}
+/**
+ * The exception occurred during Latte compilation.
+ */
+class CompileException extends \Exception implements Exception
+{
+	use PositionAwareException;
+	/** @deprecated */
+	public ?int $sourceLine;
+	public function __construct(string $message, ?Compiler\Position $position = null, ?\Throwable $previous = null)
+	{
+		parent::__construct($message, 0, $previous);
+		$this->position = $position;
+		$this->sourceLine = $position?->line;
+		$this->generateMessage();
+	}
+}
+/**
+ * The exception that indicates error of the last Regexp execution.
+ */
+class RegexpException extends \Exception implements Exception
+{
+	public function __construct()
+	{
+		parent::__construct(preg_last_error_msg(), preg_last_error());
+	}
+}
+/**
+ * Exception thrown when a not allowed construction is used in a template.
+ */
+class SecurityViolationException extends \Exception implements Exception
+{
+	use PositionAwareException;
+	public function __construct(string $message, ?Compiler\Position $position = null)
+	{
+		parent::__construct($message);
+		$this->position = $position;
+		$this->generateMessage();
+	}
+}
+class RuntimeException extends \RuntimeException implements Exception
+{
+}