Skip to content

Commit

Permalink
fix: parser throws on non-string input, #726
Browse files Browse the repository at this point in the history
  • Loading branch information
@harttle
harttle committed Jul 25, 2024
1 parent fce2899 commit 21a8223
Show file tree
Hide file tree
Showing 2 changed files with 53 additions and 48 deletions.
1 change: 1 addition & 0 deletions src/parser/parser.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@ export class Parser {
this.parseLimit = new Limiter('parse length', liquid.options.parseLimit)
}
public parse (html: string, filepath?: string): Template[] {
html = String(html)
this.parseLimit.use(html.length)
const tokenizer = new Tokenizer(html, this.liquid.options.operators, filepath)
const tokens = tokenizer.readTopLevelTokens(this.liquid.options)
Expand Down
100 changes: 52 additions & 48 deletions test/e2e/issues.spec.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,25 +2,25 @@ import { TopLevelToken, TagToken, Tokenizer, Context, Liquid, Drop, toValueSync
const LiquidUMD = require('../../dist/liquid.browser.umd.js').Liquid

describe('Issues', function () {
it('#221 unicode blanks are not properly treated', async () => {
it('unicode blanks are not properly treated #221', async () => {
const engine = new Liquid({ strictVariables: true, strictFilters: true })
const html = engine.parseAndRenderSync('{{huh | truncate: 11}}', { huh: 'fdsafdsafdsafdsaaaaa' })
expect(html).toBe('fdsafdsa...')
})
it('#252 "Not valid identifier" error for a quotes-containing identifier', async () => {
it('"Not valid identifier" error for a quotes-containing identifier #252', async () => {
const template = `{% capture "form_classes" -%}
foo
{%- endcapture %}{{form_classes}}`
const engine = new Liquid()
const html = await engine.parseAndRender(template)
expect(html).toBe('foo')
})
it('#259 complex property access with braces is not supported', async () => {
it('complex property access with braces is not supported #259', async () => {
const engine = new Liquid()
const html = engine.parseAndRenderSync('{{ ["complex key"] }}', { 'complex key': 'foo' })
expect(html).toBe('foo')
})
it('#243 Potential for ReDoS through string replace function', async () => {
it('Potential for ReDoS through string replace function #243', async () => {
const engine = new Liquid()
const INPUT = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!'
const BROKEN_REGEX = /([a-z]+)+$/
Expand All @@ -33,13 +33,13 @@ describe('Issues', function () {
// should stringify the regexp rather than execute it
expect(html).toBe(INPUT)
})
it('#263 raw/endraw block not ignoring {% characters', () => {
it('raw/endraw block not ignoring {% characters #263', () => {
const template = `{% raw %}This is a code snippet showing how {% breaks the raw block.{% endraw %}`
const engine = new Liquid()
const html = engine.parseAndRenderSync(template)
expect(html).toBe('This is a code snippet showing how {% breaks the raw block.')
})
it('#268 elsif is not supported for unless', () => {
it('elsif is not supported for unless #268', () => {
const template = `{%- unless condition1 -%}
<div>X</div>
{%- elsif condition2 -%}
Expand All @@ -51,7 +51,7 @@ describe('Issues', function () {
const html = engine.parseAndRenderSync(template, { condition1: true, condition2: true })
expect(html).toBe('<div>Y</div>')
})
it('#277 Passing liquid in FilterImpl', () => {
it('Passing liquid in FilterImpl #277', () => {
const engine = new Liquid()
engine.registerFilter('render', function (this: any, template: string, name: string) {
return this.liquid.parseAndRenderSync(decodeURIComponent(template), { name })
Expand All @@ -62,55 +62,55 @@ describe('Issues', function () {
)
expect(html).toBe('hello foo')
})
it('#288 Unexpected behavior when string literals contain }}', async () => {
it('Unexpected behavior when string literals contain }} #288', async () => {
const engine = new Liquid()
const html = await engine.parseAndRender(`{{ '{{' }}{{ '}}' }}`)
expect(html).toBe('{{}}')
})
it('#222 Support function calls', async () => {
it('Support function calls #222', async () => {
const engine = new Liquid()
const html = await engine.parseAndRender(
`{{ obj.property }}`,
{ obj: { property: () => 'BAR' } }
)
expect(html).toBe('BAR')
})
it('#313 lenientIf not working as expected in umd', async () => {
it('lenientIf not working as expected in umd #313', async () => {
const engine = new LiquidUMD({
strictVariables: true,
lenientIf: true
})
const html = await engine.parseAndRender(`{{ name | default: "default name" }}`)
expect(html).toBe('default name')
})
it('#321 comparison for empty/nil', async () => {
it('comparison for empty/nil #321', async () => {
const engine = new Liquid()
const html = await engine.parseAndRender(
'{% if empty == nil %}true{%else%}false{%endif%}' +
'{% if nil == empty %}true{%else%}false{%endif%}'
)
expect(html).toBe('falsefalse')
})
it('#320 newline_to_br filter should output <br /> instead of <br/>', async () => {
it('newline_to_br filter should output <br /> instead of <br/> #320', async () => {
const engine = new Liquid()
const html = await engine.parseAndRender(
`{{ 'a \n b \n c' | newline_to_br | split: '<br />' }}`
)
expect(html).toBe('a \n b \n c')
})
it('#342 New lines in logical operator', async () => {
it('New lines in logical operator #342', async () => {
const engine = new Liquid()
const tpl = `{%\r\nif\r\ntrue\r\nor\r\nfalse\r\n%}\r\ntrue\r\n{%\r\nendif\r\n%}`
const html = await engine.parseAndRender(tpl)
expect(html).toBe('\r\ntrue\r\n')
})
it('#401 Timezone Offset Issue', async () => {
it('Timezone Offset Issue #401', async () => {
const engine = new Liquid({ timezoneOffset: -600 })
const tpl = engine.parse('{{ date | date: "%Y-%m-%d %H:%M %p %z" }}')
const html = await engine.render(tpl, { date: '2021-10-06T15:31:00+08:00' })
expect(html).toBe('2021-10-06 17:31 PM +1000')
})
it('#412 Pass root as it is to `resolve`', async () => {
it('Pass root as it is to `resolve` #412', async () => {
const engine = new Liquid({
root: '/tmp',
relativeReference: false,
Expand All @@ -126,7 +126,7 @@ describe('Issues', function () {
const html = await engine.renderSync(tpl)
expect(html).toBe('/tmp/foo.liquid')
})
it('#416 Templates imported by {% render %} not cached for concurrent async render', async () => {
it('Templates imported by {% render %} not cached for concurrent async render #416', async () => {
const readFile = jest.fn(() => Promise.resolve('HELLO'))
const exists = jest.fn(() => 'HELLO')
const engine = new Liquid({
Expand All @@ -148,15 +148,15 @@ describe('Issues', function () {
expect(exists).toHaveBeenCalledTimes(1)
expect(readFile).toHaveBeenCalledTimes(1)
})
it('#431 Error when using Date timezoneOffset in 9.28.5', () => {
it('Error when using Date timezoneOffset in 9.28.5 #431', () => {
const engine = new Liquid({
timezoneOffset: 0,
preserveTimezones: true
})
const tpl = engine.parse('Welcome to {{ now | date: "%Y-%m-%d" }}')
return expect(engine.render(tpl, { now: new Date('2019-02-01T00:00:00.000Z') })).resolves.toBe('Welcome to 2019-02-01')
})
it('#433 Support Jekyll-like includes', async () => {
it('Support Jekyll-like includes #433', async () => {
const engine = new Liquid({
dynamicPartials: false,
relativeReference: false,
Expand All @@ -173,7 +173,7 @@ describe('Issues', function () {
const html = await engine.render(tpl, { my_variable: 'foo' })
expect(html).toBe('CONTENT for /tmp/prefix/foo-bar/suffix')
})
it('#428 Implement liquid/echo tags', () => {
it('Implement liquid/echo tags #428', () => {
const template = `{%- liquid
for value in array
assign double_value = value | times: 2
Expand All @@ -190,25 +190,25 @@ describe('Issues', function () {
const html = engine.parseAndRenderSync(template, { array: [1, 2, 3] })
expect(html).toBe('4#8#12#6')
})
it('#454 leaking JS prototype getter functions in evaluation', async () => {
it('leaking JS prototype getter functions in evaluation #454', async () => {
const engine = new Liquid({ ownPropertyOnly: true })
const html = engine.parseAndRenderSync('{{foo | size}}-{{bar.coo}}', { foo: 'foo', bar: Object.create({ coo: 'COO' }) })
expect(html).toBe('3-')
})
it('#465 Liquidjs divided_by not compatible with Ruby/Shopify Liquid', () => {
it('Liquidjs divided_by not compatible with Ruby/Shopify Liquid #465', () => {
const engine = new Liquid({ ownPropertyOnly: true })
const html = engine.parseAndRenderSync('{{ 5 | divided_by: 3, true }}')
expect(html).toBe('1')
})
it('#479 url_encode throws on undefined value', async () => {
it('url_encode throws on undefined value #479', async () => {
const engine = new Liquid({
strictVariables: false
})
const tpl = engine.parse('{{ v | url_encode }}')
const html = await engine.render(tpl, { v: undefined })
expect(html).toBe('')
})
it('#481 filters that should not throw', async () => {
it('filters that should not throw #481', async () => {
const engine = new Liquid()
const tpl = engine.parse(`
{{ foo | join }}
Expand All @@ -223,17 +223,17 @@ describe('Issues', function () {
const html = await engine.render(tpl, { foo: undefined })
expect(html.trim()).toBe('[]')
})
it('#481 concat should always return an array', async () => {
it('concat should always return an array #481', async () => {
const engine = new Liquid()
const html = await engine.parseAndRender(`{{ foo | concat | json }}`)
expect(html).toBe('[]')
})
it('#486 Access array items from the right with negative indexes', async () => {
it('Access array items from the right with negative indexes #486', async () => {
const engine = new Liquid()
const html = await engine.parseAndRender(`{% assign a = "x,y,z" | split: ',' -%}{{ a[-1] }} {{ a[-3] }} {{ a[-8] }}`)
expect(html).toBe('z x ')
})
it('#492 contains operator does not support Drop', async () => {
it('contains operator does not support Drop #492', async () => {
class TemplateDrop extends Drop {
valueOf () { return 'product' }
}
Expand All @@ -242,44 +242,44 @@ describe('Issues', function () {
const html = await engine.parseAndRender(`{% if template contains "product" %}contains{%endif%}`, ctx)
expect(html).toBe('contains')
})
it('#513 should support large number of templates [async]', async () => {
it('should support large number of templates [async] #513', async () => {
const engine = new Liquid()
const html = await engine.parseAndRender(`{% for i in (1..10000) %}{{ i }}{% endfor %}`)
expect(html).toHaveLength(38894)
})
it('#513 should support large number of templates [sync]', () => {
it('should support large number of templates [sync] #513', () => {
const engine = new Liquid()
const html = engine.parseAndRenderSync(`{% for i in (1..10000) %}{{ i }}{% endfor %}`)
expect(html).toHaveLength(38894)
})
it('#519 should throw parse error for invalid assign expression', () => {
it('should throw parse error for invalid assign expression #519', () => {
const engine = new Liquid()
expect(() => engine.parse('{% assign headshot = https://testurl.com/not_enclosed_in_quotes.jpg %}')).toThrow(/expected "|" before filter, line:1, col:27/)
})
it('#527 export Liquid Expression', () => {
it('export Liquid Expression #527', () => {
const tokenizer = new Tokenizer('a > b')
const expression = tokenizer.readExpression()
const result = toValueSync(expression.evaluate(new Context({ a: 1, b: 2 })))
expect(result).toBe(false)
})
it('#527 export Liquid Expression (evalValue)', async () => {
it('export Liquid Expression (evalValue) #527', async () => {
const liquid = new Liquid()
const result = await liquid.evalValue('a > b', { a: 1, b: 2 })
expect(result).toBe(false)
})
it('#527 export Liquid Expression (evalValueSync)', async () => {
it('export Liquid Expression (evalValueSync) #527', async () => {
const liquid = new Liquid()
const result = liquid.evalValueSync('a > b', { a: 1, b: 2 })
expect(result).toBe(false)
})
it('#276 Promise support in expressions', async () => {
it('Promise support in expressions #276', async () => {
const liquid = new Liquid()
const tpl = '{%if name == "alice" %}true{%endif%}'
const ctx = { name: Promise.resolve('alice') }
const html = await liquid.parseAndRender(tpl, ctx)
expect(html).toBe('true')
})
it('#533 Nested Promise support for scope object', async () => {
it('Nested Promise support for scope object #533', async () => {
const liquid = new Liquid()
const context = {
a: 1,
Expand Down Expand Up @@ -325,7 +325,7 @@ describe('Issues', function () {
expect(await liquid.parseAndRender('{{i.i}}', context)).toBe('1')
expect(await liquid.parseAndRender('{{j.j}}', context)).toBe('1')
})
it('#559 Case/When should evaluate multiple When statements', async () => {
it('Case/When should evaluate multiple When statements #559', async () => {
const liquid = new Liquid()
const tpl = `
{% assign tag = 'Love' %}
Expand All @@ -342,7 +342,7 @@ describe('Issues', function () {
const html = await liquid.parseAndRender(tpl)
expect(html).toMatch(/^\s*This is a love or luck potion.\s+This is a strength or health or love potion.\s*$/)
})
it('#570 tag registration compatible to v9', async () => {
it('tag registration compatible to v9 #570', async () => {
const liquid = new Liquid()
liquid.registerTag('metadata_file', {
parse (tagToken: TagToken, remainTokens: TopLevelToken[]) {
Expand All @@ -358,7 +358,7 @@ describe('Issues', function () {
const html = await liquid.parseAndRender(tpl, ctx)
expect(html).toBe('FOO')
})
it('#573 date filter should return parsed input when no format is provided', async () => {
it('date filter should return parsed input when no format is provided #573', async () => {
const liquid = new Liquid()
liquid.registerTag('metadata_file', {
parse (tagToken: TagToken, remainTokens: TopLevelToken[]) {
Expand All @@ -374,7 +374,7 @@ describe('Issues', function () {
// sample: Thursday, February 2, 2023 at 6:25 pm +0000
expect(html).toMatch(/\w+, \w+ \d+, \d\d\d\d at \d+:\d\d [ap]m [-+]\d\d\d\d/)
})
it('#575 Add support for Not operator', async () => {
it('Add support for Not operator #575', async () => {
const liquid = new Liquid()
const tpl = `
{% if link and not button %}
Expand All @@ -386,7 +386,7 @@ describe('Issues', function () {
const html = await liquid.parseAndRender(tpl, ctx)
expect(html.trim()).toBe('<a href="https://example.com">Lot more code here</a>')
})
it('#70 strip multiline content of <style>', async () => {
it('strip multiline content of <style> #70', async () => {
const str = `
<style type="text/css">
.test-one-line {display: none;}
Expand All @@ -396,7 +396,7 @@ describe('Issues', function () {
const html = await engine.parseAndRender(template, { str })
expect(html).toMatch(/^\s*$/)
})
it('#589 Arrays should compare values', async () => {
it('Arrays should compare values #589', async () => {
const engine = new Liquid()
const template = `
{% assign people1 = "alice, bob, carol" | split: ", " -%}
Expand All @@ -406,7 +406,7 @@ describe('Issues', function () {
const html = await engine.parseAndRender(template)
expect(html).toContain('true')
})
it('#604 date filter appears to add DST correction to UTC dates', () => {
it('date filter appears to add DST correction to UTC dates #604', () => {
const engine = new Liquid({
timezoneOffset: 'Etc/GMT'
})
Expand All @@ -426,12 +426,12 @@ describe('Issues', function () {
'2023-01-05T12:00:00+0000'
expect(html).toEqual(expected)
})
it('#610 should throw missing ":" after filter name', () => {
it('should throw missing ":" after filter name #610', () => {
const engine = new Liquid()
const fn = () => engine.parseAndRenderSync("{%- assign module = '' | split '' -%}")
expect(fn).toThrow(/expected ":" after filter name/)
})
it('#628 Single or double quote breaks comments', () => {
it('Single or double quote breaks comments #628', () => {
const template = `{%- liquid
# Show a message that's customized to the product type
Expand All @@ -454,7 +454,7 @@ describe('Issues', function () {
const result = engine.parseAndRenderSync(template, { product })
expect(result).toEqual('This is a love potion!')
})
it('#643 Error When Accessing Subproperty of Bracketed Reference', () => {
it('Error When Accessing Subproperty of Bracketed Reference #643', () => {
const engine = new Liquid()
const tpl = '{{ ["Key String with Spaces"].subpropertyKey }}'
const ctx = {
Expand All @@ -464,20 +464,20 @@ describe('Issues', function () {
}
expect(engine.parseAndRenderSync(tpl, ctx)).toEqual('FOO')
})
it('#655 Error in the tokenization process due to an invalid value expression', () => {
it('Error in the tokenization process due to an invalid value expression #655', () => {
const engine = new Liquid()
const result = engine.parseAndRenderSync('{{ÜLKE}}', { ÜLKE: 'Türkiye' })
expect(result).toEqual('Türkiye')
})
it('#670 Should not render anything after an else branch', () => {
it('Should not render anything after an else branch #670', () => {
const engine = new Liquid()
expect(() => engine.parseAndRenderSync('{% assign value = "this" %}{% if false %}{% else %}{% else %}{% endif %}')).toThrow('duplicated else')
})
it('#672 Should not render an elseif after an else branch', () => {
it('Should not render an elseif after an else branch #672', () => {
const engine = new Liquid()
expect(() => engine.parseAndRenderSync('{% if false %}{% else %}{% elsif true %}{% endif %}')).toThrow('unexpected elsif after else')
})
it('#675 10.10.1 Operator: contains regression', () => {
it('10.10.1 Operator: contains regression #675', () => {
const engine = new Liquid()
class StrictStringForLiquid {
constructor (private value: string) {}
Expand All @@ -491,4 +491,8 @@ describe('Issues', function () {
})
expect(result).toEqual('true')
})
it('parse length limit exceeded on versions >= 10.15.0 #726', () => {
const liquid = new Liquid()
expect(() => liquid.parse({} as any)).not.toThrow()
})
})

0 comments on commit 21a8223

Please sign in to comment.