update to mustach 1.2.7

13 files changed, 78 insertions, 23 deletions

diff --git a/src/templating/AUTHORS b/src/templating/AUTHORS
index b2042848e..fbe9e100c 100644
--- a/src/templating/AUTHORS
+++ b/src/templating/AUTHORS
@@ -27,6 +27,7 @@ Packagers:
 Thanks to issue submitters:
  Dante Torres
  @fabbe
+ Felix von Leitner
  Johann Oskarsson
  Mark Bucciarelli
  Nigel Hathaway
diff --git a/src/templating/CHANGELOG.md b/src/templating/CHANGELOG.md
index 6024189ef..003652ebf 100644
--- a/src/templating/CHANGELOG.md
+++ b/src/templating/CHANGELOG.md
@@ -1,10 +1,19 @@
-next
-----
+1.2.7 (2024-03-21)
+------------------
+
+New:
+ - fallback to default when mustach_wrap_get_partial
+   returns MUSTACH_ERROR_PARTIAL_NOT_FOUND
+ - remove at compile time the load of files for templates
+   if MUSTACH_LOAD_TEMPLATE is defined as 0
+ - add compile time flag MUSTACH_SAFE for enforcing
+   safety behaviours
 
 Fix:
  - selection of subitem by index (#47)
  - get latest iterated key when getting key name (#52)
  - allow tests without valgrind
+ - avoid recursive template expansion (#55)
 
 1.2.6 (2024-01-08)
 ------------------
@@ -20,6 +29,7 @@ Minor:
 
 1.2.5 (2023-02-18)
 ------------------
+
 Fix:
  - Don't override CFLAGS in Makefile
  - Use of $(INSTALL) in Makefile for setting options
@@ -29,6 +39,7 @@ Minor:
 
 1.2.4 (2023-01-02)
 ------------------
+
 Fix:
  - Latent SIGSEGV using cJSON
 
diff --git a/src/templating/Makefile.am b/src/templating/Makefile.am
index f74322982..c55f2964d 100644
--- a/src/templating/Makefile.am
+++ b/src/templating/Makefile.am
@@ -16,7 +16,9 @@ taler_mustach_tool_LDADD = \
   libmustach.la \
   -ljansson
 taler_mustach_tool_CFLAGS = \
-  -DTOOL=MUSTACH_TOOL_JANSSON
+  -DTOOL=MUSTACH_TOOL_JANSSON \
+  -DMUSTACH_SAFE=1 \
+  -DMUSTACH_LOAD_TEMPLATE=0
 
 lib_LTLIBRARIES = \
   libtalertemplating.la
@@ -40,7 +42,9 @@ libtalertemplating_la_LIBADD = \
 libtalertemplating_la_LDFLAGS = \
   -version-info 0:0:0 \
   -no-undefined
-
+libtalertemplating_la_CFLAGS = \
+  -DMUSTACH_SAFE=1 \
+  -DMUSTACH_LOAD_TEMPLATE=0
 
 libmustach_la_SOURCES = \
   mustach.c mustach.h \
diff --git a/src/templating/README.md b/src/templating/README.md
index 324c9a862..6e7a6c956 100644
--- a/src/templating/README.md
+++ b/src/templating/README.md
@@ -5,7 +5,7 @@ template specification.
 
 The main site for `mustach` is on [gitlab](https://gitlab.com/jobol/mustach).
 
-The simpliest way to use mustach is to copy the files **mustach.h** and **mustach.c**
+The simplest way to use mustach is to copy the files **mustach.h** and **mustach.c**
 directly into your project and use it.
 
 If you are using one of the JSON libraries listed below, you can get extended feature
@@ -85,7 +85,7 @@ It then outputs the result of applying the templates files to the JSON file.
 ### Portability
 
 Some system does not provide *open_memstream*. In that case, tell your
-prefered compiler to declare the preprocessor symbol **NO_OPEN_MEMSTREAM**.
+preferred compiler to declare the preprocessor symbol **NO_OPEN_MEMSTREAM**.
 Example:
 
 	CFLAGS=-DNO_OPEN_MEMSTREAM make
@@ -170,7 +170,7 @@ Here is the summary.
 
      Flag name                     | Description
     -------------------------------+------------------------------------------------
-     Mustach_With_Colon            | Explicit tag substition with colon
+     Mustach_With_Colon            | Explicit tag substitution with colon
      Mustach_With_EmptyTag         | Empty Tag Allowed
     -------------------------------+------------------------------------------------
      Mustach_With_Equal            | Value Testing Equality
@@ -187,7 +187,7 @@ For the details, see below.
 
 ### Explicit Tag Substitution With Colon (Mustach_With_Colon)
 
-In somecases the name of the key used for substition begins with a
+In somecases the name of the key used for substitution begins with a
 character reserved for mustach: one of `#`, `^`, `/`, `&`, `{`, `>` and `=`.
 
 This extension introduces the special character `:` to explicitly
@@ -318,4 +318,3 @@ The table below summarize the changes.
      fdmustach_json_c | mustach_json_c_fd
      mustach_json_c   | mustach_json_c_mem
      mustach_json_c   | mustach_json_c_write
-
diff --git a/src/templating/mustach-original-Makefile b/src/templating/mustach-original-Makefile
index 6d90f33d9..c1ddbe63f 100644
--- a/src/templating/mustach-original-Makefile
+++ b/src/templating/mustach-original-Makefile
@@ -1,7 +1,7 @@
 # version
 MAJOR := 1
 MINOR := 2
-REVIS := 6
+REVIS := 7
 
 # installation settings
 DESTDIR ?=
diff --git a/src/templating/mustach-tool.c b/src/templating/mustach-tool.c
index e2a5c1f40..5f28c1f58 100644
--- a/src/templating/mustach-tool.c
+++ b/src/templating/mustach-tool.c
@@ -35,7 +35,8 @@ static const char *errors[] = {
 	"invalid interface",
 	"item not found",
 	"partial not found",
-	"undefined tag"
+	"undefined tag",
+	"too much template nesting"
 };
 
 static const char *errmsg = 0;
diff --git a/src/templating/mustach-wrap.c b/src/templating/mustach-wrap.c
index 869713c86..2cd00db12 100644
--- a/src/templating/mustach-wrap.c
+++ b/src/templating/mustach-wrap.c
@@ -20,6 +20,18 @@
 #include "mustach.h"
 #include "mustach-wrap.h"
 
+/*
+* It was stated that allowing to include files
+* through template is not safe when the mustache
+* template is open to any value because it could
+* create leaks (example: {{>/etc/passwd}}).
+*/
+#if MUSTACH_SAFE
+# undef MUSTACH_LOAD_TEMPLATE
+#elif !defined(MUSTACH_LOAD_TEMPLATE)
+# define MUSTACH_LOAD_TEMPLATE 1
+#endif
+
 #if !defined(INCLUDE_PARTIAL_EXTENSION)
 # define INCLUDE_PARTIAL_EXTENSION ".mustache"
 #endif
@@ -325,6 +337,7 @@ static int get_callback(void *closure, const char *name, struct mustach_sbuf *sb
 	return MUSTACH_OK;
 }
 
+#if MUSTACH_LOAD_TEMPLATE
 static int get_partial_from_file(const char *name, struct mustach_sbuf *sbuf)
 {
 	static char extension[] = INCLUDE_PARTIAL_EXTENSION;
@@ -375,14 +388,22 @@ static int get_partial_from_file(const char *name, struct mustach_sbuf *sbuf)
 	fclose(file);
 	return MUSTACH_ERROR_SYSTEM;
 }
+#endif
 
 static int partial_callback(void *closure, const char *name, struct mustach_sbuf *sbuf)
 {
 	struct wrap *w = closure;
 	int rc;
-	if (mustach_wrap_get_partial != NULL)
+	if (mustach_wrap_get_partial != NULL) {
 		rc = mustach_wrap_get_partial(name, sbuf);
-	else if (w->flags & Mustach_With_PartialDataFirst) {
+		if (rc != MUSTACH_ERROR_PARTIAL_NOT_FOUND) {
+			if (rc != MUSTACH_OK)
+				sbuf->value = "";
+			return rc;
+		}
+	}
+#if MUSTACH_LOAD_TEMPLATE
+	if (w->flags & Mustach_With_PartialDataFirst) {
 		if (getoptional(w, name, sbuf) > 0)
 			rc = MUSTACH_OK;
 		else
@@ -393,6 +414,9 @@ static int partial_callback(void *closure, const char *name, struct mustach_sbuf
 		if (rc != MUSTACH_OK &&  getoptional(w, name, sbuf) > 0)
 			rc = MUSTACH_OK;
 	}
+#else
+	rc = getoptional(w, name, sbuf) > 0 ?  MUSTACH_OK : MUSTACH_ERROR_PARTIAL_NOT_FOUND;
+#endif
 	if (rc != MUSTACH_OK)
 		sbuf->value = "";
 	return MUSTACH_OK;
diff --git a/src/templating/mustach-wrap.h b/src/templating/mustach-wrap.h
index 37e6ff6cf..fedcb9191 100644
--- a/src/templating/mustach-wrap.h
+++ b/src/templating/mustach-wrap.h
@@ -146,7 +146,8 @@ extern const struct mustach_itf mustach_wrap_itf;
  * function replaces the default behaviour and is called to provide the partial
  * of the given 'name' in 'sbuf'.
  * The function must return MUSTACH_OK when it filled 'sbuf' with value of partial
- * or must return an error code if it failed.
+ * or must return an error code if it failed. But if MUSTACH_ERROR_PARTIAL_NOT_FOUND
+ * is returned, the default behavior is evaluated.
  */
 extern int (*mustach_wrap_get_partial)(const char *name, struct mustach_sbuf *sbuf);
 
diff --git a/src/templating/mustach.c b/src/templating/mustach.c
index 9f992c737..1bf482bce 100644
--- a/src/templating/mustach.c
+++ b/src/templating/mustach.c
@@ -33,6 +33,7 @@ struct iwrap {
 	int (*partial)(void *closure, const char *name, struct mustach_sbuf *sbuf);
 	void *closure_partial; /* closure for partial */
 	int flags;
+	int nesting;
 };
 
 struct prefix {
@@ -430,11 +431,17 @@ get_name:
 		case '>':
 			/* partials */
 			if (enabled) {
-				sbuf_reset(&sbuf);
-				rc = iwrap->partial(iwrap->closure_partial, name, &sbuf);
-				if (rc >= 0) {
-					rc = process(sbuf.value, sbuf_length(&sbuf), iwrap, file, &pref);
-					sbuf_release(&sbuf);
+				if (iwrap->nesting >= MUSTACH_MAX_NESTING)
+					rc = MUSTACH_ERROR_TOO_MUCH_NESTING;
+				else {
+					sbuf_reset(&sbuf);
+					rc = iwrap->partial(iwrap->closure_partial, name, &sbuf);
+					if (rc >= 0) {
+						iwrap->nesting++;
+						rc = process(sbuf.value, sbuf_length(&sbuf), iwrap, file, &pref);
+						sbuf_release(&sbuf);
+						iwrap->nesting--;
+					}
 				}
 				if (rc < 0)
 					return rc;
@@ -486,6 +493,7 @@ int mustach_file(const char *template, size_t length, const struct mustach_itf *
 	iwrap.leave = itf->leave;
 	iwrap.get = itf->get;
 	iwrap.flags = flags;
+	iwrap.nesting = 0;
 
 	/* process */
 	rc = itf->start ? itf->start(closure) : 0;
diff --git a/src/templating/mustach.h b/src/templating/mustach.h
index 8c4a43f10..1b44582d5 100644
--- a/src/templating/mustach.h
+++ b/src/templating/mustach.h
@@ -19,11 +19,16 @@ struct mustach_sbuf; /* see below */
 #define MUSTACH_VERSION_MINOR (MUSTACH_VERSION % 100)
 
 /**
- * Maximum nested imbrications supported
+ * Maximum nested section supported
  */
 #define MUSTACH_MAX_DEPTH  256
 
 /**
+ * Maximum nested template supported
+ */
+#define MUSTACH_MAX_NESTING  64
+
+/**
  * Maximum length of tags in mustaches {{...}}
  */
 #define MUSTACH_MAX_LENGTH 4096
@@ -57,6 +62,7 @@ struct mustach_sbuf; /* see below */
 #define MUSTACH_ERROR_ITEM_NOT_FOUND    -10
 #define MUSTACH_ERROR_PARTIAL_NOT_FOUND -11
 #define MUSTACH_ERROR_UNDEFINED_TAG     -12
+#define MUSTACH_ERROR_TOO_MUCH_NESTING  -13
 
 /*
  * You can use definition below for user specific error
diff --git a/src/templating/test-specs/test-specs-cjson.ref b/src/templating/test-specs/test-specs-cjson.ref
index 8897c66cc..41e1c8de6 100644
--- a/src/templating/test-specs/test-specs-cjson.ref
+++ b/src/templating/test-specs/test-specs-cjson.ref
@@ -52,7 +52,7 @@ processing file test-specs/spec/specs/delimiters.json
 [3] Inverted Sections
 	Delimiters set outside inverted sections should persist.
 	=> SUCCESS
-[4] Partial Inheritence
+[4] Partial Inheritance
 	Delimiters set in a parent template should not affect a partial.
 	=> SUCCESS
 [5] Post-Partial Behavior
diff --git a/src/templating/test-specs/test-specs-jansson.ref b/src/templating/test-specs/test-specs-jansson.ref
index a1cef19c1..2e1e9185b 100644
--- a/src/templating/test-specs/test-specs-jansson.ref
+++ b/src/templating/test-specs/test-specs-jansson.ref
@@ -52,7 +52,7 @@ processing file test-specs/spec/specs/delimiters.json
 [3] Inverted Sections
 	Delimiters set outside inverted sections should persist.
 	=> SUCCESS
-[4] Partial Inheritence
+[4] Partial Inheritance
 	Delimiters set in a parent template should not affect a partial.
 	=> SUCCESS
 [5] Post-Partial Behavior
diff --git a/src/templating/test-specs/test-specs-json-c.ref b/src/templating/test-specs/test-specs-json-c.ref
index 8897c66cc..41e1c8de6 100644
--- a/src/templating/test-specs/test-specs-json-c.ref
+++ b/src/templating/test-specs/test-specs-json-c.ref
@@ -52,7 +52,7 @@ processing file test-specs/spec/specs/delimiters.json
 [3] Inverted Sections
 	Delimiters set outside inverted sections should persist.
 	=> SUCCESS
-[4] Partial Inheritence
+[4] Partial Inheritance
 	Delimiters set in a parent template should not affect a partial.
 	=> SUCCESS
 [5] Post-Partial Behavior