mustach issueshttps://gitlab.com/jobol/mustach/-/issues2021-07-30T14:34:12Zhttps://gitlab.com/jobol/mustach/-/issues/23Documentation: Man Page(s)2021-07-30T14:34:12ZLucas Ramagelucas.ramage@infinite-omicron.comDocumentation: Man Page(s)Command:
- [x] `doc/man/mustach.1`
Library:
- [ ] `doc/man/mustach.3`
- [ ] `doc/man/fmustach.3`
- [ ] `doc/man/fdmustach.3`
Reference(s):
- https://www.commandlinux.com/man-pages-sectionsCommand:
- [x] `doc/man/mustach.1`
Library:
- [ ] `doc/man/mustach.3`
- [ ] `doc/man/fmustach.3`
- [ ] `doc/man/fdmustach.3`
Reference(s):
- https://www.commandlinux.com/man-pages-sectionsversion 1.22021-07-31https://gitlab.com/jobol/mustach/-/issues/53need way to disable dangerous operations2024-03-21T22:29:36ZFelix von Leitnerneed way to disable dangerous operationsHi, I have been asked to do a code audit of Mustach for a project that uses it.
I told them that Mustach is much less dangerous than the Ruby version (that allows Lambdas, i.e. code execution by design), but it is still much more dangero...Hi, I have been asked to do a code audit of Mustach for a project that uses it.
I told them that Mustach is much less dangerous than the Ruby version (that allows Lambdas, i.e. code execution by design), but it is still much more dangerous than it needs to be for their use cases.
I my estimation, the template and the json should be viewed as untrusted and attacker controlled, and running Mustach should still be safe.
However, Mustach has a feature in the template to pass semantic control to the json ( {{ > foo }} ), which can also lead to arbitrary file inclusion {{ > /etc/passwd }}
They asked me to ask you for a way to disable this functionality at build time, so they don't have to maintain a fork themselves.
Please add a way to remove this functionality in the upstream version, maybe a #define MUSTACH_SAFE or so.
I would also like to see some man pages in the distribution. Currently you reference an external document for the Ruby library, which documents things you do not support. This is not useful as documentation for Mustach, I think. You should have your own documentation about what you support. As someone who has never used moustache before, I struggled trying to understand what mustach does. What is this prefix functionality, for example?https://gitlab.com/jobol/mustach/-/issues/50segmentation violation on ARMV7 + MUSL2024-02-07T13:57:16Zjosé bollosegmentation violation on ARMV7 + MUSLreported by @qaqland on #48:
> met some problems when do basic-test on armv7: Segmentation fault
>
> log is here: https://gitlab.alpinelinux.org/qaqland/aports/-/jobs/1258701#L130
>
> Do we have support for this architecture?reported by @qaqland on #48:
> met some problems when do basic-test on armv7: Segmentation fault
>
> log is here: https://gitlab.alpinelinux.org/qaqland/aports/-/jobs/1258701#L130
>
> Do we have support for this architecture?https://gitlab.com/jobol/mustach/-/issues/49test of spec must use a specific HASH when cloning2024-01-29T06:40:25Zjosé bollotest of spec must use a specific HASH when cloningsee discussion #48see discussion #48https://gitlab.com/jobol/mustach/-/issues/46Support blocks and parents2024-01-27T13:20:57ZWolfgang WaltherSupport blocks and parentsIt seems like [blocks (`{{$block}}{{/block}}`)](https://mustache.github.io/mustache.5.html#Blocks) and [parents (`{{<...}}`)](https://mustache.github.io/mustache.5.html#Parents) are not supported, yet.It seems like [blocks (`{{$block}}{{/block}}`)](https://mustache.github.io/mustache.5.html#Blocks) and [parents (`{{<...}}`)](https://mustache.github.io/mustache.5.html#Parents) are not supported, yet.https://gitlab.com/jobol/mustach/-/issues/44Issue generating using Jansson-lib2023-09-01T14:03:36ZMatias AlvinIssue generating using Jansson-libHi, I noticed an issue while developing using Jansson Mustach-lib while having JSON-C also installed. Below are the issue details.
## Context
Given this code
<details><summary>Code</summary>
```c
#include <jansson.h>
#include <mustach...Hi, I noticed an issue while developing using Jansson Mustach-lib while having JSON-C also installed. Below are the issue details.
## Context
Given this code
<details><summary>Code</summary>
```c
#include <jansson.h>
#include <mustach/mustach-jansson.h>
#include <stdio.h>
#define TEMPLATE \
"name : {{name}}\n\
age : {{age}}\n\
alive?: {{is_alive}}\n"
json_t *init(void) {
json_t *root = json_object();
json_object_set(root, "name", json_string("test"));
json_object_set(root, "age", json_integer(1));
json_object_set(root, "is_alive", json_true());
return root;
}
int main(void) {
json_t *data = init();
mustach_jansson_file(TEMPLATE, 0, data, Mustach_With_AllExtensions, stdout);
return 0;
}
```
</details>
Compiled using this command **in a machine that has also installed json-c and mustach json-c library support**
```sh
$ cc -o dbg main.c -lmustach -ljansson
```
The result is
```
name : {"name":"test","age":1,"is_alive":true}
age : {"name":"test","age":1,"is_alive":true}
alive?: {"name":"test","age":1,"is_alive":true}
```
## Expected result
```
name : test
age : 1
alive?: true
```
## Step to reproduce
1. Install both JSON-C and Jansson to the machine (order not important)
2. Install Mustach with both of the libraries
3. Compile a program that utilizes Jansson and Mustach-Jansson
4. The result above
## Machine specs
```
OS : Ubuntu 20.04.6 LTS x86_64
Kernel: 5.15.0-79-generic
Shell : zsh 5.8
```
Also reproducible on
```
OS : Debian GNU/Linux 12 (bookworm) x86_64
Kernel: 6.1.0-9-amd64
Shell : zsh 5.9
```
****
## Workaround
Reinstall Mustach without JSON-C lib. The result will be correct.
## Hypothesis
It might be caused by name colliding between those two libraries. Both have functions with the same name, `json_object_iter_next`.
* In `mustach-json-c.c:l151` ([source](https://gitlab.com/jobol/mustach/-/blob/master/mustach-json-c.c?ref_type=heads#L151))
```c
json_object_iter_next(&e->stack[e->depth].iter);
```
* In `mustach-jansson.c:l157` ([source](https://gitlab.com/jobol/mustach/-/blob/master/mustach-jansson.c?ref_type=heads#L157))
```c
e->stack[e->depth].iter = json_object_iter_next(e->stack[e->depth].cont, e->stack[e->depth].iter);
```
---
p.s. I think the issue severity is low. As the scenario is unlikely (need to have two json libraries installed at the same time and Mustach compiled with both libraries support). I just want to let you and maybe others with the same issue know.
Please let me know if there's anything else I can provide. Thank youhttps://gitlab.com/jobol/mustach/-/issues/38pure C api without dependency to JSON library2023-08-31T15:54:43ZGeorgy Shelkovypure C api without dependency to JSON libraryHow about to add pure C api, like
```c
int mustach_process_cjson(const char *template, size_t length, const char *value, size_t buffer_length, int flags, FILE *file, char **err) {
cJSON *root;
int rc = MUSTACH_ERROR_USER(1);
...How about to add pure C api, like
```c
int mustach_process_cjson(const char *template, size_t length, const char *value, size_t buffer_length, int flags, FILE *file, char **err) {
cJSON *root;
int rc = MUSTACH_ERROR_USER(1);
if (!(root = cJSON_ParseWithLength(value, buffer_length))) { *err = (char *)cJSON_GetErrorPtr(); goto ret; }
rc = mustach_cJSON_file(template, length, root, flags, file);
cJSON_Delete(root);
ret:
fclose(file);
return rc;
}
int mustach_process_jansson(const char *template, size_t length, const char *buffer, size_t buflen, int flags, FILE *file, char **err) {
int rc = MUSTACH_ERROR_USER(1);
static char text[JSON_ERROR_TEXT_LENGTH];
json_error_t error;
json_t *root;
if (!(root = json_loadb(buffer, buflen, JSON_DECODE_ANY, &error))) { *err = strncpy(text, error.text, JSON_ERROR_TEXT_LENGTH); goto ret; }
rc = mustach_jansson_file(template, length, root, flags, file);
json_decref(root);
ret:
fclose(file);
return rc;
}
static struct json_object *json_tokener_parse_verbose_len(const char *str, size_t len, enum json_tokener_error *error) {
struct json_tokener *tok;
struct json_object *obj;
if (!(tok = json_tokener_new())) return NULL;
obj = json_tokener_parse_ex(tok, str, len);
*error = tok->err;
if (tok->err != json_tokener_success || json_tokener_get_parse_end(tok) != len) {
if (obj) json_object_put(obj);
obj = NULL;
}
json_tokener_free(tok);
return obj;
}
int mustach_process_json_c(const char *template, size_t length, const char *str, size_t len, int flags, FILE *file, char **err) {
enum json_tokener_error error = json_tokener_success;
int rc = MUSTACH_ERROR_USER(1);
struct json_object *root;
if (!(root = json_tokener_parse_verbose_len(str, len, &error))) { *err = (char *)json_tokener_error_desc(error); goto ret; }
rc = mustach_json_c_file(template, length, root, flags, file);
json_object_put(root);
ret:
fclose(file);
return rc;
}
```josé bollojosé bollohttps://gitlab.com/jobol/mustach/-/issues/36strict mode2022-12-21T21:56:13ZGeorgy Shelkovystrict modeIs it possible to add strict mode, in which raise error if json key not found?
I.e. if templete is {{a}} and json is {"A": 1}, then raise error instead render empty string.Is it possible to add strict mode, in which raise error if json key not found?
I.e. if templete is {{a}} and json is {"A": 1}, then raise error instead render empty string.https://gitlab.com/jobol/mustach/-/issues/34streaming json parser2023-07-10T21:18:28ZGeorgy Shelkovystreaming json parserHow about to use streaming json parser like https://lloyd.github.io/yajl/ ?How about to use streaming json parser like https://lloyd.github.io/yajl/ ?https://gitlab.com/jobol/mustach/-/issues/31handlebars2022-12-21T22:02:18ZGeorgy Shelkovyhandlebarshow about to transform mustach to handlebars via extensions?
(like https://github.com/jbboehr/handlebars.c)how about to transform mustach to handlebars via extensions?
(like https://github.com/jbboehr/handlebars.c)