print in commands now automatically converts to string, untrusted partials cannot include beyond PWD.

2023-02-20 00:58:22 +01:00 · 2023-02-20 00:58:22 +01:00 · bc45937d8e
commit bc45937d8e
parent e07141fe10
2 changed files with 7 additions and 2 deletions
--- a/command.py
+++ b/command.py
@ -68,10 +68,10 @@ def executeCommand(source, element: Element, ctx: Context) -> List[Element]:
 		if mode == 'elements':
 			raise SyntaxError("Cannot use `print` and `appendChild` in one command at the same time.")
 		mode = 'text'
-		text += s
+		text += str(s)

 	def println(s: str=""):
-		print(s+"\n")
+		print(str(s)+"\n")

 	def appendChild(e: Element):
 		nonlocal mode, content
--- a/transform.py
+++ b/transform.py
@ -57,6 +57,11 @@ def transform(e: Element, c: Context) -> Element:
 		if (isinstance(e, Div) and "partial" in e.attributes)\
 		  or (isinstance(e, CodeBlock) and "markdown" in e.classes and "group" in e.classes):
 			if isinstance(e, Div):
+				if not c.trusted: # If we're in an untrusted context, we shouldn't allow inclusion of files outside the PWD.
+					full_path = os.path.abspath(c.dir + "/" + e.attributes["partial"])
+					pwd = os.path.abspath(".")
+					if os.path.commonpath([full_path, pwd]) != os.path.commonpath([pwd]):
+						return nullify(e)
 				text = open(c.dir + "/" + e.attributes["partial"], "r").read()
 				path = c.dir + "/" + e.attributes["partial"]
 			else: