mirror of
https://github.com/anchore/syft.git
synced 2026-07-04 18:18:26 +02:00
fix(template): expose sprig date/time functions in Go templates (#4644)
* fix(template): expose sprig date functions in Go templates
Replace HermeticTxtFuncMap with TxtFuncMap to expose date/time
functions (now, date, dateInZone, etc.) while still excluding
security-sensitive env/expandenv functions.
Users can now use date functions in templates, e.g.:
{{ now | unixEpoch }}
{{ now | date "2006-01-02" }}
Fixes #2372
Signed-off-by: Sputnik-MAC <sputnik.mac.001@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* invert to add functions to the hermetic set, not the other way around
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Sputnik-MAC <sputnik.mac.001@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
This commit is contained in:
parent
e388b5249d
commit
a34f86fba1
@ -33,7 +33,16 @@ type encoder struct {
|
||||
func NewFormatEncoder(cfg EncoderConfig) (sbom.FormatEncoder, error) {
|
||||
// TODO: revisit this... should no template file be an error or simply render an empty result? or render the json output?
|
||||
// Note: do not check for the existence of the template file here, as the default encoder cannot provide one.
|
||||
// start from the hermetic (repeatable) sprig map, which omits functions that reach into the
|
||||
// environment or network (env, expandenv, getHostByName), then re-expose just the date/time
|
||||
// helpers requested in issue #2372. Allowlisting here keeps the user-template trust boundary
|
||||
// safe even if sprig adds new non-hermetic functions in the future.
|
||||
f := sprig.HermeticTxtFuncMap()
|
||||
full := sprig.TxtFuncMap()
|
||||
for _, name := range []string{"now", "date", "dateInZone", "dateModify", "date_in_zone", "date_modify", "htmlDate", "htmlDateInZone"} {
|
||||
f[name] = full[name]
|
||||
}
|
||||
|
||||
f["getLastIndex"] = func(collection any) int {
|
||||
if v := reflect.ValueOf(collection); v.Kind() == reflect.Slice {
|
||||
return v.Len() - 1
|
||||
|
||||
@ -82,6 +82,27 @@ func TestFormatWithOptionAndHasField(t *testing.T) {
|
||||
)
|
||||
}
|
||||
|
||||
func TestFuncMap_ExposesDateFunctions_ExcludesEnvAndNetwork(t *testing.T) {
|
||||
enc, err := NewFormatEncoder(DefaultEncoderConfig())
|
||||
require.NoError(t, err)
|
||||
|
||||
e, ok := enc.(encoder)
|
||||
require.True(t, ok)
|
||||
|
||||
// date/time functions (the reason for issue #2372) should be available
|
||||
for _, name := range []string{"now", "date", "dateInZone", "dateModify", "unixEpoch"} {
|
||||
_, exists := e.funcMap[name]
|
||||
assert.Truef(t, exists, "expected date function %q to be available", name)
|
||||
}
|
||||
|
||||
// functions that reach into the environment or network must remain excluded.
|
||||
// rand*/uuidv4 are also kept out to preserve hermetic (repeatable) output.
|
||||
for _, name := range []string{"env", "expandenv", "getHostByName", "randAlphaNum", "uuidv4"} {
|
||||
_, exists := e.funcMap[name]
|
||||
assert.Falsef(t, exists, "expected non-hermetic function %q to be excluded", name)
|
||||
}
|
||||
}
|
||||
|
||||
func TestFormatWithoutOptions(t *testing.T) {
|
||||
f, err := NewFormatEncoder(DefaultEncoderConfig())
|
||||
require.NoError(t, err)
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user