File: fixtreesitter-validate-language-name.patch

package info (click to toggle)
neovim 0.7.2-7
  • links: PTS, VCS
  • area: main
  • in suites: bookworm
  • size: 53,496 kB
  • sloc: ansic: 237,952; python: 3,358; sh: 2,080; awk: 704; makefile: 398; perl: 335; lisp: 129; xml: 63; ruby: 6
file content (74 lines) | stat: -rw-r--r-- 3,057 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
 
From: Christian Clason <c.clason@uni-graz.at>
Date: Thu, 26 Jan 2023 09:42:23 +0100
X-Dgit-Generated: 0.7.2-7 8b0dfcf859e0db33ed0ba8402c4563fa15de2768
Subject: fix(treesitter): validate language name

Problem: Some injections (like markdown) allow specifying arbitrary
language names for code blocks, which may be lead to errors when
looking for a corresponding parser in runtime path.

Solution: Validate that the language name only contains alphanumeric
characters and `_` (e.g., for `c_sharp`) and error otherwise.

(cherry picked from commit c032e83b22994332dd8769ef34cb817906a63cac)
Signed-off-by: James McCoy <jamessan@debian.org>

---

diff --git a/runtime/doc/treesitter.txt b/runtime/doc/treesitter.txt
index b10bf3498..01d5cbed2 100644
--- a/runtime/doc/treesitter.txt
+++ b/runtime/doc/treesitter.txt
@@ -399,6 +399,7 @@ require_language({lang}, {path}, {silent})                *require_language()*
 
                 Parameters: ~
                     {lang}    The language the parser should parse
+                              (alphanumerical and `_` only)
                     {path}    Optional path the parser is located at
                     {silent}  Don't throw an error if language not found
 
diff --git a/runtime/lua/vim/treesitter/language.lua b/runtime/lua/vim/treesitter/language.lua
index 8b106108d..26162b82d 100644
--- a/runtime/lua/vim/treesitter/language.lua
+++ b/runtime/lua/vim/treesitter/language.lua
@@ -6,7 +6,7 @@ local M = {}
 ---
 --- Parsers are searched in the `parser` runtime directory.
 ---
----@param lang The language the parser should parse
+---@param lang The language the parser should parse (alphanumerical and `_` only)
 ---@param path Optional path the parser is located at
 ---@param silent Don't throw an error if language not found
 function M.require_language(lang, path, silent)
@@ -14,7 +14,14 @@ function M.require_language(lang, path, silent)
     return true
   end
   if path == nil then
-    local fname = 'parser/' .. vim.fn.fnameescape(lang) .. '.*'
+    if not (lang and lang:match('[%w_]+') == lang) then
+      if silent then
+        return false
+      end
+      error("'" .. lang .. "' is not a valid language name")
+    end
+
+    local fname = 'parser/' .. lang .. '.*'
     local paths = a.nvim_get_runtime_file(fname, false)
     if #paths == 0 then
       if silent then
diff --git a/test/functional/treesitter/language_spec.lua b/test/functional/treesitter/language_spec.lua
index 30585be32..c825a33d5 100644
--- a/test/functional/treesitter/language_spec.lua
+++ b/test/functional/treesitter/language_spec.lua
@@ -28,6 +28,11 @@ describe('treesitter API', function()
        pcall_err(exec_lua, "parser = vim.treesitter.inspect_language('borklang')"))
   end)
 
+  it('shows error for invalid language name', function()
+    eq(".../language.lua:0: '/foo/' is not a valid language name",
+      pcall_err(exec_lua, 'vim.treesitter.require_language("/foo/", nil, false)'))
+  end)
+
   it('inspects language', function()
     if pending_c_parser(pending) then return end