Add +trust option for templates

lowlighter · lowlighter · Jan 19, 2021 · Jan 19, 2021 · Jan 19, 2021 · Jan 19, 2021
commit f580972441e8dd865feb19912fec0a7c470741ac
diff --git a/README.md b/README.md
@@ -649,11 +649,19 @@ For example, to use the `super-metrics` template from `github-user`'s fork, add
  setup_community_templates: github-user/metrics@latest:classic
 ```
 
-To create a community template, just fork this repository and create a new folder in `/source/templates` with the same structure as current templates.
-Then, it's just as simple as HTML and CSS with a bit of JavaScript!
+By default, community templates have their `template.mjs` removed and fallback to the one used by `classic` template.
+It means that they're restricted to common and plugins data, to prevent malicious code injection and token leaks.
+
+If you really trust a template, it is possible to bypass this behaviour by appending `+trust` at the end of their source like below:
+```yaml
+- uses: lowlighter/metrics@master
+ with:
+ # ... other options
+ setup_community_templates: github-user/metrics@latest:classic+trust
+```
 
- ⚠️ Community templates are restricted to common and plugins data.
- Their "template.mjs" is automatically removed to prevent malicious code injection. 
+To create a new community template, just fork this repository and create a folder in `/source/templates` with the same structure as current templates.
+Then, it's just as simple as HTML and CSS with a bit of JavaScript!
 
 </details>
 

diff --git a/source/app/setup.mjs b/source/app/setup.mjs
@@ -71,7 +71,7 @@
  try {
  //Parse community template
  logger(`metrics/setup > load community template ${template}`)
- const {repo, branch, name} = template.match(/^(?<repo>[\s\S]+?)@(?<branch>[\s\S]+?):(?<name>[\s\S]+?)$/)?.groups
+ const {repo, branch, name, trust = false} = template.match(/^(?<repo>[\s\S]+?)@(?<branch>[\s\S]+?):(?<name>[\s\S]+?)(?<trust>[+]trust)?$/)?.groups
  const command = `git clone --single-branch --branch ${branch} https://github.com/${repo}.git ${path.join(__templates, ".community")}`
  logger(`metrics/setup > run ${command}`)
  //Clone remote repository
@@ -80,6 +80,15 @@
  logger(`metrics/setup > extract ${name} from ${repo}@${branch}`)
  await fs.promises.rmdir(path.join(__templates, `@${name}`), {recursive:true})
  await fs.promises.rename(path.join(__templates, ".community/source/templates", name), path.join(__templates, `@${name}`))
+ //JavaScript file
+ if (trust)
+ logger(`metrics/setup > keeping @${name}/template.mjs (unsafe mode is enabled)`)
+ else if (fs.existsSync(path.join(__templates, `@${name}`, "template.mjs"))) {
+ logger(`metrics/setup > removing @${name}/template.mjs`)
+ await fs.promises.unlink(path.join(__templates, `@${name}`, "template.mjs"))
+ }
+ else
+ logger(`metrics/setup > @${name}/template.mjs does not exist`)
  //Clean remote repository
  logger(`metrics/setup > clean ${repo}@${branch}`)
  await fs.promises.rmdir(path.join(__templates, ".community"), {recursive:true})
@@ -107,7 +116,7 @@
  conf.templates[name] = {image, style, fonts, partials, views:[directory]}
 
  //Cache templates scripts
- Templates[name] = (await import(url.pathToFileURL(path.join(directory, "template.mjs")).href)).default
+ Templates[name] = (await import(url.pathToFileURL(path.join(fs.existsSync(path.join(directory, "templates.mjs")) ? directory : path.join(__templates, "classic"), "template.mjs")).href)).default
  logger(`metrics/setup > load template [${name}] > success`)
  //Debug
  if (conf.settings.debug) {