Hacked By AnonymousFox
'use strict'
const parser = require('postcss-selector-parser')
const arrayDelimiter = Symbol('arrayDelimiter')
const escapeSlashes = str =>
str.replace(/\//g, '\\/')
const unescapeSlashes = str =>
str.replace(/\\\//g, '/')
// recursively fixes up any :attr pseudo-class found
const fixupAttr = astNode => {
const properties = []
const matcher = {}
for (const selectorAstNode of astNode.nodes) {
const [firstAstNode] = selectorAstNode.nodes
if (firstAstNode.type === 'tag') {
properties.push(firstAstNode.value)
}
}
const lastSelectorAstNode = astNode.nodes.pop()
const [attributeAstNode] = lastSelectorAstNode.nodes
if (attributeAstNode.value === ':attr') {
const appendParts = fixupAttr(attributeAstNode)
properties.push(arrayDelimiter, ...appendParts.lookupProperties)
matcher.qualifiedAttribute = appendParts.attributeMatcher.qualifiedAttribute
matcher.operator = appendParts.attributeMatcher.operator
matcher.value = appendParts.attributeMatcher.value
// backwards compatibility
matcher.attribute = appendParts.attributeMatcher.attribute
if (appendParts.attributeMatcher.insensitive) {
matcher.insensitive = true
}
} else {
if (attributeAstNode.type !== 'attribute') {
throw Object.assign(
new Error('`:attr` pseudo-class expects an attribute matcher as the last value'),
{ code: 'EQUERYATTR' }
)
}
matcher.qualifiedAttribute = unescapeSlashes(attributeAstNode.qualifiedAttribute)
matcher.operator = attributeAstNode.operator
matcher.value = attributeAstNode.value
// backwards compatibility
matcher.attribute = matcher.qualifiedAttribute
if (attributeAstNode.insensitive) {
matcher.insensitive = true
}
}
astNode.lookupProperties = properties
astNode.attributeMatcher = matcher
astNode.nodes.length = 0
return astNode
}
// fixed up nested pseudo nodes will have their internal selectors moved
// to a new root node that will be referenced by the `nestedNode` property,
// this tweak makes it simpler to reuse `retrieveNodesFromParsedAst` to
// recursively parse and extract results from the internal selectors
const fixupNestedPseudo = astNode => {
// create a new ast root node and relocate any children
// selectors of the current ast node to this new root
const newRootNode = parser.root()
astNode.nestedNode = newRootNode
newRootNode.nodes = [...astNode.nodes]
// clean up the ast by removing the children nodes from the
// current ast node while also cleaning up their `parent` refs
astNode.nodes.length = 0
for (const currAstNode of newRootNode.nodes) {
currAstNode.parent = newRootNode
}
// recursively fixup nodes of any nested selector
transformAst(newRootNode)
}
// :semver(<version|range|selector>, [version|range|selector], [function])
// note: the first or second parameter must be a static version or range
const fixupSemverSpecs = astNode => {
// if we have three nodes, the last is the semver function to use, pull that out first
if (astNode.nodes.length === 3) {
const funcNode = astNode.nodes.pop().nodes[0]
if (funcNode.type === 'tag') {
astNode.semverFunc = funcNode.value
} else if (funcNode.type === 'string') {
// a string is always in some type of quotes, we don't want those so slice them off
astNode.semverFunc = funcNode.value.slice(1, -1)
} else {
// anything that isn't a tag or a string isn't a function name
throw Object.assign(
new Error('`:semver` pseudo-class expects a function name as last value'),
{ code: 'ESEMVERFUNC' }
)
}
}
// now if we have 1 node, it's a static value
// istanbul ignore else
if (astNode.nodes.length === 1) {
const semverNode = astNode.nodes.pop()
astNode.semverValue = semverNode.nodes.reduce((res, next) => `${res}${String(next)}`, '')
} else if (astNode.nodes.length === 2) {
// and if we have two nodes, one of them is a static value and we need to determine which it is
for (let i = 0; i < astNode.nodes.length; ++i) {
const type = astNode.nodes[i].nodes[0].type
// the type of the first child may be combinator for ranges, such as >14
if (type === 'tag' || type === 'combinator') {
const semverNode = astNode.nodes.splice(i, 1)[0]
astNode.semverValue = semverNode.nodes.reduce((res, next) => `${res}${String(next)}`, '')
astNode.semverPosition = i
break
}
}
if (typeof astNode.semverValue === 'undefined') {
throw Object.assign(
new Error('`:semver` pseudo-class expects a static value in the first or second position'),
{ code: 'ESEMVERVALUE' }
)
}
}
// if we got here, the last remaining child should be attribute selector
if (astNode.nodes.length === 1) {
fixupAttr(astNode)
} else {
// if we don't have a selector, we default to `[version]`
astNode.attributeMatcher = {
insensitive: false,
attribute: 'version',
qualifiedAttribute: 'version',
}
astNode.lookupProperties = []
}
astNode.nodes.length = 0
}
const fixupTypes = astNode => {
const [valueAstNode] = astNode.nodes[0].nodes
const { value } = valueAstNode || {}
astNode.typeValue = value
astNode.nodes.length = 0
}
const fixupPaths = astNode => {
astNode.pathValue = unescapeSlashes(String(astNode.nodes[0]))
astNode.nodes.length = 0
}
const fixupOutdated = astNode => {
if (astNode.nodes.length) {
astNode.outdatedKind = String(astNode.nodes[0])
astNode.nodes.length = 0
}
}
const fixupVuln = astNode => {
const vulns = []
if (astNode.nodes.length) {
for (const selector of astNode.nodes) {
const vuln = {}
for (const node of selector.nodes) {
if (node.type !== 'attribute') {
throw Object.assign(
new Error(':vuln pseudo-class only accepts attribute matchers or "cwe" tag'),
{ code: 'EQUERYATTR' }
)
}
if (!['severity', 'cwe'].includes(node._attribute)) {
throw Object.assign(
new Error(':vuln pseudo-class only matches "severity" and "cwe" attributes'),
{ code: 'EQUERYATTR' }
)
}
if (!node.operator) {
node.operator = '='
node.value = '*'
}
if (node.operator !== '=') {
throw Object.assign(
new Error(':vuln pseudo-class attribute selector only accepts "=" operator', node),
{ code: 'EQUERYATTR' }
)
}
if (!vuln[node._attribute]) {
vuln[node._attribute] = []
}
vuln[node._attribute].push(node._value)
}
vulns.push(vuln)
}
astNode.vulns = vulns
astNode.nodes.length = 0
}
}
// a few of the supported ast nodes need to be tweaked in order to properly be
// interpreted as proper arborist query selectors, namely semver ranges from
// both ids and :semver pseudo-class selectors need to be translated from what
// are usually multiple ast nodes, such as: tag:1, class:.0, class:.0 to a
// single `1.0.0` value, other pseudo-class selectors also get preprocessed in
// order to make it simpler to execute later when traversing each ast node
// using rootNode.walk(), such as :path, :type, etc. transformAst handles all
// these modifications to the parsed ast by doing an extra, initial traversal
// of the parsed ast from the query and modifying the parsed nodes accordingly
const transformAst = selector => {
selector.walk((nextAstNode) => {
switch (nextAstNode.value) {
case ':attr':
return fixupAttr(nextAstNode)
case ':is':
case ':has':
case ':not':
return fixupNestedPseudo(nextAstNode)
case ':path':
return fixupPaths(nextAstNode)
case ':semver':
return fixupSemverSpecs(nextAstNode)
case ':type':
return fixupTypes(nextAstNode)
case ':outdated':
return fixupOutdated(nextAstNode)
case ':vuln':
return fixupVuln(nextAstNode)
}
})
}
const queryParser = (query) => {
// if query is an empty string or any falsy
// value, just returns an empty result
if (!query) {
return []
}
return parser(transformAst)
.astSync(escapeSlashes(query), { lossless: false })
}
module.exports = {
parser: queryParser,
arrayDelimiter,
}
Hacked By AnonymousFox1.0, Coded By AnonymousFox