From 8d432b7810349caf91dec1f5b0a1ab8c879490d7 Mon Sep 17 00:00:00 2001
From: Nick Nicholas <opoudjis@gmail.com>
Date: Fri, 23 Aug 2024 01:53:34 +1000
Subject: [PATCH] security updates

---
 lib/metanorma/standoc/base.rb                    | 16 ++++++++--------
 lib/metanorma/standoc/cleanup_inline.rb          |  2 +-
 lib/metanorma/standoc/cleanup_text.rb            |  4 ++--
 .../standoc/datamodel/plantuml_renderer.rb       |  2 +-
 lib/metanorma/standoc/localbib.rb                |  2 +-
 lib/metanorma/standoc/macros.rb                  |  2 +-
 lib/metanorma/standoc/macros_plantuml.rb         |  2 +-
 lib/metanorma/standoc/ref.rb                     |  2 +-
 lib/metanorma/standoc/ref_utility.rb             | 13 +++++++------
 lib/metanorma/standoc/section.rb                 |  4 ++--
 spec/metanorma/base_spec.rb                      |  2 +-
 11 files changed, 26 insertions(+), 25 deletions(-)

diff --git a/lib/metanorma/standoc/base.rb b/lib/metanorma/standoc/base.rb
index 31477dd2..3eb23da3 100644
--- a/lib/metanorma/standoc/base.rb
+++ b/lib/metanorma/standoc/base.rb
@@ -47,15 +47,15 @@ def document1(node)
 
       def insert_xml_cr(doc)
         doc.gsub(%r{(</(clause|table|figure|p|bibitem|ul|ol|dl|dt|dd|li|example|
-                       sourcecode|formula|quote|references|annex|appendix|title|
-                       name|note|thead|tbody|tfoot|th|td|form|requirement|
-                       recommendation|permission|imagemap|svgmap|preferred|
-                       admitted|related|deprecates|letter-symbol|domain|
-                       graphical-symbol|expression|abbreviation-type|subject|
-                       pronunciation|grammar|term|terms|termnote|termexample|
-                       termsource|origin|termref|modification)>)}x, "\\1\n")
+            sourcecode|formula|quote|references|annex|appendix|title|name|note|
+            thead|tbody|tfoot|th|td|form|requirement|recommendation|permission|
+            imagemap|svgmap|preferred|admitted|related|domain|deprecates|
+            letter-symbol|graphical-symbol|expression|subject|abbreviation-type|
+            pronunciation|grammar|term|terms|termnote|termexample|termsource|
+            origin|termref|modification)>)}x, "\\1\n")
           .gsub(%r{(<(title|name))}, "\n\\1")
-          .gsub(%r{(<sourcecode[^>]*>)\s+(<name[^>]*>[^<]+</name>)\s+}, "\\1\\2")
+          .gsub(%r{(<sourcecode[^<>]*>)\s+(<name[^<>]*>[^<]+</name>)\s+},
+                "\\1\\2")
       end
 
       def version
diff --git a/lib/metanorma/standoc/cleanup_inline.rb b/lib/metanorma/standoc/cleanup_inline.rb
index 56c3fe15..fafe3736 100644
--- a/lib/metanorma/standoc/cleanup_inline.rb
+++ b/lib/metanorma/standoc/cleanup_inline.rb
@@ -99,7 +99,7 @@ def related_cleanup(xmldoc)
       def key_extract_locality(elem)
         elem["key"].include?(",") or return
         elem.add_child("<locality>#{elem['key'].sub(/^[^,]+,/, '')}</locality>")
-        elem["key"] = elem["key"].sub(/,.*$/, "")
+        elem["key"] = elem["key"].sub(/(^[^,]+),.*$/, "\\1")
       end
 
       def concept_termbase_cleanup(elem)
diff --git a/lib/metanorma/standoc/cleanup_text.rb b/lib/metanorma/standoc/cleanup_text.rb
index a6b5f9ee..a18b943b 100644
--- a/lib/metanorma/standoc/cleanup_text.rb
+++ b/lib/metanorma/standoc/cleanup_text.rb
@@ -2,8 +2,8 @@ module Metanorma
   module Standoc
     module Cleanup
       def textcleanup(result)
-        text = result.flatten.map { |l| l.sub(/\s*\Z/, "") } * "\n"
-        text = text.gsub(/\s+<fn /, "<fn ")
+        text = result.flatten.map { |l| l.sub(/(?<!\s)\s*\Z/, "") } * "\n"
+        text = text.gsub(/(?<!\s)\s+<fn /, "<fn ")
         %w(passthrough passthrough-inline).each do |v|
           text.gsub!(%r{<#{v}\s+formats="metanorma">([^<]*)
                     </#{v}>}mx) { @c.decode($1) }
diff --git a/lib/metanorma/standoc/datamodel/plantuml_renderer.rb b/lib/metanorma/standoc/datamodel/plantuml_renderer.rb
index 7ef292ff..d1a7ff03 100644
--- a/lib/metanorma/standoc/datamodel/plantuml_renderer.rb
+++ b/lib/metanorma/standoc/datamodel/plantuml_renderer.rb
@@ -15,7 +15,7 @@ def initialize(yml, plantuml_path)
       end
 
       def join_as_plantuml(*ary)
-        ary.compact.join("\n").sub(/\s+\Z/, "")
+        ary.compact.join("\n").sub(/(?<!\s)\s+\Z/, "")
       end
 
       def render
diff --git a/lib/metanorma/standoc/localbib.rb b/lib/metanorma/standoc/localbib.rb
index d5c586a5..857c0269 100644
--- a/lib/metanorma/standoc/localbib.rb
+++ b/lib/metanorma/standoc/localbib.rb
@@ -23,7 +23,7 @@ def read_files(node)
 
       def init_file_bibdb_config(defn, key)
         /=/.match?(defn) or defn = "file=#{defn}"
-        values = defn.split(",").map { |item| item.split /\s*=\s*/ }.to_h
+        values = defn.split(",").map { |item| item.split /(?<!\s)\s*=\s*/ }.to_h
         values["key"] = key
         values["format"] ||= "bibtex" # all we currently suppoort
         values
diff --git a/lib/metanorma/standoc/macros.rb b/lib/metanorma/standoc/macros.rb
index 38fe03f7..c93a5106 100644
--- a/lib/metanorma/standoc/macros.rb
+++ b/lib/metanorma/standoc/macros.rb
@@ -22,7 +22,7 @@ class PseudocodeBlockMacro < Asciidoctor::Extensions::BlockProcessor
       on_context :example, :sourcecode
 
       def init_indent(line)
-        /^(?<prefix>[ \t]*)(?<suffix>.*)$/ =~ line
+        /^(?<prefix>[ \t]*)(?![ \t])(?<suffix>.*)$/ =~ line
         prefix = prefix.gsub("\t", "\u00a0\u00a0\u00a0\u00a0")
           .tr(" ", "\u00a0")
         prefix + suffix
diff --git a/lib/metanorma/standoc/macros_plantuml.rb b/lib/metanorma/standoc/macros_plantuml.rb
index 1e01038e..bff667a7 100644
--- a/lib/metanorma/standoc/macros_plantuml.rb
+++ b/lib/metanorma/standoc/macros_plantuml.rb
@@ -71,7 +71,7 @@ def self.save_plantuml(_parent, reader, _localdir)
 
       def self.prep_source(reader)
         src = reader.source
-        reader.lines.first.sub(/\s+$/, "").match /^@startuml($| )/ or
+        reader.lines.first.sub(/(?<!\s)\s+$/, "").match /^@startuml($| )/ or
           src = "@startuml\n#{src}\n@enduml\n"
         %r{@enduml\s*$}m.match?(src) or
           raise "@startuml without matching @enduml in PlantUML!"
diff --git a/lib/metanorma/standoc/ref.rb b/lib/metanorma/standoc/ref.rb
index 342d26a8..ccc44c23 100644
--- a/lib/metanorma/standoc/ref.rb
+++ b/lib/metanorma/standoc/ref.rb
@@ -5,7 +5,7 @@ module Metanorma
   module Standoc
     module Refs
       def iso_publisher(bib, code)
-        code.sub(/ .*$/, "").split("/").each do |abbrev|
+        code.sub(/(?<! ) .*$/, "").split("/").each do |abbrev|
           bib.contributor do |c|
             c.role type: "publisher"
             c.organization do |org|
diff --git a/lib/metanorma/standoc/ref_utility.rb b/lib/metanorma/standoc/ref_utility.rb
index eb97e017..b84244e2 100644
--- a/lib/metanorma/standoc/ref_utility.rb
+++ b/lib/metanorma/standoc/ref_utility.rb
@@ -20,7 +20,7 @@ def id_and_year(id, year)
       def norm_year(year)
         /^&\#821[12];$/.match(year) and return "--"
         /^\d\d\d\d-\d\d\d\d$/.match(year) and return year
-        year&.sub(/(?<=[0-9])-.*$/, "")
+        year&.sub(/^([0-9]+)-.*$/, "\\1")
       end
 
       def conditional_date(bib, match, noyr)
@@ -46,7 +46,7 @@ def docid(bib, code)
                         @bibdb&.docid_type(code) || [nil, code]
                       end
         code1.sub!(/^nofetch\((.+)\)$/, "\\1")
-        bib.docidentifier **attr_code(type: type) do |d|
+        bib.docidentifier **attr_code(type:) do |d|
           d << code1
         end
       end
@@ -59,7 +59,7 @@ def docnumber(bib, code)
       end
 
       def mn_code(code)
-        code.sub(/^\(/, "[").sub(/\).*$/, "]")
+        code.sub(/^\(/, "[").sub(/^([^)]+)\).*$/, "\\1]")
           .sub(/^dropid\((.+)\)$/, "\\1")
           .sub(/^hidden\((.+)\)$/, "\\1")
           .sub(/^nofetch\((.+)\)$/, "\\1")
@@ -67,7 +67,8 @@ def mn_code(code)
       end
 
       def analyse_ref_localfile(ret)
-        m = /^local-file\((?:(?<source>[^,]+),\s*)?(?<id>.+)\)$/.match(ret[:id])
+        m = /^local-file\((?:(?<source>[^,)]+),\s*)?(?<id>[^)]+)\)$/
+          .match(ret[:id])
         m or return ret
         ret.merge(id: m[:id], localfile: m[:source] || "default")
       end
@@ -88,7 +89,7 @@ def analyse_ref_dropid(ret)
       end
 
       def analyse_ref_repo_path(ret)
-        m = /^(?<type>repo|path|attachment):\((?<key>[^,]+),?(?<id>[^)]*)\)$/
+        m = /^(?<type>repo|path|attachment):\((?<key>[^,)]+),?(?<id>[^)]*)\)$/
           .match(ret[:id]) or return ret
         id = if m[:id].empty?
                if m[:type] == "attachment"
@@ -96,7 +97,7 @@ def analyse_ref_repo_path(ret)
                else m[:key].sub(%r{^[^/]+/}, "")
                end
              else m[:id] end
-        ret.merge(id: id, type: m[:type], key: m[:key], nofetch: true)
+        ret.merge(id:, type: m[:type], key: m[:key], nofetch: true)
       end
 
       def analyse_ref_numeric(ret)
diff --git a/lib/metanorma/standoc/section.rb b/lib/metanorma/standoc/section.rb
index 1abbd118..f03b6b47 100644
--- a/lib/metanorma/standoc/section.rb
+++ b/lib/metanorma/standoc/section.rb
@@ -14,8 +14,8 @@ def sectiontype1(node)
         node.attr("heading")&.downcase ||
           node.title
             .gsub(%r{<index>.*?</index>}m, "")
-            .gsub(%r{<fn[^>]*>.*?</fn>}m, "")
-            .gsub(/<[^>]+>/, "")
+            .gsub(%r{<fn[^<>]*>.*?</fn>}m, "")
+            .gsub(/<[^<>]+>/, "")
             .strip.downcase.sub(/\.$/, "")
       end
 
diff --git a/spec/metanorma/base_spec.rb b/spec/metanorma/base_spec.rb
index 27efc4af..e686ac03 100644
--- a/spec/metanorma/base_spec.rb
+++ b/spec/metanorma/base_spec.rb
@@ -1378,7 +1378,7 @@
       :scripts: spec/assets/scripts.html
     INPUT
     html = File.read("test.html", encoding: "utf-8")
-    expect(html).to match(%r{<script>})
+    expect(html).to match(%r{<script>}i)
   end
 
   it "uses specified fonts and assets in HTML" do