Use more secure exturl library

exturl no longer reads from pwd automatically, so we have to explicitly
support it in all the CLI tools

TUTORIAL.md

@@ -262,13 +262,13 @@ The `puccini-clout scriptlet exec` command can also execute scriptlets that are
 embedded in the Clout. Let's use a scriptlet that creates an HTML page that visualizes
 the topology:
 
-    puccini-clout scriptlet exec assets/profiles/common/1.0/js/visualize.js clout.yaml --output=tosca.html
+    puccini-clout scriptlet exec assets/tosca/profiles/common/1.0/js/visualize.js clout.yaml --output=tosca.html
     xdg-open tosca.html
 
 Note another shortcut for `puccini-tosca compile`: you can use the `--exec` flag to
 execute scriptlets right after compilation, thus skipping the Clout intermediary:
 
-    puccini-tosca compile examples/tosca/requirements-and-capabilities.yaml --exec=assets/profiles/common/1.0/js/visualize.js
+    puccini-tosca compile examples/tosca/requirements-and-capabilities.yaml --exec=assets/tosca/profiles/common/1.0/js/visualize.js
 
 See [here](puccini-clout/) for more information about the `puccini-clout` tool.
 

clout/js/clout-api.go

@@ -9,6 +9,7 @@ import (
 	"github.com/dop251/goja"
 	"github.com/fxamacker/cbor/v2"
 	"github.com/tliron/commonjs-goja"
+	"github.com/tliron/exturl"
 	"github.com/tliron/go-ard"
 	cloutpkg "github.com/tliron/puccini/clout"
 	"github.com/vmihailenco/msgpack/v5"
@@ -36,8 +37,14 @@ func (self *CloutAPI) Load(context contextpkg.Context, data any) (*CloutAPI, err
 	var err error
 
 	switch data_ := data.(type) {
+	case exturl.URL:
+		if clout, err = cloutpkg.Load(context, data_); err != nil {
+			return nil, err
+		}
+
 	case string:
-		if clout, err = cloutpkg.Load(context, data_, "", self.cloutContext.Context.URLContext); err != nil {
+		url := self.cloutContext.Context.URLContext.NewAnyOrFileURL(data_)
+		if clout, err = cloutpkg.Load(context, url); err != nil {
 			return nil, err
 		}
 
@@ -62,6 +69,7 @@ func (self *CloutAPI) Call(scriptletName string, functionName string, arguments
 	return executionContext.Call(scriptletName, functionName, arguments)
 }
 
+// TODO: unused?
 func (self *CloutAPI) CallAll(function goja.FunctionCall) goja.Value {
 	if len(function.Arguments) >= 2 {
 		if scriptletBaseName, ok := function.Arguments[0].Export().(string); ok {

clout/js/context.go

@@ -98,5 +98,9 @@ func (self *Context) NewEnvironment(clout *cloutpkg.Clout, apis map[string]any)
 
 func (self *Context) Require(clout *cloutpkg.Clout, scriptletName string, apis map[string]any) (*goja.Object, error) {
 	environment := self.NewEnvironment(clout, apis)
-	return environment.RequireID(scriptletName)
+	if r, err := environment.RequireID(scriptletName); err == nil {
+		return r, nil
+	} else {
+		return r, UnwrapException(err)
+	}
 }

clout/js/puccini-api.go

@@ -110,7 +110,7 @@ func (self *PucciniAPI) Write(data any, path string, dontOverwrite bool) {
 
 func (self *PucciniAPI) LoadString(url string) (string, error) {
 	context := contextpkg.TODO()
-	if url_, err := self.context.URLContext.NewValidURL(context, url, nil); err == nil {
+	if url_, err := self.context.URLContext.NewValidAnyOrFileURL(context, url, nil); err == nil {
 		return exturl.ReadString(context, url_)
 	} else {
 		return "", err

clout/load.go

@@ -7,24 +7,11 @@ import (
 	"github.com/tliron/kutil/util"
 )
 
-func Load(context contextpkg.Context, url string, format string, urlContext *exturl.Context) (*Clout, error) {
-	var url_ exturl.URL
-
-	var err error
-	if url != "" {
-		if url_, err = urlContext.NewValidURL(context, url, nil); err != nil {
-			return nil, err
-		}
-	} else {
-		if url_, err = urlContext.ReadToInternalURLFromStdin(context, format); err != nil {
-			return nil, err
-		}
-	}
-
-	if reader, err := url_.Open(context); err == nil {
+func Load(context contextpkg.Context, url exturl.URL) (*Clout, error) {
+	if reader, err := url.Open(context); err == nil {
 		reader = util.NewContextualReadCloser(context, reader)
 		defer reader.Close()
-		return Read(reader, url_.Format())
+		return Read(reader, url.Format())
 	} else {
 		return nil, err
 	}

go.mod

@@ -3,16 +3,16 @@ module github.com/tliron/puccini
 go 1.21
 
 require (
-	github.com/dop251/goja v0.0.0-20230812105242-81d76064690d
+	github.com/dop251/goja v0.0.0-20230828202809-3dbe69dd2b8e
 	github.com/fxamacker/cbor/v2 v2.5.0
 	github.com/klauspost/compress v1.16.7
 	github.com/klauspost/pgzip v1.2.6
 	github.com/segmentio/ksuid v1.0.4
 	github.com/spf13/cobra v1.7.0
-	github.com/tliron/commonjs-goja v0.1.0
+	github.com/tliron/commonjs-goja v0.1.2
 	github.com/tliron/commonlog v0.1.1
-	github.com/tliron/exturl v0.2.9
-	github.com/tliron/go-ard v0.1.3
+	github.com/tliron/exturl v0.4.0
+	github.com/tliron/go-ard v0.1.4
 	github.com/tliron/kutil v0.2.11
 	github.com/tliron/yamlkeys v1.3.6
 	github.com/vmihailenco/msgpack/v5 v5.3.5

go.sum

@@ -41,8 +41,8 @@ github.com/docker/docker v24.0.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bc
 github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
 github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0=
 github.com/dop251/goja v0.0.0-20211022113120-dc8c55024d06/go.mod h1:R9ET47fwRVRPZnOGvHxxhuZcbrMCuiqOz3Rlrh4KSnk=
-github.com/dop251/goja v0.0.0-20230812105242-81d76064690d h1:9aaGwVf4q+kknu+mROAXUApJ1DoOwhE8dGj/XLBYzWg=
-github.com/dop251/goja v0.0.0-20230812105242-81d76064690d/go.mod h1:QMWlm50DNe14hD7t24KEqZuUdC9sOTy8W6XbCU1mlw4=
+github.com/dop251/goja v0.0.0-20230828202809-3dbe69dd2b8e h1:UvQD6hTSfeM6hhTQ24Dlw2RppP05W7SWbWb6kubJAog=
+github.com/dop251/goja v0.0.0-20230828202809-3dbe69dd2b8e/go.mod h1:QMWlm50DNe14hD7t24KEqZuUdC9sOTy8W6XbCU1mlw4=
 github.com/dop251/goja_nodejs v0.0.0-20210225215109-d91c329300e7/go.mod h1:hn7BA7c8pLvoGndExHudxTDKZ84Pyvv+90pbBjbTz0Y=
 github.com/dop251/goja_nodejs v0.0.0-20211022123610-8dd9abb0616d/go.mod h1:DngW8aVqWbuLRMHItjPUyqdj+HWPvnQe8V8y1nDpIbM=
 github.com/elazarl/goproxy v0.0.0-20221015165544-a0805db90819 h1:RIB4cRk+lBqKK3Oy0r2gRX4ui7tuhiZq2SuTtTCi0/0=
@@ -166,14 +166,14 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/tliron/commonjs-goja v0.1.0 h1:BF1NitaiHl2RLxqjp9lGNXx2eiJtTKKk3UFpSEp3j5c=
-github.com/tliron/commonjs-goja v0.1.0/go.mod h1:mgGnXjwqvLSzMqsfLpwFGKS5qz40b66rE97IWHLQUSA=
+github.com/tliron/commonjs-goja v0.1.2 h1:DZj5x/WlkBPxPwg1DF+kYHkQpraxvzJ4UHUQHkvd/no=
+github.com/tliron/commonjs-goja v0.1.2/go.mod h1:B6gZxxfXlRR7DEcRbDvktu+KRW9L1zcEpg2lJLzqzdk=
 github.com/tliron/commonlog v0.1.1 h1:bCkNKk+O5ciKBFxnjcMGLR79TGCq8hMSh5DfaeRJQHk=
 github.com/tliron/commonlog v0.1.1/go.mod h1:qswie0h44wu9XrQ8sGOtmOjVVgI5qbU4Dl4wbi1b/w0=
-github.com/tliron/exturl v0.2.9 h1:7utvDHC9d1tqC/eHmiZvzklCn/ZRH7+/5QvjAU5+4Vc=
-github.com/tliron/exturl v0.2.9/go.mod h1:FoKROnSga8WXPeDHQTFPTaQPAyeJTR3PVGhycvM2hhg=
-github.com/tliron/go-ard v0.1.3 h1:E7M2Bpyb51wplLJGf5A4NqaOGoQqf2HuMwlmOGSi+Ig=
-github.com/tliron/go-ard v0.1.3/go.mod h1:zhlpib5+3HdpBEfTyU+KZ6XskBf2az8up4ZgJyT9hVw=
+github.com/tliron/exturl v0.4.0 h1:2lHilabGmaoux3oYyPMJxcAcuMevVbw8cZ3LL9qxYB4=
+github.com/tliron/exturl v0.4.0/go.mod h1:OGgLAYa3qGYKmRu/RVjKnNvw4Va4lhCxKMxMbbdicSI=
+github.com/tliron/go-ard v0.1.4 h1:NNtNdlX2Gxh14pIOd7xHBYIOws3XUCEIH4379Apag08=
+github.com/tliron/go-ard v0.1.4/go.mod h1:OFSzMH/CINMYBmCUwEzUmWvNbnAMJJE9f2LARwo4G3w=
 github.com/tliron/kutil v0.2.11 h1:DtYxIcABJK1sdDn6F5Fbth6LezbnWuVQQYu5z+rAU7E=
 github.com/tliron/kutil v0.2.11/go.mod h1:sLKEUxnqQ3iks5qv0d8hNLmk5kIerpZ58fJALtwSn9M=
 github.com/tliron/yamlkeys v1.3.6 h1:PPV4q7flMqIvmSUSsEZuns7Qt3VIMxkhBj+6KTRvI9c=

library/library.go

@@ -13,13 +13,13 @@ import (
 	"github.com/tliron/kutil/transcribe"
 	cloutpkg "github.com/tliron/puccini/clout"
 	"github.com/tliron/puccini/clout/js"
-	"github.com/tliron/puccini/tosca/parser"
+	"github.com/tliron/puccini/normal"
+	parserpkg "github.com/tliron/puccini/tosca/parser"
 	"github.com/tliron/puccini/tosca/parsing"
 	"github.com/tliron/yamlkeys"
 )
-import "github.com/tliron/puccini/normal"
 
-var parser_ = parser.NewParser()
+var parser = parserpkg.NewParser()
 
 //export Compile
 func Compile(url *C.char, inputs *C.char, quirks *C.char, resolve C.char, coerce C.char) *C.char {
@@ -66,11 +66,11 @@ func Compile(url *C.char, inputs *C.char, quirks *C.char, resolve C.char, coerce
 
 	var url_ exturl.URL
 	var err error
-	if url_, err = urlContext.NewValidURL(context, C.GoString(url), nil); err != nil {
+	if url_, err = urlContext.NewValidAnyOrFileURL(context, C.GoString(url), nil); err != nil {
 		return result(nil, nil, err)
 	}
 
-	parserContext := parser_.NewContext()
+	parserContext := parser.NewContext()
 	parserContext.URL = url_
 	parserContext.Quirks = quirks_
 	parserContext.Inputs = inputs_

puccini-clout/commands/common.go

@@ -1,11 +1,39 @@
 package commands
 
 import (
+	contextpkg "context"
+
 	"github.com/tliron/commonlog"
+	"github.com/tliron/exturl"
+	"github.com/tliron/kutil/util"
+	"github.com/tliron/puccini/clout"
+	cloutpkg "github.com/tliron/puccini/clout"
 )
 
 const toolName = "puccini-clout"
 
 var log = commonlog.GetLogger(toolName)
 
 var output string
+
+func Bases(urlContext *exturl.Context) []exturl.URL {
+	workingDir, err := urlContext.NewWorkingDirFileURL()
+	util.FailOnError(err)
+	return []exturl.URL{workingDir}
+}
+
+func LoadClout(context contextpkg.Context, url string, urlContext *exturl.Context) *clout.Clout {
+	var url_ exturl.URL
+	var err error
+	if url != "" {
+		url_, err = urlContext.NewValidAnyOrFileURL(context, url, Bases(urlContext))
+		util.FailOnError(err)
+	} else {
+		url_, err = urlContext.ReadToInternalURLFromStdin(context, format)
+		util.FailOnError(err)
+	}
+
+	clout, err := cloutpkg.Load(context, url_)
+	util.FailOnError(err)
+	return clout
+}

puccini-clout/commands/scriptlet-exec.go

@@ -36,15 +36,14 @@ var execCommand = &cobra.Command{
 		defer urlContext.Release()
 		context := contextpkg.TODO()
 
-		clout, err := cloutpkg.Load(context, url, inputFormat, urlContext)
-		util.FailOnError(err)
+		clout := LoadClout(context, url, urlContext)
 
 		// Try loading JavaScript from Clout
 		scriptlet, err := js.GetScriptlet(scriptletName, clout)
 
 		if err != nil {
 			// Try loading JavaScript from path or URL
-			scriptletUrl, err := urlContext.NewValidURL(context, scriptletName, nil)
+			scriptletUrl, err := urlContext.NewValidAnyOrFileURL(context, scriptletName, Bases(urlContext))
 			util.FailOnError(err)
 
 			scriptlet, err = exturl.ReadString(context, scriptletUrl)
@@ -62,5 +61,5 @@ var execCommand = &cobra.Command{
 func Exec(scriptletName string, scriptlet string, clout *cloutpkg.Clout, urlContext *exturl.Context) error {
 	jsContext := js.NewContext(scriptletName, log, arguments, terminal.Quiet, format, strict, pretty, output, urlContext)
 	_, err := jsContext.Require(clout, scriptletName, nil)
-	return js.UnwrapException(err)
+	return err
 }

puccini-clout/commands/scriptlet-get.go

@@ -9,7 +9,6 @@ import (
 	"github.com/tliron/kutil/terminal"
 	"github.com/tliron/kutil/transcribe"
 	"github.com/tliron/kutil/util"
-	cloutpkg "github.com/tliron/puccini/clout"
 	"github.com/tliron/puccini/clout/js"
 )
 
@@ -34,8 +33,7 @@ var getCommand = &cobra.Command{
 		urlContext := exturl.NewContext()
 		defer urlContext.Release()
 
-		clout, err := cloutpkg.Load(contextpkg.TODO(), url, inputFormat, urlContext)
-		util.FailOnError(err)
+		clout := LoadClout(contextpkg.TODO(), url, urlContext)
 
 		scriptlet, err := js.GetScriptlet(scriptletName, clout)
 		util.FailOnError(err)

puccini-clout/commands/scriptlet-list.go

@@ -1,7 +1,7 @@
 package commands
 
 import (
-	"context"
+	contextpkg "context"
 	"strings"
 
 	"github.com/spf13/cobra"
@@ -31,8 +31,7 @@ var listCommand = &cobra.Command{
 		urlContext := exturl.NewContext()
 		defer urlContext.Release()
 
-		clout, err := cloutpkg.Load(context.TODO(), url, inputFormat, urlContext)
-		util.FailOnError(err)
+		clout := LoadClout(contextpkg.TODO(), url, urlContext)
 
 		List(clout)
 	},

puccini-clout/commands/scriptlet-put.go

@@ -8,7 +8,6 @@ import (
 	"github.com/tliron/exturl"
 	"github.com/tliron/kutil/transcribe"
 	"github.com/tliron/kutil/util"
-	cloutpkg "github.com/tliron/puccini/clout"
 	"github.com/tliron/puccini/clout/js"
 )
 
@@ -35,10 +34,9 @@ var putCommand = &cobra.Command{
 		defer urlContext.Release()
 		context := contextpkg.TODO()
 
-		clout, err := cloutpkg.Load(context, url, inputFormat, urlContext)
-		util.FailOnError(err)
+		clout := LoadClout(context, url, urlContext)
 
-		scriptletUrl_, err := urlContext.NewValidURL(context, scriptletUrl, nil)
+		scriptletUrl_, err := urlContext.NewValidAnyOrFileURL(context, scriptletUrl, Bases(urlContext))
 		util.FailOnError(err)
 
 		scriptlet, err := exturl.ReadString(context, scriptletUrl_)

puccini-csar/commands/common.go

@@ -2,10 +2,18 @@ package commands
 
 import (
 	"github.com/tliron/commonlog"
+	"github.com/tliron/exturl"
+	"github.com/tliron/kutil/util"
 )
 
 const toolName = "puccini-csar"
 
 var log = commonlog.GetLogger(toolName)
 
 var archiveFormat string
+
+func Bases(urlContext *exturl.Context) []exturl.URL {
+	workingDir, err := urlContext.NewWorkingDirFileURL()
+	util.FailOnError(err)
+	return []exturl.URL{workingDir}
+}