ferrocv 0.6.0

Render JSON Resume documents to PDF, HTML, and plain text via embedded Typst.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228

//! `typst.toml` manifest parsing.
//!
//! We parse the minimum required fields for `ferrocv` to be able to
//! wire a cached package into [`crate::theme::OwnedTheme`]:
//!
//! - `package.name`
//! - `package.version`
//! - `package.entrypoint`
//!
//! Optional fields (authors, license, description, keywords, etc.)
//! are ignored. We parse via `toml::Value` rather than `serde`-derived
//! types to avoid pulling `serde-derive` into the `install` feature
//! just for three string fields.

use std::path::{Component, Path};

use super::InstallError;

/// Minimal view of `typst.toml` that `ferrocv` cares about.
///
/// Built by [`parse_manifest`]; never constructed directly. The
/// `entrypoint` string is validated to be a relative path with no
/// `..` components, so Stage C's cache resolver can safely join it
/// against the package root without worrying about escapes.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Manifest {
    /// `package.name`.
    pub name: String,
    /// `package.version`.
    pub version: String,
    /// `package.entrypoint` — relative path inside the package.
    pub entrypoint: String,
}

/// Parse a `typst.toml` string into a [`Manifest`].
pub fn parse_manifest(toml_str: &str) -> Result<Manifest, InstallError> {
    let value: toml::Value =
        toml_str
            .parse()
            .map_err(|e: toml::de::Error| InstallError::ManifestParse {
                reason: e.to_string(),
            })?;

    let package = value
        .get("package")
        .ok_or_else(|| InstallError::ManifestParse {
            reason: "missing [package] table".to_owned(),
        })?;

    let name = read_required_string(package, "name")?;
    let version = read_required_string(package, "version")?;
    let entrypoint = read_required_string(package, "entrypoint")?;

    if entrypoint.is_empty() {
        return Err(InstallError::ManifestParse {
            reason: "package.entrypoint is empty".to_owned(),
        });
    }
    // Reject Windows drive-letter and UNC prefixes explicitly: the
    // manifest parses on whatever host runs `themes install`, but
    // the cache may be read on a different host. `Path::components()`
    // is platform-dependent — on Unix it would happily accept
    // `C:\evil.typ` as a single Normal component, only for a later
    // `Path::join(cache_root, "C:\\evil.typ")` on Windows to discard
    // the cache root. The string check runs before the `Path` walk
    // so the rejection is host-independent.
    let bytes = entrypoint.as_bytes();
    if bytes.len() >= 2 && bytes[1] == b':' && bytes[0].is_ascii_alphabetic() {
        return Err(InstallError::ManifestParse {
            reason: format!("package.entrypoint must be a relative path: {entrypoint}"),
        });
    }
    if entrypoint.starts_with("\\\\") || entrypoint.starts_with("//") {
        return Err(InstallError::ManifestParse {
            reason: format!("package.entrypoint must be a relative path: {entrypoint}"),
        });
    }
    // Walk the path's components to catch Unix-absolute paths and
    // `..` segments. The drive-letter / UNC checks above already
    // covered the host-independent prefixes; this catches the rest.
    for component in Path::new(&entrypoint).components() {
        match component {
            Component::Normal(_) | Component::CurDir => {}
            Component::ParentDir => {
                return Err(InstallError::ManifestParse {
                    reason: format!(
                        "package.entrypoint may not contain `..` segments: {entrypoint}"
                    ),
                });
            }
            Component::RootDir | Component::Prefix(_) => {
                return Err(InstallError::ManifestParse {
                    reason: format!("package.entrypoint must be a relative path: {entrypoint}"),
                });
            }
        }
    }

    Ok(Manifest {
        name,
        version,
        entrypoint,
    })
}

fn read_required_string(table: &toml::Value, key: &str) -> Result<String, InstallError> {
    let v = table.get(key).ok_or_else(|| InstallError::ManifestParse {
        reason: format!("missing package.{key}"),
    })?;
    v.as_str()
        .map(|s| s.to_owned())
        .ok_or_else(|| InstallError::ManifestParse {
            reason: format!("package.{key} must be a string"),
        })
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn parses_minimal_manifest() {
        let src = r#"
[package]
name = "basic-resume"
version = "0.2.8"
entrypoint = "src/lib.typ"
"#;
        let m = parse_manifest(src).expect("minimal manifest parses");
        assert_eq!(m.name, "basic-resume");
        assert_eq!(m.version, "0.2.8");
        assert_eq!(m.entrypoint, "src/lib.typ");
    }

    #[test]
    fn ignores_extra_fields() {
        let src = r#"
[package]
name = "basic-resume"
version = "0.2.8"
entrypoint = "src/lib.typ"
authors = ["Some Person"]
license = "MIT"
description = "blah"
keywords = ["cv"]
exclude = [".github"]

[template]
path = "template"
entrypoint = "main.typ"
"#;
        let m = parse_manifest(src).expect("manifest with extra fields parses");
        assert_eq!(m.name, "basic-resume");
        assert_eq!(m.entrypoint, "src/lib.typ");
    }

    #[test]
    fn rejects_missing_entrypoint() {
        let src = r#"
[package]
name = "x"
version = "1"
"#;
        let err = parse_manifest(src).expect_err("missing entrypoint must fail");
        assert!(matches!(err, InstallError::ManifestParse { .. }));
    }

    #[test]
    fn rejects_absolute_entrypoint() {
        let src = r#"
[package]
name = "x"
version = "1"
entrypoint = "/etc/passwd"
"#;
        let err = parse_manifest(src).expect_err("absolute entrypoint must fail");
        match err {
            InstallError::ManifestParse { reason } => {
                assert!(reason.contains("relative"));
            }
            other => panic!("expected ManifestParse, got {other:?}"),
        }
    }

    #[test]
    fn rejects_dotdot_entrypoint() {
        let src = r#"
[package]
name = "x"
version = "1"
entrypoint = "../other/lib.typ"
"#;
        let err = parse_manifest(src).expect_err("path-traversal entrypoint must fail");
        assert!(matches!(err, InstallError::ManifestParse { .. }));
    }

    #[test]
    fn rejects_windows_drive_letter_entrypoint() {
        // Drive-letter prefixes (`C:lib.typ`, `C:\lib.typ`) on Windows
        // are absolute or drive-relative; `Path::join(cache_root, ...)`
        // would discard the cache root and read from outside it. The
        // component-walk validator must reject these on every host so
        // a malicious manifest can't slip past Linux/macOS CI.
        for src in [
            r#"
[package]
name = "x"
version = "1"
entrypoint = "C:\\evil.typ"
"#,
            r#"
[package]
name = "x"
version = "1"
entrypoint = "C:lib.typ"
"#,
        ] {
            let err = parse_manifest(src).expect_err("drive-letter entrypoint must fail");
            assert!(matches!(err, InstallError::ManifestParse { .. }));
        }
    }

    #[test]
    fn rejects_invalid_toml() {
        let err = parse_manifest("not valid toml = = =").expect_err("malformed toml must fail");
        assert!(matches!(err, InstallError::ManifestParse { .. }));
    }
}