fix: make eval opt in for Fn::Eval, Fn::IfEval off by default

README.md

@@ -88,7 +88,7 @@ Options:
 * `--version`        print version and exit
 * `--context`        template full path. only utilized for stdin when the template is piped to this script
   example:          `cat examples/base.template | ./bin/cli.js --context examples/base.template`
-* `--enable`         different options / toggles: ['env']    [string] [choices: "env"]
+* `--enable`         different options / toggles: ['env','eval']    [string] [choices: 'env','eval','env.eval' etc...]
   * `env` pre-process env vars and inject into templates as they are processed looks for $KEY or ${KEY} matches
 * `-i, --inject`     JSON string payload to use for template injection. (Takes precedence over process.env (if enabled) injection and will be merged on top of process.env)
 * `--doLog`          console log out include options in recurse step.
@@ -1015,6 +1015,10 @@ In summary falsy values are omitted from an object except `false` and `0`.
 
 ## Fn::Eval
 
+Opt in to use `eval` in your templates. This is disabled by default.
+
+`--enable eval` is required to turn on options.doEval in the include function.
+
 ```yaml
 Fn::Eval:
   state: [1, 2, 3]
@@ -1030,6 +1034,10 @@ Fn::Eval:
 
 ## Fn::IfEval
 
+Opt in to use `eval` in your templates. This is disabled by default.
+
+`--enable eval` is required to turn on options.doEval in the include function.
+
 ```yaml
 Fn::IfEval:
   inject:

bin/cli.js

@@ -70,8 +70,9 @@ const opts = yargs
     },
     enable: {
       string: true,
-      desc: `enable different options: ['env']`,
-      choices: ['env'],
+      desc: `enable different options: ['env','eval'] or a combination of both via comma.`,
+      choices: ['', 'env', 'env,eval', 'eval,env', 'eval'], // '' hack
+      default: '',
     },
     inject: {
       alias: 'i',
@@ -96,6 +97,9 @@ const opts = yargs
   })
   .parse();
 
+// make enable an array
+opts.enable = opts.enable.split(',');
+
 let promise;
 if (opts.path) {
   let location;
@@ -105,7 +109,8 @@ if (opts.path) {
   else location = `file://${path.join(process.cwd(), opts.path)}`;
   promise = include({
     url: location,
-    doEnv: opts.enable === 'env',
+    doEnv: opts.enable.includes('env'),
+    doEval: opts.enable.includes('eval'),
     inject: opts.inject,
     doLog: opts.doLog,
   });
@@ -126,12 +131,13 @@ if (opts.path) {
       ? path.resolve(opts.context)
       : path.join(process.cwd(), 'template.yml');
 
-    template = opts.enable === 'env' ? replaceEnv(template) : template;
+    template = opts.enable.includes('env') ? replaceEnv(template) : template;
 
     return include({
       template: yaml.load(template),
       url: `file://${location}`,
-      doEnv: opts.enable === 'env',
+      doEnv: opts.enable.includes('env'),
+      doEval: opts.enable.includes('eval'),
       inject: opts.inject,
       doLog: opts.doLog,
     }).catch((err) => console.error(err));

index.js

@@ -44,6 +44,7 @@ const { isOurExplicitFunction } = require('./lib/schema');
  *     doEnv: opts.enable === 'env',
  *     inject: opts.inject,
  *     doLog: opts.doLog,
+ *     doEval: opts.doEval, -- allow Fn::Eval to be used
  *   })
  */
 module.exports = async function (options) {
@@ -231,7 +232,7 @@ async function recurse({ base, scope, cft, ...opts }) {
         }
       );
     }
-    if (cft['Fn::Eval']) {
+    if (cft['Fn::Eval'] && opts.doEval) {
       return recurse({ base, scope, cft: cft['Fn::Eval'], ...opts }).then(function (json) {
         // **WARNING** you have now enabled god mode
         // eslint-disable-next-line no-unused-vars, prefer-const
@@ -386,7 +387,7 @@ async function recurse({ base, scope, cft, ...opts }) {
       return isString ? seq.map((i) => String.fromCharCode(i)) : seq;
     }
 
-    if (cft['Fn::IfEval']) {
+    if (cft['Fn::IfEval'] && opts.doEval) {
       return recurse({ base, scope, cft: cft['Fn::IfEval'], ...opts }).then(function (json) {
         // eslint-disable-next-line prefer-const
         let { truthy, falsy, evalCond, inject, doLog } = json;

t/cli.js

@@ -26,6 +26,7 @@ const extendEnv = require('./tests/extendEnv');
                 return done();
               }
               // console.log({out: out.toString()})
+              out = out || '{}'; // fix for empty output to see failed test
               const json = JSON.parse(out.toString());
               delete json.Metadata;
               assert.deepEqual(json, test.output);

t/include.js

@@ -54,6 +54,7 @@ tests.forEach(function (file) {
           // eslint-disable-next-line n/no-path-concat
           url: `file://${__dirname}/template.json`,
           doEnv: !!test.doEnv || false,
+          doEval: !!test.doEval || false,
         };
         if (test.inject) {
           opts.inject = test.inject;

t/tests/ifeval.js

@@ -2,6 +2,7 @@ module.exports = {
   ifEval: [
     {
       name: 'truthy',
+      doEval: true,
       template: {
         'Fn::IfEval': {
           inject: {
@@ -25,6 +26,7 @@ module.exports = {
     },
     {
       name: 'falsy',
+      doEval: true,
       template: {
         'Fn::IfEval': {
           inject: {
@@ -48,6 +50,7 @@ module.exports = {
     },
     {
       name: 'no falsy',
+      doEval: true,
       template: {
         'Fn::IfEval': {
           inject: {
@@ -64,6 +67,7 @@ module.exports = {
     },
     {
       name: 'evalCond required',
+      doEval: true,
       template: {
         'Fn::IfEval': {
           inject: {