github.com/danielgtaylor/chroma
NOTE: As Chroma has just been released, its API is still in flux. That said, the high-level interface should not change significantly.
Chroma takes source code and other structured text and converts it into syntax highlighted HTML, ANSI-coloured text, etc.
Chroma is based heavily on Pygments, and includes translators for Pygments lexers and styles.
ABNF, ANTLR, APL, ActionScript, ActionScript 3, Ada, Angular2, ApacheConf, AppleScript, Awk, BNF, Ballerina, Base Makefile, Bash, Batchfile, BlitzBasic, Brainfuck, C, C#, C++, CFEngine3, CMake, COBOL, CSS, Cap'n Proto, Ceylon, ChaiScript, Cheetah, Clojure, CoffeeScript, Common Lisp, Coq, Crystal, Cython, DTD, Dart, Diff, Django/Jinja, Docker, EBNF, Elixir, Elm, EmacsLisp, Erlang, FSharp, Factor, Fish, Forth, Fortran, GAS, GDScript, GLSL, Genshi, Genshi HTML, Genshi Text, Gnuplot, Go, Go HTML Template, Go Text Template, Groovy, HTML, HTTP, Handlebars, Haskell, Haxe, Hexdump, Hy, INI, Idris, Io, JSON, JSX, Java, JavaScript, Julia, Kotlin, LLVM, Lighttpd configuration file, Lua, Mako, Mason, Mathematica, MiniZinc, Modula-2, MorrowindScript, MySQL, Myghty, NASM, Newspeak, Nginx configuration file, Nim, Nix, OCaml, Objective-C, Octave, Org Mode, PHP, PL/pgSQL, POVRay, PacmanConf, Perl, Pig, PkgConfig, PostScript, PostgreSQL SQL dialect, PowerShell, Prolog, Protocol Buffer, Puppet, Python, Python 3, QBasic, R, Racket, Ragel, Rexx, Ruby, Rust, SCSS, SPARQL, SQL, Sass, Scala, Scheme, Scilab, Smalltalk, Smarty, Snobol, Solidity, SquidConf, Swift, TASM, TOML, Tcl, Tcsh, TeX, Termcap, Terminfo, Terraform, Thrift, Transact-SQL, Turtle, Twig, TypeScript, TypoScript, TypoScriptCssData, TypoScriptHtmlData, VHDL, VimL, WDTE, XML, Xorg, YAML, cfstatement, markdown, reStructuredText, reg, systemverilog, verilog
I will attempt to keep this section up to date, but an authoritative list can be displayed with chroma --list.
Chroma, like Pygments, has the concepts of lexers, formatters and styles.
Lexers convert source text into a stream of tokens, styles specify how token types are mapped to colours, and formatters convert tokens and styles into formatted output.
A package exists for each of these, containing a global Registry variable with all of the registered implementations. There are also helper functions for using the registry in each package, such as looking up lexers by name or matching filenames, etc.
In all cases, if a lexer, formatter or style cannot be determined, nil will be returned. In this situation you may want to default to the Fallback value in each respective package, which provides sane defaults.
A convenience function exists that can be used to simply format some source text, without any effort:
err := quick.Highlight(os.Stdout, someSourceCode, "go", "html", "monokai")
To highlight code, you'll first have to identify what language the code is written in. There are three primary ways to do that:
Detect the language from its filename.
lexer := lexers.Match("foo.go")
Explicitly specify the language by its Chroma syntax ID (a full list is available from lexers.Names()).
lexer := lexers.Get("go")
Detect the language from its content.
lexer := lexers.Analyse("package main\n\nfunc main()\n{\n}\n")
In all cases, nil will be returned if the language cannot be identified.
if lexer == nil {
lexer = lexers.Fallback
}
At this point, it should be noted that some lexers can be extremely chatty. To mitigate this, you can use the coalescing lexer to coalesce runs of identical token types into a single token:
lexer = chroma.Coalesce(lexer)
Once a language is identified you will need to pick a formatter and a style (theme).
style := styles.Get("swapoff")
if style == nil {
style = styles.Fallback
}
formatter := formatters.Get("html")
if formatter == nil {
formatter = formatters.Fallback
}
Then obtain an iterator over the tokens:
contents, err := ioutil.ReadAll(r)
iterator, err := lexer.Tokenise(nil, string(contents))
And finally, format the tokens from the iterator:
err := formatter.Format(w, style, iterator)
By default the html registered formatter generates standalone HTML with embedded CSS. More flexibility is available through the formatters/html package.
Firstly, the output generated by the formatter can be customised with the following constructor options:
Standalone() - generate standalone HTML with embedded CSS.
WithClasses() - use classes rather than inlined style attributes.
ClassPrefix(prefix) - prefix each generated CSS class.
TabWidth(width) - set the rendered tab width, in characters.
WithLineNumbers() - render line numbers (style with LineNumbers).
HighlightLines(ranges) - highlight lines in these ranges (style with LineHighlight).
LineNumbersInTable() - use a table for formatting line numbers and code, rather than spans.
If WithClasses() is used, the corresponding CSS can be obtained from the formatter with:
formatter := html.New(html.WithClasses())
err := formatter.WriteCSS(w, style)
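To make the coalescing step and the class-based HTML output above concrete without pulling in the library, here is a small self-contained Go model (added for this page, not Chroma's own code): a Token type that stands in for Chroma's tokens, a Coalesce that merges runs of identical token types exactly as chroma.Coalesce is described, and a FormatHTML that emits the span-per-token, class-prefixed markup that WithClasses()/ClassPrefix() produce. The token stream and the single-letter type names are constructed for the example; the one behaviour worth checking from a security standpoint is that token text is HTML-escaped, so highlighting untrusted source never injects live markup.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// Token models the shape of a Chroma token: a type and the text it covers.
// This is a constructed stand-in for the example, not Chroma's own type.
type Token struct {
	Type  string
	Value string
}

// Coalesce merges adjacent tokens of the same type into one token, which is
// what the chroma.Coalesce wrapper does for chatty lexers that emit many
// single-character tokens of the same kind.
func Coalesce(tokens []Token) []Token {
	var out []Token
	for _, t := range tokens {
		if n := len(out); n > 0 && out[n-1].Type == t.Type {
			out[n-1].Value += t.Value
			continue
		}
		out = append(out, t)
	}
	return out
}

// FormatHTML renders tokens as <span class="<prefix><type>"> elements, the
// output shape of html.New(html.WithClasses(), html.ClassPrefix(prefix)).
// Token text is escaped so input such as "<b>" stays inert text in the page.
func FormatHTML(tokens []Token, classPrefix string) string {
	var sb strings.Builder
	fmt.Fprintf(&sb, `<pre class="%schroma">`, classPrefix)
	for _, t := range tokens {
		fmt.Fprintf(&sb, `<span class="%s%s">%s</span>`,
			classPrefix, t.Type, html.EscapeString(t.Value))
	}
	sb.WriteString("</pre>")
	return sb.String()
}

func main() {
	// Constructed stream for the Go snippet `x := "<b>"` as a chatty lexer
	// might emit it: n=name, w=whitespace, o=operator, s=string.
	raw := []Token{{"n", "x"}, {"w", " "}, {"o", ":"}, {"o", "="},
		{"w", " "}, {"s", `"`}, {"s", "<b>"}, {"s", `"`}}
	merged := Coalesce(raw)
	fmt.Printf("%d tokens coalesced to %d\n", len(raw), len(merged))
	fmt.Println(FormatHTML(merged, "hl-"))
}
```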
See the Pygments documentation for details on implementing lexers. Most concepts apply directly to Chroma, but see existing lexer implementations for real examples.
In many cases lexers can be automatically converted directly from Pygments by using the included Python 3 script pygments2chroma.py. I use something like the following:
python3 ~/Projects/chroma/_tools/pygments2chroma.py \
pygments.lexers.jvm.KotlinLexer \
> ~/Projects/chroma/lexers/kotlin.go \
&& gofmt -s -w ~/Projects/chroma/lexers/*.go
See notes in pygments-lexers.go for a list of lexers, and notes on some of the issues importing them.
Chroma supports HTML output, as well as terminal output in 8 colour, 256 colour, and true-colour.
A noop formatter is included that outputs the token text only, and a tokens formatter outputs raw tokens. The latter is useful for debugging lexers.
Chroma styles use the same syntax as Pygments.
All Pygments styles have been converted to Chroma using the _tools/style.py
script.
For a quick overview of the available styles and how they look, check out the Chroma Style Gallery.
A command-line interface to Chroma is included. It can be installed with:
go get -u github.com/alecthomas/chroma/cmd/chroma