Fix clojure test cases for in-depth escaping scenario

Author: pimterry

src/targets/clojure/clj_http.js

@@ -12,6 +12,7 @@
 
 const CodeBuilder = require('../../helpers/code-builder')
 const helpers = require('../../helpers/headers')
+const { escape } = require('../../helpers/format')
 
 const Keyword = function (name) {
   this.name = name
@@ -60,7 +61,7 @@ const padBlock = function (x, s) {
 const jsToEdn = function (js) {
   switch (jsType(js)) {
     case 'string':
-      return '"' + js.replace(/"/g, '\\"') + '"'
+      return '"' + escape(js, { delimiter: '"' }) + '"'
     case 'file':
       return js.toString()
     case 'keyword':
@@ -73,7 +74,14 @@ const jsToEdn = function (js) {
       const obj = Object.keys(js)
         .reduce(function (acc, key) {
           const val = padBlock(key.length + 2, jsToEdn(js[key]))
-          return acc + ':' + key + ' ' + val + '\n '
+
+          // This check is overly strict, but good enough for us for
+          // all typical HTTP values we care about
+          const safeKey = key.match(/^[a-zA-Z_][\w-]*$/)
+            ? ':' + key
+            : jsToEdn(key)
+
+          return acc + safeKey + ' ' + val + '\n '
         }, '')
         .trim()
       return '{' + padBlock(1, obj) + '}'

test/fixtures/output/clojure/clj_http/malicious.clj

@@ -0,0 +1,36 @@
+(require '[clj-http.client :as client])
+
+(client/post "http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//" {:headers {:squote-value-test "'"
+                                                                            :dquote-value-test "\""
+                                                                            :backtick-value-test "`"
+                                                                            :dollar-parenthesis-value-test "$("
+                                                                            :hash-brace-value-test "#{"
+                                                                            :percent-parenthesis-value-test "%("
+                                                                            :percent-brace-value-test "%{"
+                                                                            :double-brace-value-test "{{"
+                                                                            :null-value-test "\\0"
+                                                                            :string-fmt-value-test "%s"
+                                                                            :slash-value-test "\\"}
+                                                                  :query-params {"'" "squote-key-test"
+                                                                                 :squote-value-test "'"
+                                                                                 "\"" "dquote-key-test"
+                                                                                 :dquote-value-test "\""
+                                                                                 "`" "backtick-key-test"
+                                                                                 :backtick-value-test "`"
+                                                                                 "$(" "dollar-parenthesis-key-test"
+                                                                                 :dollar-parenthesis-value-test "$("
+                                                                                 "#{" "hash-brace-key-test"
+                                                                                 :hash-brace-value-test "#{"
+                                                                                 "%(" "percent-parenthesis-key-test"
+                                                                                 :percent-parenthesis-value-test "%("
+                                                                                 "%{" "percent-brace-key-test"
+                                                                                 :percent-brace-value-test "%{"
+                                                                                 "{{" "double-brace-key-test"
+                                                                                 :double-brace-value-test "{{"
+                                                                                 "\\0" "null-key-test"
+                                                                                 :null-value-test "\\0"
+                                                                                 "%s" "string-fmt-key-test"
+                                                                                 :string-fmt-value-test "%s"
+                                                                                 "\\" "slash-key-test"
+                                                                                 :slash-value-test "\\"}
+                                                                  :body "' \" ` $( #{ %( %{ {{ \\0 %s \\"})

test/fixtures/output/clojure/clj_http/nested.clj

@@ -1,5 +1,5 @@
 (require '[clj-http.client :as client])
 
-(client/get "http://mockbin.com/har" {:query-params {:foo[bar] "baz,zap"
+(client/get "http://mockbin.com/har" {:query-params {"foo[bar]" "baz,zap"
                                                      :fiz "buz"
                                                      :key "value"}})

test/targets.js

@@ -42,7 +42,7 @@ const itShouldHaveInfo = function (name, obj) {
 // TODO: investigate issues with these fixtures
 const skipMe = {
   clojure: {
-    clj_http: ['jsonObj-null-value', 'jsonObj-multiline', 'malicious']
+    clj_http: ['jsonObj-null-value', 'jsonObj-multiline']
   },
   objc: {
     nsurlsession: ['malicious']