Fix python test cases for in-depth escaping scenario

pimterry · pimterry · commit 0a7fa5d504d9 · 2024-07-02T18:10:21.000+02:00
diff --git a/src/targets/python/helpers.js b/src/targets/python/helpers.js
@@ -62,7 +62,12 @@ module.exports = {
       case '[object Object]': {
         const keyValuePairs = []
         for (const k in value) {
-          keyValuePairs.push(util.format('"%s": %s', k, this.literalRepresentation(value[k], opts, indentLevel)))
+          keyValuePairs.push(
+            util.format('%s: %s',
+              this.literalRepresentation(k, opts, indentLevel),
+              this.literalRepresentation(value[k], opts, indentLevel)
+            )
+          )
         }
         return concatValues('object', keyValuePairs, opts.pretty && keyValuePairs.length > 1, opts.indent, indentLevel)
       }
diff --git a/test/fixtures/output/python/requests/malicious.py b/test/fixtures/output/python/requests/malicious.py
@@ -0,0 +1,47 @@
+import requests
+
+url = "http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//"
+
+querystring = {
+    "'": "squote-key-test",
+    "squote-value-test": "'",
+    "\"": "dquote-key-test",
+    "dquote-value-test": "\"",
+    "`": "backtick-key-test",
+    "backtick-value-test": "`",
+    "$(": "dollar-parenthesis-key-test",
+    "dollar-parenthesis-value-test": "$(",
+    "#{": "hash-brace-key-test",
+    "hash-brace-value-test": "#{",
+    "%(": "percent-parenthesis-key-test",
+    "percent-parenthesis-value-test": "%(",
+    "%{": "percent-brace-key-test",
+    "percent-brace-value-test": "%{",
+    "{{": "double-brace-key-test",
+    "double-brace-value-test": "{{",
+    "\\0": "null-key-test",
+    "null-value-test": "\\0",
+    "%s": "string-fmt-key-test",
+    "string-fmt-value-test": "%s",
+    "\\": "slash-key-test",
+    "slash-value-test": "\\"
+}
+
+payload = "' \" ` $( #{ %( %{ {{ \\0 %s \\"
+headers = {
+    "squote-value-test": "'",
+    "dquote-value-test": "\"",
+    "backtick-value-test": "`",
+    "dollar-parenthesis-value-test": "$(",
+    "hash-brace-value-test": "#{",
+    "percent-parenthesis-value-test": "%(",
+    "percent-brace-value-test": "%{",
+    "double-brace-value-test": "{{",
+    "null-value-test": "\\0",
+    "string-fmt-value-test": "%s",
+    "slash-value-test": "\\"
+}
+
+response = requests.post(url, data=payload, headers=headers, params=querystring)
+
+print(response.text)
diff --git a/test/targets.js b/test/targets.js
@@ -44,9 +44,6 @@ const skipMe = {
   clojure: {
     clj_http: ['jsonObj-null-value', 'jsonObj-multiline']
   },
-  python: {
-    requests: ['malicious']
-  },
   r: {
     httr: ['malicious']
   },

Original file line number	Diff line number	Diff line change
`@@ -62,7 +62,12 @@ module.exports = {`
`62`	`62`	`case '[object Object]': {`
`63`	`63`	`const keyValuePairs = []`
`64`	`64`	`for (const k in value) {`
`65`		`- keyValuePairs.push(util.format('"%s": %s', k, this.literalRepresentation(value[k], opts, indentLevel)))`
	`65`	`+ keyValuePairs.push(`
	`66`	`+ util.format('%s: %s',`
	`67`	`+ this.literalRepresentation(k, opts, indentLevel),`
	`68`	`+ this.literalRepresentation(value[k], opts, indentLevel)`
	`69`	`+ )`
	`70`	`+ )`
`66`	`71`	`}`
`67`	`72`	`return concatValues('object', keyValuePairs, opts.pretty && keyValuePairs.length > 1, opts.indent, indentLevel)`
`68`	`73`	`}`