
Commit 91ba1b4

committed
Fix ObjC test cases for in-depth escaping scenario
1 parent 01ec104 commit 91ba1b4


4 files changed

+40
-5
lines changed


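--- a/src/targets/objc/helpers.js
+++ b/src/targets/objc/helpers.js
@@ -2,6 +2,8 @@
 
 const util = require('util')
 
+const { escape } = require('../../helpers/format')
+
 module.exports = {
 /**
 * Create an string of given length filled with blank spaces
@@ -73,7 +75,7 @@ module.exports = {
 if (value === null || value === undefined) {
 return ''
 }
-return '@"' + value.toString().replace(/"/g, '\\"') + '"'
+return '@"' + escape(value.toString(), { delimiter: '"' }) + '"'
 }
 }
 }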
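Review bot: The `escape(value.toString(), { delimiter: '"' })` call on new line 78 now carries the whole guarantee that request-derived text cannot close the `@"..."` literal in the generated snippet, yet the helper lives in `../../helpers/format` and its behaviour is not visible in this commit. The added fixture covers quotes, backslash and format-like sequences, but it does not appear to contain a newline or carriage return, which would also break a single-line Objective-C literal if emitted raw; a fixture value with an embedded line break would be worth adding. A short comment above the return would record the intent, e.g. `// Escape via the shared helper so untrusted values cannot terminate the @"..." literal`. The enclosing function starts outside the hunk.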

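--- a/src/targets/objc/nsurlsession.js
+++ b/src/targets/objc/nsurlsession.js
@@ -91,7 +91,9 @@ module.exports = function (source, options) {
 
 default:
 code.blank()
-.push('NSData *postData = [[NSData alloc] initWithData:[@"' + source.postData.text + '" dataUsingEncoding:NSUTF8StringEncoding]];')
+.push('NSData *postData = [[NSData alloc] initWithData:[' +
+helpers.literalRepresentation(source.postData.text) +
+' dataUsingEncoding:NSUTF8StringEncoding]];')
 }
 }
 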
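Review bot: `helpers.literalRepresentation(source.postData.text)` at new lines 94–96 is not guaranteed to return an `@"..."` string. If the null/undefined guard visible in the helpers.js hunk belongs to that helper, a missing `postData.text` yields an empty string and the generated line becomes `[ dataUsingEncoding:NSUTF8StringEncoding]`, which does not compile. The helper presumably also dispatches on value type (not visible here), so a non-string value would not emit an NSString receiver either. Coercing at the call site keeps the output well formed, e.g. `helpers.literalRepresentation(String(source.postData.text || ''))`. The `default:` branch sits in a switch that starts outside the hunk.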
Lines changed: 34 additions & 0 deletions
@@ -0,0 +1,34 @@
1+
#import <Foundation/Foundation.h>
2+
3+
NSDictionary *headers = @{ @"squote-value-test": @"'",
4+
@"dquote-value-test": @"\"",
5+
@"backtick-value-test": @"`",
6+
@"dollar-parenthesis-value-test": @"$(",
7+
@"hash-brace-value-test": @"#{",
8+
@"percent-parenthesis-value-test": @"%(",
9+
@"percent-brace-value-test": @"%{",
10+
@"double-brace-value-test": @"{{",
11+
@"null-value-test": @"\\0",
12+
@"string-fmt-value-test": @"%s",
13+
@"slash-value-test": @"\\" };
14+
15+
NSData *postData = [[NSData alloc] initWithData:[@"' \" ` $( #{ %( %{ {{ \\0 %s \\" dataUsingEncoding:NSUTF8StringEncoding]];
16+
17+
NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C"]
18+
cachePolicy:NSURLRequestUseProtocolCachePolicy
19+
timeoutInterval:10.0];
20+
[request setHTTPMethod:@"POST"];
21+
[request setAllHTTPHeaderFields:headers];
22+
[request setHTTPBody:postData];
23+
24+
NSURLSession *session = [NSURLSession sharedSession];
25+
NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request
26+
completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
27+
if (error) {
28+
NSLog(@"%@", error);
29+
} else {
30+
NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response;
31+
NSLog(@"%@", httpResponse);
32+
}
33+
}];
34+
[dataTask resume];

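--- a/test/targets.js
+++ b/test/targets.js
@@ -44,9 +44,6 @@ const skipMe = {
 clojure: {
 clj_http: ['jsonObj-null-value', 'jsonObj-multiline']
 },
-objc: {
-nsurlsession: ['malicious']
-},
 powershell: {
 restmethod: ['malicious'],
 webrequest: ['malicious']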
