Correctly escape single & double quotes within header values

Author: pimterry

src/helpers/code-builder.js

@@ -1,6 +1,6 @@
 'use strict'
 
-const formatString = require('./format')
+const { format: formatString } = require('./format')
 
 /**
  * Helper object to format and aggragate lines of code.

src/helpers/format.js

@@ -1,46 +1,87 @@
 const util = require('util')
 
-function quote (value) {
-  if (typeof value !== 'string') value = JSON.stringify(value)
-  return JSON.stringify(value)
+exports.escape = function escape (value, options) {
+  // The JSON-stringify string serialization algorithm, but generalized for string delimiters
+  // (e.g. " or ') and different escape characters (e.g. Powershell uses `)
+  // https://tc39.es/ecma262/multipage/structured-data.html#sec-quotejsonstring
+  const {
+    delimiter = '"',
+    escapeChar = '\\',
+    escapeNewlines = true
+  } = options || {}
+
+  return [...value].map((c) => {
+    if (c === '\b') {
+      return escapeChar + 'b'
+    } else if (c === '\t') {
+      return escapeChar + 't'
+    } else if (c === '\n') {
+      if (escapeNewlines) {
+        return escapeChar + 'n'
+      } else {
+        return c // Don't just continue, or this is caught by < \u0020
+      }
+    } else if (c === '\f') {
+      return escapeChar + 'f'
+    } else if (c === '\r') {
+      if (escapeNewlines) {
+        return escapeChar + 'r'
+      } else {
+        return c // Don't just continue, or this is caught by < \u0020
+      }
+    } else if (c === escapeChar) {
+      return escapeChar + escapeChar
+    } else if (c === delimiter) {
+      return escapeChar + delimiter
+    } else if (c < '\u0020' || c > '\u007E') {
+      // Delegate the trickier non-ASCII cases to the normal algorithm. Some of these are escaped as
+      // \uXXXX, whilst others are represented literally. Since we're using this primarily for header
+      // values that are generally (though not strictly?) ASCII-only, this should almost never happen.
+      return JSON.stringify(c).slice(1, -1)
+    } else {
+      return c
+    }
+  }).join('')
 }
 
-function escape (value) {
-  const q = quote(value)
-  return q && q.slice(1, -1)
+function doubleQuoteEscape (value) {
+  return exports.escape(value, { delimiter: '"' })
+}
+
+function singleQuoteEscape (value) {
+  return exports.escape(value, { delimiter: "'" })
 }
 
 /**
- * Wraps the `util.format` function and adds the %q and %v format options,
- * where `%q` - escape tricky characters, like newline or quotes
- * and `%v` - JSON-stringify-if-necessary
+ * Wraps the `util.format` function and adds the %qd, %qs and %v format options,
+ * where `%qd` escapes characters for a single-line double-quoted string, `%qs`
+ * escapes characters for a single-line single-quoted string, and `%v`
+ * JSON-stringifies the value.
  *
  * @param {string} value
  * @param  {...string} format
  *
- * @example
- * format('foo("%q")', { bar: 'baz' })
- * // output: foo("{\"bar\":\"baz\"}")
- *
- * format('foo(%v)', { bar: 'baz' })
- * // output: foo({"bar":"baz"})
- *
  * @returns {string} Formatted string
  */
-function format (value, ...format) {
+exports.format = function format (value, ...format) {
   if (typeof value !== 'string') return ''
 
   let i = 0
-  value = value.replace(/(?<!%)%[sdifjoOcqv]/g, (m) => {
+  value = value.replace(/(?<!%)%([sdifjoOcv]|q[sd])/g, (m) => {
     // JSON-stringify
     if (m === '%v') {
       const [elem] = format.splice(i, 1)
       return JSON.stringify(elem)
     }
-    // JSON-stringify, remove quotes (means, escape)
-    if (m === '%q') {
+    // Escape for double-quoted string
+    if (m === '%qd') {
+      const [elem] = format.splice(i, 1)
+      return doubleQuoteEscape(elem)
+    }
+    // Escape for single-quoted string
+    if (m === '%qs') {
       const [elem] = format.splice(i, 1)
-      return escape(elem)
+      return singleQuoteEscape(elem)
     }
     i += 1
     return m
@@ -49,5 +90,3 @@ function format (value, ...format) {
   const ret = util.format(value, ...format)
   return ret
 }
-
-module.exports = format

src/targets/c/libcurl.js

@@ -19,7 +19,7 @@ module.exports = function (source, options) {
       .push('struct curl_slist *headers = NULL;')
 
     headers.forEach(function (key) {
-      code.push('headers = curl_slist_append(headers, "%s: %s");', key, source.headersObj[key])
+      code.push('headers = curl_slist_append(headers, "%s: %qd");', key, source.headersObj[key])
     })
 
     code.push('curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);')

src/targets/csharp/httpclient.js

@@ -85,7 +85,7 @@ module.exports = function (source, options) {
     code.push(1, 'Headers =')
     code.push(1, '{')
     headers.forEach(function (key) {
-      code.push(2, '{ "%s", "%s" },', key, source.allHeaders[key])
+      code.push(2, '{ "%s", "%qd" },', key, source.allHeaders[key])
     })
     code.push(1, '},')
   }

src/targets/csharp/restsharp.js

@@ -20,7 +20,7 @@ module.exports = function (source, options) {
   // construct headers
   if (headers.length) {
     headers.forEach(function (key) {
-      code.push('request.AddHeader("%s", "%s");', key, source.headersObj[key])
+      code.push('request.AddHeader("%s", "%qd");', key, source.headersObj[key])
     })
   }
 

src/targets/go/native.js

@@ -112,7 +112,7 @@ module.exports = function (source, options) {
   // Add headers
   if (Object.keys(source.allHeaders).length) {
     Object.keys(source.allHeaders).forEach(function (key) {
-      code.push(indent, 'req.Header.Add("%s", "%s")', key, source.allHeaders[key])
+      code.push(indent, 'req.Header.Add("%s", "%qd")', key, source.allHeaders[key])
     })
 
     code.blank()

src/targets/java/asynchttp.js

@@ -29,7 +29,7 @@ module.exports = function (source, options) {
   // construct headers
   if (headers.length) {
     headers.forEach(function (key) {
-      code.push(1, '.setHeader("%s", "%s")', key, source.allHeaders[key])
+      code.push(1, '.setHeader("%s", "%qd")', key, source.allHeaders[key])
     })
   }
 

src/targets/java/nethttp.js

@@ -30,7 +30,7 @@ module.exports = function (source, options) {
   // construct headers
   if (headers.length) {
     headers.forEach(function (key) {
-      code.push(2, '.header("%s", "%s")', key, source.allHeaders[key])
+      code.push(2, '.header("%s", "%qd")', key, source.allHeaders[key])
     })
   }
 

src/targets/java/okhttp.js

@@ -59,7 +59,7 @@ module.exports = function (source, options) {
   // construct headers
   if (headers.length) {
     headers.forEach(function (key) {
-      code.push(1, '.addHeader("%s", "%s")', key, source.allHeaders[key])
+      code.push(1, '.addHeader("%s", "%qd")', key, source.allHeaders[key])
     })
   }
 

src/targets/java/unirest.js

@@ -33,7 +33,7 @@ module.exports = function (source, options) {
   // construct headers
   if (headers.length) {
     headers.forEach(function (key) {
-      code.push(1, '.header("%s", "%s")', key, source.allHeaders[key])
+      code.push(1, '.header("%s", "%qd")', key, source.allHeaders[key])
     })
   }