
Commit a9deb0d

committed
Commit all-escapes test case with all working (apparently) safe outputs
Goal here is that for all _valid_ HTTP inputs, we should correctly escape special characters throughout. This is tricky to get 100% right across so many different languages and targets, but this gives us a test case and a set of checked, correct outputs, and we can incrementally fix the remaining cases with broken escaping until everything is escaped correctly everywhere.
1 parent 17ce2ef commit a9deb0d


25 files changed

+785
-1
lines changed

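--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/c-libcurl-fixture
@@ -0,0 +1,22 @@
+CURL *hnd = curl_easy_init();
+
+curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
+curl_easy_setopt(hnd, CURLOPT_URL, "http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C");
+
+struct curl_slist *headers = NULL;
+headers = curl_slist_append(headers, "squote-value-test: '");
+headers = curl_slist_append(headers, "dquote-value-test: \"");
+headers = curl_slist_append(headers, "backtick-value-test: `");
+headers = curl_slist_append(headers, "dollar-parenthesis-value-test: $(");
+headers = curl_slist_append(headers, "hash-brace-value-test: #{");
+headers = curl_slist_append(headers, "percent-parenthesis-value-test: %(");
+headers = curl_slist_append(headers, "percent-brace-value-test: %{");
+headers = curl_slist_append(headers, "double-brace-value-test: {{");
+headers = curl_slist_append(headers, "null-value-test: \\0");
+headers = curl_slist_append(headers, "string-fmt-value-test: %s");
+headers = curl_slist_append(headers, "slash-value-test: \\");
+curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);
+
+curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "' \" ` $( #{ %( %{ {{ \\0 %s \\");
+
+CURLcode ret = curl_easy_perform(hnd);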
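Review bot: The handle from `curl_easy_init()` on line 1 is never NULL-checked, and neither it nor the `headers` slist is released after `curl_easy_perform` on line 22, so the snippet this fixture pins leaks both on every run; `ret` is assigned but never inspected either. The escaping itself (`\"`, `\\0`, `\\`, and `%s` inside a plain string that is never used as a format argument) reads correctly for C. Since this file is the generator's expected output, the change belongs in the C target's template with the fixture updated to match: append `curl_slist_free_all(headers);` and `curl_easy_cleanup(hnd);` after the perform call.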
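--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/csharp-httpclient-fixture
@@ -0,0 +1,33 @@
+var client = new HttpClient();
+var request = new HttpRequestMessage
+{
+Method = HttpMethod.Post,
+RequestUri = new Uri("http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C"),
+Headers =
+{
+{ "squote-value-test", "'" },
+{ "dquote-value-test", "\"" },
+{ "backtick-value-test", "`" },
+{ "dollar-parenthesis-value-test", "$(" },
+{ "hash-brace-value-test", "#{" },
+{ "percent-parenthesis-value-test", "%(" },
+{ "percent-brace-value-test", "%{" },
+{ "double-brace-value-test", "{{" },
+{ "null-value-test", "\\0" },
+{ "string-fmt-value-test", "%s" },
+{ "slash-value-test", "\\" },
+},
+Content = new StringContent("' \" ` $( #{ %( %{ {{ \\0 %s \\")
+{
+Headers =
+{
+ContentType = new MediaTypeHeaderValue("text/plain")
+}
+}
+};
+using (var response = await client.SendAsync(request))
+{
+response.EnsureSuccessStatusCode();
+var body = await response.Content.ReadAsStringAsync();
+Console.WriteLine(body);
+}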
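Review bot: `client` on line 1 and `request` on line 2 are both `IDisposable`, yet only the response on line 28 is wrapped in `using`, so every generated snippet leaves the `HttpClient` and its handler undisposed. The escaping (`\"`, `\\0`, `\\`) is correct for a non-verbatim, non-interpolated C# literal, and `%(`/`%s`/`{{` are inert here because no `$` prefix is involved. In the C# target's template, emit `using var client = new HttpClient();` (C# 8) or wrap the whole snippet in `using (var client = new HttpClient())` to match the `using` statement style already used for the response, and do the same for `request`.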
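--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/csharp-restsharp-fixture
@@ -0,0 +1,15 @@
+var client = new RestClient("http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C");
+var request = new RestRequest(Method.POST);
+request.AddHeader("squote-value-test", "'");
+request.AddHeader("dquote-value-test", "\"");
+request.AddHeader("backtick-value-test", "`");
+request.AddHeader("dollar-parenthesis-value-test", "$(");
+request.AddHeader("hash-brace-value-test", "#{");
+request.AddHeader("percent-parenthesis-value-test", "%(");
+request.AddHeader("percent-brace-value-test", "%{");
+request.AddHeader("double-brace-value-test", "{{");
+request.AddHeader("null-value-test", "\\0");
+request.AddHeader("string-fmt-value-test", "%s");
+request.AddHeader("slash-value-test", "\\");
+request.AddParameter("undefined", "' \" ` $( #{ %( %{ {{ \\0 %s \\", ParameterType.RequestBody);
+IRestResponse response = client.Execute(request);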
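Review bot: `Method.POST` on line 2, `AddParameter("undefined", …, ParameterType.RequestBody)` on line 14 and `IRestResponse` on line 15 are the pre-v107 RestSharp API; from v107 the enum member is `Method.Post`, `IRestResponse` is gone in favour of `RestResponse`, and a string body is added with `AddStringBody`. The escaping in the literals is fine for C#, so this is about which library version the target claims to support rather than the change under test. Either pin that version in a comment on the RestSharp target, or update the template to emit `var request = new RestRequest("", Method.Post);` and `request.AddStringBody("' \" ` $( #{ %( %{ {{ \\0 %s \\", ContentType.Plain);` and regenerate this fixture.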
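--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/go-native-fixture
@@ -0,0 +1,38 @@
+package main
+
+import (
+"fmt"
+"strings"
+"net/http"
+"io"
+)
+
+func main() {
+
+url := "http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C"
+
+payload := strings.NewReader("' \" ` $( #{ %( %{ {{ \\0 %s \\")
+
+req, _ := http.NewRequest("POST", url, payload)
+
+req.Header.Add("squote-value-test", "'")
+req.Header.Add("dquote-value-test", "\"")
+req.Header.Add("backtick-value-test", "`")
+req.Header.Add("dollar-parenthesis-value-test", "$(")
+req.Header.Add("hash-brace-value-test", "#{")
+req.Header.Add("percent-parenthesis-value-test", "%(")
+req.Header.Add("percent-brace-value-test", "%{")
+req.Header.Add("double-brace-value-test", "{{")
+req.Header.Add("null-value-test", "\\0")
+req.Header.Add("string-fmt-value-test", "%s")
+req.Header.Add("slash-value-test", "\\")
+
+res, _ := http.DefaultClient.Do(req)
+
+defer res.Body.Close()
+body, _ := io.ReadAll(res.Body)
+
+fmt.Println(res)
+fmt.Println(string(body))
+
+}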
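Review bot: Every error in `main` is discarded, and with this URL that is not theoretical: `net/url` rejects a `%` that is not followed by two hex digits (the path holds `%(`, `%%7B` and `%s`), so as far as I can tell `http.NewRequest` on line 16 returns a nil request plus an escape error and `req.Header.Add` on line 18 panics on the nil pointer; a failed `Do` on line 30 would likewise leave `res` nil for the `defer res.Body.Close()` on line 32. The string escaping in the literals themselves is correct for Go, and `fmt.Println` does not treat `%s` as a verb, so the body is printed verbatim. `gofmt` would also sort the import block on lines 3–8. The Go target's template should check each error before using its result, roughly as below.
```go
req, err := http.NewRequest("POST", url, payload)
if err != nil {
	panic(err)
}
// … unchanged: req.Header.Add calls …
res, err := http.DefaultClient.Do(req)
if err != nil {
	panic(err)
}
defer res.Body.Close()
// … unchanged: io.ReadAll and the two Println calls …
```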
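--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/all-escapes.http
@@ -0,0 +1,16 @@
+POST /%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C HTTP/1.1
+Squote-Value-Test: '
+Dquote-Value-Test: "
+Backtick-Value-Test: `
+Dollar-Parenthesis-Value-Test: $(
+Hash-Brace-Value-Test: #{
+Percent-Parenthesis-Value-Test: %(
+Percent-Brace-Value-Test: %{
+Double-Brace-Value-Test: {{
+Null-Value-Test: \0
+String-Fmt-Value-Test: %s
+Slash-Value-Test: \
+Host: example.test
+Content-Length: 28
+
+' " ` $( #{ %( %{ {{ \0 %s \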
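Review bot: The request target on line 1 contains `%(`, `%%7B` and `%s` in the path, which are not valid percent-encoded octets under RFC 3986 (a `%` must be followed by two hex digits), so this input is not "valid HTTP" in the strict sense the commit message relies on, and strict URL parsers such as Go's `net/url` and `java.net.URI` reject it before any header or body escaping in those targets is exercised. The query string already uses the well-formed `%25(`, `%25%7B` and `%25s` forms, and the header values and body are internally consistent (`Content-Length: 28` matches the 28-byte body on line 16). Consider splitting this into one fixture whose path uses only well-formed escapes, so the string-escaping checks run end to end on every target, plus a separate case for the raw-`%` path if lenient-parser behaviour is intentionally covered.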
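--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/java-asynchttp-fixture
@@ -0,0 +1,20 @@
+AsyncHttpClient client = new DefaultAsyncHttpClient();
+client.prepare("POST", "http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C")
+.setHeader("squote-value-test", "'")
+.setHeader("dquote-value-test", "\"")
+.setHeader("backtick-value-test", "`")
+.setHeader("dollar-parenthesis-value-test", "$(")
+.setHeader("hash-brace-value-test", "#{")
+.setHeader("percent-parenthesis-value-test", "%(")
+.setHeader("percent-brace-value-test", "%{")
+.setHeader("double-brace-value-test", "{{")
+.setHeader("null-value-test", "\\0")
+.setHeader("string-fmt-value-test", "%s")
+.setHeader("slash-value-test", "\\")
+.setBody("' \" ` $( #{ %( %{ {{ \\0 %s \\")
+.execute()
+.toCompletableFuture()
+.thenAccept(System.out::println)
+.join();
+
+client.close();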
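Review bot: `client.close()` on line 20 is skipped whenever `.join()` on line 18 throws (a connection or request failure surfaces there as a `CompletionException`), so the client's resources leak on the failure path; the escaping in the literals is correct for Java. In the target's template, open the client with try-with-resources, `try (AsyncHttpClient client = new DefaultAsyncHttpClient()) {`, place the `prepare(...)…join()` chain inside it and drop the explicit `close()`, then regenerate this fixture.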
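--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/java-nethttp-fixture
@@ -0,0 +1,17 @@
+HttpRequest request = HttpRequest.newBuilder()
+.uri(URI.create("http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C"))
+.header("squote-value-test", "'")
+.header("dquote-value-test", "\"")
+.header("backtick-value-test", "`")
+.header("dollar-parenthesis-value-test", "$(")
+.header("hash-brace-value-test", "#{")
+.header("percent-parenthesis-value-test", "%(")
+.header("percent-brace-value-test", "%{")
+.header("double-brace-value-test", "{{")
+.header("null-value-test", "\\0")
+.header("string-fmt-value-test", "%s")
+.header("slash-value-test", "\\")
+.method("POST", HttpRequest.BodyPublishers.ofString("' \" ` $( #{ %( %{ {{ \\0 %s \\"))
+.build();
+HttpResponse<String> response = HttpClient.newHttpClient().send(request, HttpResponse.BodyHandlers.ofString());
+System.out.println(response.body());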
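Review bot: `URI.create(...)` on line 2 will, as far as I can tell, throw `IllegalArgumentException` for this URL, because `java.net.URI` rejects a `%` that is not followed by two hex digits ("Malformed escape pair") and the path segment contains `%(`, `%%7B` and `%s`. The string escaping (`\"`, `\\0`, `\\`) is correct for Java, so the fixture text is what the generator should emit for this input; the issue is that the input path is not well-formed, and either the test input should carry `%25`-encoded forms there (as its query string already does) or the target should percent-encode a stray `%` before handing the string to `URI.create`. Creating a fresh `HttpClient.newHttpClient()` on line 16 is acceptable for a one-shot snippet but worth a comment so readers do not copy it into a loop.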
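--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/java-okhttp-fixture
@@ -0,0 +1,21 @@
+OkHttpClient client = new OkHttpClient();
+
+MediaType mediaType = MediaType.parse("text/plain");
+RequestBody body = RequestBody.create(mediaType, "' \" ` $( #{ %( %{ {{ \\0 %s \\");
+Request request = new Request.Builder()
+.url("http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C")
+.post(body)
+.addHeader("squote-value-test", "'")
+.addHeader("dquote-value-test", "\"")
+.addHeader("backtick-value-test", "`")
+.addHeader("dollar-parenthesis-value-test", "$(")
+.addHeader("hash-brace-value-test", "#{")
+.addHeader("percent-parenthesis-value-test", "%(")
+.addHeader("percent-brace-value-test", "%{")
+.addHeader("double-brace-value-test", "{{")
+.addHeader("null-value-test", "\\0")
+.addHeader("string-fmt-value-test", "%s")
+.addHeader("slash-value-test", "\\")
+.build();
+
+Response response = client.newCall(request).execute();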
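Review bot: The `Response` obtained on line 21 is never closed, and OkHttp needs the response body closed to release the connection back to the pool, so every generated snippet leaks a connection until GC; the escaping in the literals is correct for Java. In the target's template, emit `try (Response response = client.newCall(request).execute()) {` and put any body handling inside the block. `RequestBody.create(MediaType, String)` on line 4 is also the OkHttp 3 argument order, deprecated in OkHttp 4 in favour of `RequestBody.create(String, MediaType)`, so it is worth stating which OkHttp version the target tracks.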
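--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/java-unirest-fixture
@@ -0,0 +1,14 @@
+HttpResponse<String> response = Unirest.post("http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C")
+.header("squote-value-test", "'")
+.header("dquote-value-test", "\"")
+.header("backtick-value-test", "`")
+.header("dollar-parenthesis-value-test", "$(")
+.header("hash-brace-value-test", "#{")
+.header("percent-parenthesis-value-test", "%(")
+.header("percent-brace-value-test", "%{")
+.header("double-brace-value-test", "{{")
+.header("null-value-test", "\\0")
+.header("string-fmt-value-test", "%s")
+.header("slash-value-test", "\\")
+.body("' \" ` $( #{ %( %{ {{ \\0 %s \\")
+.asString();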
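--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/javascript-jquery-fixture
@@ -0,0 +1,24 @@
+const settings = {
+"async": true,
+"crossDomain": true,
+"url": "http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C",
+"method": "POST",
+"headers": {
+"squote-value-test": "'",
+"dquote-value-test": "\"",
+"backtick-value-test": "`",
+"dollar-parenthesis-value-test": "$(",
+"hash-brace-value-test": "#{",
+"percent-parenthesis-value-test": "%(",
+"percent-brace-value-test": "%{",
+"double-brace-value-test": "{{",
+"null-value-test": "\\0",
+"string-fmt-value-test": "%s",
+"slash-value-test": "\\"
+},
+"data": "' \" ` $( #{ %( %{ {{ \\0 %s \\"
+};
+
+$.ajax(settings).done(function (response) {
+console.log(response);
+});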
