Fix R test cases for in-depth escaping scenario

pimterry · pimterry · commit ebf709c31238 · 2024-07-02T18:10:50.000+02:00
diff --git a/src/targets/r/httr.js b/src/targets/r/httr.js
@@ -41,10 +41,14 @@ module.exports = function (source, options) {
     code.push('queryString <- list(')
 
     for (const query in qs) {
+      const safeKey = query.match(/^[a-zA-Z][\w._]*$/)
+        ? query
+        : '"' + escape(query) + '"'
+
       if (count++ !== queryCount - 1) {
-        code.push('  %s = "%s",', query, qs[query].toString())
+        code.push('  %s = "%qd",', safeKey, qs[query].toString())
       } else {
-        code.push('  %s = "%s"', query, qs[query].toString())
+        code.push('  %s = "%qd"', safeKey, qs[query].toString())
       }
     }
 
diff --git a/test/fixtures/output/r/httr/malicious.r b/test/fixtures/output/r/httr/malicious.r
@@ -0,0 +1,36 @@
+library(httr)
+
+url <- "http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//"
+
+queryString <- list(
+  "'" = "squote-key-test",
+  "squote-value-test" = "'",
+  "\"" = "dquote-key-test",
+  "dquote-value-test" = "\"",
+  "`" = "backtick-key-test",
+  "backtick-value-test" = "`",
+  "$(" = "dollar-parenthesis-key-test",
+  "dollar-parenthesis-value-test" = "$(",
+  "#{" = "hash-brace-key-test",
+  "hash-brace-value-test" = "#{",
+  "%(" = "percent-parenthesis-key-test",
+  "percent-parenthesis-value-test" = "%(",
+  "%{" = "percent-brace-key-test",
+  "percent-brace-value-test" = "%{",
+  "{{" = "double-brace-key-test",
+  "double-brace-value-test" = "{{",
+  "\\0" = "null-key-test",
+  "null-value-test" = "\\0",
+  "%s" = "string-fmt-key-test",
+  "string-fmt-value-test" = "%s",
+  "\\" = "slash-key-test"
+  "slash-value-test" = "\\",
+)
+
+payload <- "' \" ` $( #{ %( %{ {{ \\0 %s \\"
+
+encode <- "raw"
+
+response <- VERB("POST", url, body = payload, query = queryString, add_headers(squote_value_test = '\'', dquote_value_test = '"', backtick_value_test = '`', dollar_parenthesis_value_test = '$(', hash_brace_value_test = '#{', percent_parenthesis_value_test = '%(', percent_brace_value_test = '%{', double_brace_value_test = '{{', null_value_test = '\\0', string_fmt_value_test = '%s', slash_value_test = '\\'), content_type("text/plain"), encode = encode)
+
+content(response, "text")
diff --git a/test/fixtures/output/r/httr/nested.r b/test/fixtures/output/r/httr/nested.r
@@ -3,7 +3,7 @@ library(httr)
 url <- "http://mockbin.com/har"
 
 queryString <- list(
-  foo[bar] = "baz,zap",
+  "foo[bar]" = "baz,zap",
   fiz = "buz"
 )
 
diff --git a/test/targets.js b/test/targets.js
@@ -44,9 +44,6 @@ const skipMe = {
   clojure: {
     clj_http: ['jsonObj-null-value', 'jsonObj-multiline']
   },
-  r: {
-    httr: ['malicious']
-  },
   '*': {
     '*': []
   }

Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@ library(httr)`
`3`	`3`	`url <- "http://mockbin.com/har"`
`4`	`4`
`5`	`5`	`queryString <- list(`
`6`		`- foo[bar] = "baz,zap",`
	`6`	`+ "foo[bar]" = "baz,zap",`
`7`	`7`	`fiz = "buz"`
`8`	`8`	`)`
`9`	`9`