From dc00caa88de5b162cb8bf6aa26071f17c6457de7 Mon Sep 17 00:00:00 2001
From: Christopher Hiller <boneskull@boneskull.com>
Date: Fri, 27 Oct 2023 15:35:18 -0700
Subject: [PATCH] fix(evasive-transform): replace homoglyphs with boring ascii

---
 .../evasive-transform/src/transform-comment.js  |   6 +++---
 .../test/snapshots/test-evade-censor.js.md      |  12 ++++++------
 .../test/snapshots/test-evade-censor.js.snap    | Bin 963 -> 955 bytes
 .../test/test-transform-comment.js              |   6 ++----
 4 files changed, 11 insertions(+), 13 deletions(-)

diff --git a/packages/evasive-transform/src/transform-comment.js b/packages/evasive-transform/src/transform-comment.js
index 87df3ff237..99764b31ed 100644
--- a/packages/evasive-transform/src/transform-comment.js
+++ b/packages/evasive-transform/src/transform-comment.js
@@ -35,11 +35,11 @@ export function transformComment(node, unmapLoc) {
     // ...strip extraneous comment whitespace
     .replace(/^\s+/gm, ' ')
     // ...replace HTML comments with a defanged version to pass SES restrictions.
-    .replace(HTML_COMMENT_START_RE, '<!\u{2010}-')
-    .replace(HTML_COMMENT_END_RE, '-\u{2010}>')
+    .replace(HTML_COMMENT_START_RE, '<!=-')
+    .replace(HTML_COMMENT_END_RE, '-=>')
     // ...replace import expressions with a defanged version to pass SES restrictions
     // (featuring homoglyphs for @kriskowal)
-    .replace(IMPORT_RE, 'im\u{440}ort$2')
+    .replace(IMPORT_RE, 'IMPORT$2')
     // ...replace end-of-comment markers
     .replace(/\*\//g, '*X/');
   if (unmapLoc) {
diff --git a/packages/evasive-transform/test/snapshots/test-evade-censor.js.md b/packages/evasive-transform/test/snapshots/test-evade-censor.js.md
index 7709d4d60b..94af869fa9 100644
--- a/packages/evasive-transform/test/snapshots/test-evade-censor.js.md
+++ b/packages/evasive-transform/test/snapshots/test-evade-censor.js.md
@@ -8,19 +8,19 @@ Generated by [AVA](https://avajs.dev).
 
 > Snapshot 1
 
-    '\'use strict\';var node_fs=require(\'node:fs\');/** * @returns {imрort(\'node:fs\').constants.F_OK} */function bambalam(){return node_fs.constants.F_OK;}/** * <!‐- this should become less evil -‐> */function monkey(){return true;}exports.bambalam=bambalam;exports.monkey=monkey;/*# sourceMappingURL=index.cjs.map*/'
+    '\'use strict\';var node_fs=require(\'node:fs\');/** * @returns {IMPORT(\'node:fs\').constants.F_OK} */function bambalam(){return node_fs.constants.F_OK;}/** * <!=- this should become less evil -=> */function monkey(){return true;}exports.bambalam=bambalam;exports.monkey=monkey;/*# sourceMappingURL=index.cjs.map*/'
 
 ## evadeCensor() - successful source transform w/ source map
 
 > Snapshot 1
 
-    '\'use strict\';var node_fs=require(\'node:fs\');/** * @returns {imрort(\'node:fs\').constants.F_OK} */function bambalam(){return node_fs.constants.F_OK;}/** * <!‐- this should become less evil -‐> */function monkey(){return true;}exports.bambalam=bambalam;exports.monkey=monkey;/*# sourceMappingURL=index.cjs.map*/'
+    '\'use strict\';var node_fs=require(\'node:fs\');/** * @returns {IMPORT(\'node:fs\').constants.F_OK} */function bambalam(){return node_fs.constants.F_OK;}/** * <!=- this should become less evil -=> */function monkey(){return true;}exports.bambalam=bambalam;exports.monkey=monkey;/*# sourceMappingURL=index.cjs.map*/'
 
 ## evadeCensor() - successful source transform w/ source map & source URL
 
 > Snapshot 1
 
-    '\'use strict\';var node_fs=require(\'node:fs\');/** * @returns {imрort(\'node:fs\').constants.F_OK} */function bambalam(){return node_fs.constants.F_OK;}/** * <!‐- this should become less evil -‐> */function monkey(){return true;}exports.bambalam=bambalam;exports.monkey=monkey;/*# sourceMappingURL=index.cjs.map*/'
+    '\'use strict\';var node_fs=require(\'node:fs\');/** * @returns {IMPORT(\'node:fs\').constants.F_OK} */function bambalam(){return node_fs.constants.F_OK;}/** * <!=- this should become less evil -=> */function monkey(){return true;}exports.bambalam=bambalam;exports.monkey=monkey;/*# sourceMappingURL=index.cjs.map*/'
 
 > Snapshot 2
 
@@ -45,7 +45,7 @@ Generated by [AVA](https://avajs.dev).
 
 > Snapshot 1
 
-    '\'use strict\';var node_fs=require(\'node:fs\');/** * @returns {imрort(\'node:fs\').constants.F_OK} */function bambalam(){return node_fs.constants.F_OK;}/** * <!‐- this should become less evil -‐> */function monkey(){return true;}exports.bambalam=bambalam;exports.monkey=monkey;/*# sourceMappingURL=index.cjs.map*/'
+    '\'use strict\';var node_fs=require(\'node:fs\');/** * @returns {IMPORT(\'node:fs\').constants.F_OK} */function bambalam(){return node_fs.constants.F_OK;}/** * <!=- this should become less evil -=> */function monkey(){return true;}exports.bambalam=bambalam;exports.monkey=monkey;/*# sourceMappingURL=index.cjs.map*/'
 
 > Snapshot 2
 
@@ -70,13 +70,13 @@ Generated by [AVA](https://avajs.dev).
 
 > Snapshot 1
 
-    '\'use strict\';varnode_fs=require(\'node:fs\');/** * @returns {imрort(\'node:fs\').constants.F_OK} */function bambalam(){return node_fs.constants.F_OK;}/** * <!‐- this should become less evil -‐> */function monkey(){return true;}exports.bambalam=bambalam;exports.monkey=monkey;/*# sourceMappingURL=index.cjs.map*/'
+    '\'use strict\';varnode_fs=require(\'node:fs\');/** * @returns {IMPORT(\'node:fs\').constants.F_OK} */function bambalam(){return node_fs.constants.F_OK;}/** * <!=- this should become less evil -=> */function monkey(){return true;}exports.bambalam=bambalam;exports.monkey=monkey;/*# sourceMappingURL=index.cjs.map*/'
 
 ## evadeCensor() - successful source transform w/ source map, source URL & unmapping
 
 > Snapshot 1
 
-    '\'use strict\';varnode_fs=require(\'node:fs\');/** * @returns {imрort(\'node:fs\').constants.F_OK} */function bambalam(){return node_fs.constants.F_OK;}/** * <!‐- this should become less evil -‐> */function monkey(){return true;}exports.bambalam=bambalam;exports.monkey=monkey;/*# sourceMappingURL=index.cjs.map*/'
+    '\'use strict\';varnode_fs=require(\'node:fs\');/** * @returns {IMPORT(\'node:fs\').constants.F_OK} */function bambalam(){return node_fs.constants.F_OK;}/** * <!=- this should become less evil -=> */function monkey(){return true;}exports.bambalam=bambalam;exports.monkey=monkey;/*# sourceMappingURL=index.cjs.map*/'
 
 > Snapshot 2
 
diff --git a/packages/evasive-transform/test/snapshots/test-evade-censor.js.snap b/packages/evasive-transform/test/snapshots/test-evade-censor.js.snap
index bf397da7ea77821f10de2639122c784bbb888b3c..391945013cc63bcfc35b67a62354e0a7d158408e 100644
GIT binary patch
literal 955
zcmV;s14R5mRzV<BZeeh9Xm4~Nb~6eC09&aWtvkT$E@F>N%-OQ-5m5EIg+HoQACSvc
zs7qg_86S%X00000000B+R?BYFKos>PO&<vQ5PZN?l}H=hb^$`7X`o}L4FRf@QY2Va
zjx(WdV>`^)p$~Nd5_H8Mu%P7|kdRpL3oKai2dvnzWWgQV6Pr-+XbT$>>5gyi<IH&O
z%st+(R~xRm!Ji#a&+-~{^8#%dHL6pGyKH;{Ph#$yCgr^DH!yd7W>V}i!{K$8*%o(<
zCSP+s{&>GuGd$xy($h+xB7P{NjHE81tj{Ut9<xj@n{OEmJ8q4x)_H-^hrY$=cvcu@
z>O4D<pU&lQ4$m>_`OM*Xr@XjSSzbv*Oqs63J;U+%)WT}z<}S`n*L}zIEZ4zR!>$?)
z!ycd52?69x9ZC7!aGKfC!X)<AERNv?{6-B|sp;AjH{e|{ZCMRGS-6^<z;>Mtx)sBF
z%%}NXy4iFYK+EY1QprnCm{$lN@Q!2AHZB^?rsX`iyL_u)IW@XDWv)Z8(acTDQe63i
zQs76^(gqma!u-|3EF8Ho_`LiB@Nt!%bgOi7Rf_g9J<#6Eew3Mk=N!mWq$n>yUW1%P
zy(6f%QeCH}hfrG`9v)WE83pwyXb56b=TI8TF@pN-a7rE-Qe%j~FP|r5o~R{4%0$(L
zMXeB05o$?qtGarJkfP9-7G}VpCkFL4A$Rl$0Q41go)A|PzJ{hQ0?a}Ox?U2P%R=4I
zbhS*#b`V|+@QXjgUySfKf`qjYU%g4lQUV~c_!}ZSn90@xBqvBD<v64$FoF<E3no|(
zLliWK&<EIUxs4geuqhABBdOTj7nYTGY<gddG7je__}?Rje$;;%@@7F+Kx~jbkOPo6
zAn#LAVKam=V+*CEHZ(LOl2e}`;B!Y%`n#Z03hGnPX|arWdC_%<><G0T(M^<&__)ZU
zEIn!I8E9WA>FSZL9&yK{H6yLP;pvz5-uB$lB?*>{I+r}qz8A+Nly0l)wyJKc>b9zX
z*{bG`^NHm<(fL2*J6QX!ZC(7KZFRfWZ+`~gK5~uJ1hpJquP5Dloixj&z8uCfP3U)f
zATLjVWd;*06Ey#jW%O7TG$6DEF?143<tN0l{R6RtfF+4Y?gqTFu7O_M665uYT7pwb
zo%k`afI)91h(#dyfptwwtUX{B60a^)%W*)!D<p;w3FY14gz^;~jZj8`53(TFK<<Gs
dkmn$;K;Hg}P(DDw$N!5^z5!57HEiJ$000JK$0q;)

literal 963
zcmV;!13dgeRzV<BZeeh9Xm4~Nb~6eC09$aO#rE@1GSmqoN{^C6>E|nQjOLBL_``GT
z>}+oJiXV#z00000000B+R?TkHKoIsOO@9#3R`39eDv>t0?Ewiv(*kR!O$$_^v`BEO
z9A`t_#&+1XLw{7MRDzz6cmNLkJOdIE2VMcBo;Y&j#DyaVW^Hfmrd1Iwa3PUqJ(-#P
zcD%DYpI=qWHP>9>PhV5d@@jPT0&N%-s#Ax%Y;Xt<WA2+K<-F?GFn4`sQtUCq;Z>K}
z7I%y~UvfSE_*JE1c*cD+omRRO@k1G<KXnCVeNHj=m}Pp|e8XVaaVvDO$|o3o=v#~q
zW`$v_%CkfH(OeGa@O4H#pE(?FSoWtamwAbh5z}?JXE+`onOZE}+{C%js_&Sd<vO@*
z*kz+;*n>kGA%a}0Wm0}KTxa~;m#yc+*jutVhIjC56<nsKYg1f<*TuA9)$lNcTum-w
zyUq$-i<j`2PxG5}wGMgm5t+h-RPxdj&YK7y@S+3JUd|fzy5&5$d*{}K<y7eEh`9{G
zMm;ww>v82b>VY4PN*iFbtMm7(Gj-(Z;Pdhiz{jQ9ZkOs0mnz!ObWd|byHREgp4UO1
zAVqlr@)qO_>g-3IrSdX0J%pNSUtgbsPARBELA?-@I*Za!lYZ1~hfDIvkQzV)e)&8h
zlSC~NGDB2dSkw|BC7~AermCy+gcO9vv~UItdSX!L2$|O-0MHlINkUvr_-dLu3ouhH
z=z39L-Vy4GrmHiAtOwzR0Kae;{%nN55=>YM@ztAz+)e-_lD{El2P@fHfaC-d$xIwl
z5Ewy-r3DKthan0&jnFRaw%o>yW7w1j=KfS{?h4DwTQ<F`K^ceh6a4QGLpSQa1oOs0
z7C>x}9gx=`??67LqQYhfW5yavNv*fHS4>WQg@A7@LFqj~Clu7BppznvIKAjfM0SLl
zj_5i{M|@o5QI?*x^z<~Zm2`DTSBJP~(wdRh&hYe0duMa)=#m5}qt=vrn)l+E)Y9%(
z?S9qnSM7fF&->NnaXz+uCp!NJd=?k?^sdYMdRM!3{oYsc+>r~VCP?PsqHVW}_E-2O
z_5C2esYB=60eSfc_~vwiZvq+!`9_abK?p*d5<@G+ln$Yo^?ei*0v07Axf?LdvIcr#
zO^nkQwFJ8qTk&Ix0fXL1P>ewE1M8BO$UWc~5@#2xGjTw`FeHW#spZ4L)baxzjatqD
lGh{)of!qUOAkRSFfV}?|wd_K`=l_dZege5pVpsnX005fh)NTL(

diff --git a/packages/evasive-transform/test/test-transform-comment.js b/packages/evasive-transform/test/test-transform-comment.js
index 0e0318ec5c..6a13033836 100644
--- a/packages/evasive-transform/test/test-transform-comment.js
+++ b/packages/evasive-transform/test/test-transform-comment.js
@@ -24,7 +24,7 @@ test('transformComment() - defang HTML comment', async t => {
     value: '<!-- evil code -->',
   });
   transformComment(comment);
-  t.is(comment.value, '<!\u{2010}- evil code -\u{2010}>');
+  t.is(comment.value, '<!=- evil code -=>');
 });
 
 test('transformComment() - rewrite suspicious import(...)', async t => {
@@ -37,9 +37,7 @@ test('transformComment() - rewrite suspicious import(...)', async t => {
   transformComment(comment);
   t.regex(
     comment.value,
-    new RegExp(
-      "\\* @type \\{im\u{440}ort\\('c:\\\\My Documents\\\\user\\.js'\\)",
-    ),
+    new RegExp("\\* @type \\{IMPORT\\('c:\\\\My Documents\\\\user\\.js'\\)"),
   );
 });