Fix python test cases for in-depth escaping scenario

httptoolkit · Jul 2, 2024 · 0a7fa5d · 0a7fa5d
1 parent 24847f2
commit 0a7fa5d
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 4 deletions.
diff --git a/src/targets/python/helpers.js b/src/targets/python/helpers.js
@@ -62,7 +62,12 @@ module.exports = {
       case '[object Object]': {
         const keyValuePairs = []
         for (const k in value) {
-          keyValuePairs.push(util.format('"%s": %s', k, this.literalRepresentation(value[k], opts, indentLevel)))
+          keyValuePairs.push(
+            util.format('%s: %s',
+              this.literalRepresentation(k, opts, indentLevel),
+              this.literalRepresentation(value[k], opts, indentLevel)
+            )
+          )
         }
         return concatValues('object', keyValuePairs, opts.pretty && keyValuePairs.length > 1, opts.indent, indentLevel)
       }

diff --git a/test/fixtures/output/python/requests/malicious.py b/test/fixtures/output/python/requests/malicious.py
@@ -0,0 +1,47 @@
+import requests
+
+url = "http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//"
+
+querystring = {
+    "'": "squote-key-test",
+    "squote-value-test": "'",
+    "\"": "dquote-key-test",
+    "dquote-value-test": "\"",
+    "`": "backtick-key-test",
+    "backtick-value-test": "`",
+    "$(": "dollar-parenthesis-key-test",
+    "dollar-parenthesis-value-test": "$(",
+    "#{": "hash-brace-key-test",
+    "hash-brace-value-test": "#{",
+    "%(": "percent-parenthesis-key-test",
+    "percent-parenthesis-value-test": "%(",
+    "%{": "percent-brace-key-test",
+    "percent-brace-value-test": "%{",
+    "{{": "double-brace-key-test",
+    "double-brace-value-test": "{{",
+    "\\0": "null-key-test",
+    "null-value-test": "\\0",
+    "%s": "string-fmt-key-test",
+    "string-fmt-value-test": "%s",
+    "\\": "slash-key-test",
+    "slash-value-test": "\\"
+}
+
+payload = "' \" ` $( #{ %( %{ {{ \\0 %s \\"
+headers = {
+    "squote-value-test": "'",
+    "dquote-value-test": "\"",
+    "backtick-value-test": "`",
+    "dollar-parenthesis-value-test": "$(",
+    "hash-brace-value-test": "#{",
+    "percent-parenthesis-value-test": "%(",
+    "percent-brace-value-test": "%{",
+    "double-brace-value-test": "{{",
+    "null-value-test": "\\0",
+    "string-fmt-value-test": "%s",
+    "slash-value-test": "\\"
+}
+
+response = requests.post(url, data=payload, headers=headers, params=querystring)
+
+print(response.text)
diff --git a/test/targets.js b/test/targets.js
@@ -44,9 +44,6 @@ const skipMe = {
   clojure: {
     clj_http: ['jsonObj-null-value', 'jsonObj-multiline']
   },
-  python: {
-    requests: ['malicious']
-  },
   r: {
     httr: ['malicious']
   },