Fix Swift test cases for in-depth escaping scenario (and others)

httptoolkit · Jul 2, 2024 · b3a3ff7 · b3a3ff7
1 parent 0a7fa5d
commit b3a3ff7
Show file tree

Hide file tree

Showing 4 changed files with 49 additions and 10 deletions.
diff --git a/src/targets/swift/helpers.js b/src/targets/swift/helpers.js
@@ -1,6 +1,7 @@
 'use strict'
 
 const util = require('util')
+const { escape } = require('../../helpers/format')
 
 /**
  * Create an string of given length filled with blank spaces
@@ -72,7 +73,12 @@ module.exports = {
       case '[object Object]': {
         const keyValuePairs = []
         for (const k in value) {
-          keyValuePairs.push(util.format('"%s": %s', k, this.literalRepresentation(value[k], opts, indentLevel)))
+          keyValuePairs.push(
+            util.format('%s: %s',
+              this.literalRepresentation(k, opts, indentLevel),
+              this.literalRepresentation(value[k], opts, indentLevel)
+            )
+          )
         }
         return concatArray(keyValuePairs, opts.pretty && keyValuePairs.length > 1, opts.indent, indentLevel)
       }
@@ -84,7 +90,7 @@ module.exports = {
         if (value === null || value === undefined) {
           return ''
         }
-        return '"' + value.toString().replace(/"/g, '\\"') + '"'
+        return '"' + escape(value.toString()) + '"'
     }
   }
 }
diff --git a/src/targets/swift/nsurlsession.js b/src/targets/swift/nsurlsession.js
@@ -46,9 +46,9 @@ module.exports = function (source, options) {
         // we make it easier for the user to edit it according to his or her needs after pasting.
         // The user can just add/remove lines adding/removing body parameters.
         code.blank()
-          .push('let postData = NSMutableData(data: "%s=%s".data(using: String.Encoding.utf8)!)', source.postData.params[0].name, source.postData.params[0].value)
+          .push('let postData = NSMutableData(data: "%qd=%qd".data(using: String.Encoding.utf8)!)', source.postData.params[0].name, source.postData.params[0].value)
         for (let i = 1, len = source.postData.params.length; i < len; i++) {
-          code.push('postData.append("&%s=%s".data(using: String.Encoding.utf8)!)', source.postData.params[i].name, source.postData.params[i].value)
+          code.push('postData.append("&%qd=%qd".data(using: String.Encoding.utf8)!)', source.postData.params[i].name, source.postData.params[i].value)
         }
         break
 
@@ -68,7 +68,7 @@ module.exports = function (source, options) {
         */
         code.push(helpers.literalDeclaration('parameters', source.postData.params, opts))
           .blank()
-          .push('let boundary = "%s"', source.postData.boundary)
+          .push('let boundary = "%qd"', source.postData.boundary)
           .blank()
           .push('var body = ""')
           .push('var error: NSError? = nil')
@@ -93,13 +93,13 @@ module.exports = function (source, options) {
 
       default:
         code.blank()
-          .push('let postData = NSData(data: "%s".data(using: String.Encoding.utf8)!)', source.postData.text)
+          .push('let postData = NSData(data: "%qd".data(using: String.Encoding.utf8)!)', source.postData.text)
     }
   }
 
   code.blank()
     // NSURLRequestUseProtocolCachePolicy is the default policy, let's just always set it to avoid confusion.
-    .push('let request = NSMutableURLRequest(url: NSURL(string: "%s")! as URL,', source.fullUrl)
+    .push('let request = NSMutableURLRequest(url: NSURL(string: "%qd")! as URL,', source.fullUrl)
     .push('                                        cachePolicy: .useProtocolCachePolicy,')
     .push('                                    timeoutInterval: %s)', parseInt(opts.timeout, 10).toFixed(1))
     .push('request.httpMethod = "%s"', source.method)

diff --git a/test/fixtures/output/swift/nsurlsession/malicious.swift b/test/fixtures/output/swift/nsurlsession/malicious.swift
@@ -0,0 +1,36 @@
+import Foundation
+
+let headers = [
+  "squote-value-test": "'",
+  "dquote-value-test": "\"",
+  "backtick-value-test": "`",
+  "dollar-parenthesis-value-test": "$(",
+  "hash-brace-value-test": "#{",
+  "percent-parenthesis-value-test": "%(",
+  "percent-brace-value-test": "%{",
+  "double-brace-value-test": "{{",
+  "null-value-test": "\\0",
+  "string-fmt-value-test": "%s",
+  "slash-value-test": "\\"
+]
+
+let postData = NSData(data: "' \" ` $( #{ %( %{ {{ \\0 %s \\".data(using: String.Encoding.utf8)!)
+
+let request = NSMutableURLRequest(url: NSURL(string: "http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C")! as URL,
+                                        cachePolicy: .useProtocolCachePolicy,
+                                    timeoutInterval: 10.0)
+request.httpMethod = "POST"
+request.allHTTPHeaderFields = headers
+request.httpBody = postData as Data
+
+let session = URLSession.shared
+let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
+  if (error != nil) {
+    print(error)
+  } else {
+    let httpResponse = response as? HTTPURLResponse
+    print(httpResponse)
+  }
+})
+
+dataTask.resume()
diff --git a/test/targets.js b/test/targets.js
@@ -47,9 +47,6 @@ const skipMe = {
   r: {
     httr: ['malicious']
   },
-  swift: {
-    nsurlsession: ['malicious']
-  },
   '*': {
     '*': []
   }