From ebf709c31238e4c47c70060092db7d4873c1e676 Mon Sep 17 00:00:00 2001
From: Tim Perry <pimterry@gmail.com>
Date: Tue, 2 Jul 2024 17:02:10 +0200
Subject: [PATCH] Fix R test cases for in-depth escaping scenario

---
 src/targets/r/httr.js                   |  8 ++++--
 test/fixtures/output/r/httr/malicious.r | 36 +++++++++++++++++++++++++
 test/fixtures/output/r/httr/nested.r    |  2 +-
 test/targets.js                         |  3 ---
 4 files changed, 43 insertions(+), 6 deletions(-)
 create mode 100644 test/fixtures/output/r/httr/malicious.r

diff --git a/src/targets/r/httr.js b/src/targets/r/httr.js
index 5a7f557..11ba99a 100644
--- a/src/targets/r/httr.js
+++ b/src/targets/r/httr.js
@@ -41,10 +41,14 @@ module.exports = function (source, options) {
     code.push('queryString <- list(')
 
     for (const query in qs) {
+      const safeKey = query.match(/^[a-zA-Z][\w._]*$/)
+        ? query
+        : '"' + escape(query) + '"'
+
       if (count++ !== queryCount - 1) {
-        code.push('  %s = "%s",', query, qs[query].toString())
+        code.push('  %s = "%qd",', safeKey, qs[query].toString())
       } else {
-        code.push('  %s = "%s"', query, qs[query].toString())
+        code.push('  %s = "%qd"', safeKey, qs[query].toString())
       }
     }
 
diff --git a/test/fixtures/output/r/httr/malicious.r b/test/fixtures/output/r/httr/malicious.r
new file mode 100644
index 0000000..8275064
--- /dev/null
+++ b/test/fixtures/output/r/httr/malicious.r
@@ -0,0 +1,36 @@
+library(httr)
+
+url <- "http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//"
+
+queryString <- list(
+  "'" = "squote-key-test",
+  "squote-value-test" = "'",
+  "\"" = "dquote-key-test",
+  "dquote-value-test" = "\"",
+  "`" = "backtick-key-test",
+  "backtick-value-test" = "`",
+  "$(" = "dollar-parenthesis-key-test",
+  "dollar-parenthesis-value-test" = "$(",
+  "#{" = "hash-brace-key-test",
+  "hash-brace-value-test" = "#{",
+  "%(" = "percent-parenthesis-key-test",
+  "percent-parenthesis-value-test" = "%(",
+  "%{" = "percent-brace-key-test",
+  "percent-brace-value-test" = "%{",
+  "{{" = "double-brace-key-test",
+  "double-brace-value-test" = "{{",
+  "\\0" = "null-key-test",
+  "null-value-test" = "\\0",
+  "%s" = "string-fmt-key-test",
+  "string-fmt-value-test" = "%s",
+  "\\" = "slash-key-test"
+  "slash-value-test" = "\\",
+)
+
+payload <- "' \" ` $( #{ %( %{ {{ \\0 %s \\"
+
+encode <- "raw"
+
+response <- VERB("POST", url, body = payload, query = queryString, add_headers(squote_value_test = '\'', dquote_value_test = '"', backtick_value_test = '`', dollar_parenthesis_value_test = '$(', hash_brace_value_test = '#{', percent_parenthesis_value_test = '%(', percent_brace_value_test = '%{', double_brace_value_test = '{{', null_value_test = '\\0', string_fmt_value_test = '%s', slash_value_test = '\\'), content_type("text/plain"), encode = encode)
+
+content(response, "text")
\ No newline at end of file
diff --git a/test/fixtures/output/r/httr/nested.r b/test/fixtures/output/r/httr/nested.r
index 669352c..07aa1a1 100644
--- a/test/fixtures/output/r/httr/nested.r
+++ b/test/fixtures/output/r/httr/nested.r
@@ -3,7 +3,7 @@ library(httr)
 url <- "http://mockbin.com/har"
 
 queryString <- list(
-  foo[bar] = "baz,zap",
+  "foo[bar]" = "baz,zap",
   fiz = "buz"
 )
 
diff --git a/test/targets.js b/test/targets.js
index ce38024..58d77e3 100644
--- a/test/targets.js
+++ b/test/targets.js
@@ -44,9 +44,6 @@ const skipMe = {
   clojure: {
     clj_http: ['jsonObj-null-value', 'jsonObj-multiline']
   },
-  r: {
-    httr: ['malicious']
-  },
   '*': {
     '*': []
   }