Merge pull request #12 from SpeakapBV/master

Fix #11: Support double quotes in strings
cshaa · Aug 26, 2019 · 08f60d3 · 08f60d3
2 parents 3bb172a + 82d3eda
commit 08f60d3
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 8 deletions.
diff --git a/src/filtrex.js b/src/filtrex.js
@@ -140,12 +140,10 @@ function filtrexParser() {
                   return "SYMBOL";`
                 ], // 'some-symbol'
 
-                ['"(?:[^"])*"',
-                 `yytext = JSON.stringify(
-                     yytext.substr(1, yyleng-2)
-                  );
+                [`"(?:\\\\"|\\\\\\\\|[^"\\\\])*"`,
+                 `yytext = JSON.stringify(""+JSON.parse(yytext));
                   return "STRING";`
-                ], // "foo"
+                ], // "any \"escaped\" string"
 
                 // End
                 ['$', 'return "EOF";'],

diff --git a/test/security.js b/test/security.js
@@ -57,9 +57,24 @@ describe('Security', () => {
     });
 
 
-    it('does backslash escaping', () =>
-        expect( compileExpression(`"\\" + '\\'`)({'\\':'good'}) ).equals('\\good')
-    );
+    it('does backslash escaping', () => {
+        expect( compileExpression('"\\\\"')({}) ).equals('\\');
+        expect( compileExpression(`"\\\\" + '\\'`)({'\\':'good'}) ).equals('\\good');
+        expect( compileExpression(`"\\\\" + '\\\\'`)({'\\\\':'good'}) ).equals('\\good');
+
+        // Invalid escape sequences:
+        expect( () => compileExpression('"\\"') ).throws(); 
+        expect( () => compileExpression('"a\\"') ).throws();
+        expect( () => compileExpression('"a\\" == "; global.p0wned = true; //"') ).throws();
+
+        // JS escape sequences other than \" and \\ are not allowed in Filtrex strings:
+        expect( () => compileExpression('"\\r"') ).throws(); 
+        expect( () => compileExpression('"\\n"') ).throws(); 
+        expect( () => compileExpression('"\\x13"') ).throws(); 
+        expect( () => compileExpression('"\\u0013"') ).throws(); 
+
+        expect( global.p0wned ).equals(false);
+    });
 
 
     it('in() is not vulnerable to Object.prototype extensions ', () => {
@@ -76,4 +91,8 @@ describe('Security', () => {
         ).equals(undefined);
     })
 
+
+    it('supports double quotes inside strings', () => {
+        expect( compileExpression('"\\"test\\""')({}) ).equals('"test"');
+    });
 });