From 584632f3aed8cb844a9f6f2afd32e5e41f035e40 Mon Sep 17 00:00:00 2001 
From: Tim Perry Date: Tue, 2 Jul 2024 19:54:52 +0200 Subject: [PATCH] Add more escaping cases for header keys Most examples already handle this correctly, just tweaks required for R and HTTPie. I had assumed these were invalid header names, but apparently that's not actually correct! --- src/targets/r/httr.js | 7 ++++++- src/targets/shell/httpie.js | 9 +++++++-- test/fixtures/output/c/libcurl/malicious.c | 5 +++++ .../output/clojure/clj_http/malicious.clj | 7 ++++++- .../output/csharp/httpclient/malicious.cs | 5 +++++ .../output/csharp/restsharp/malicious.cs | 5 +++++ test/fixtures/output/go/native/malicious.go | 5 +++++ test/fixtures/output/http/1.1/malicious | 5 +++++ .../output/java/asynchttp/malicious.java | 5 +++++ .../output/java/nethttp/malicious.java | 5 +++++ .../output/java/okhttp/malicious.java | 5 +++++ .../output/java/unirest/malicious.java | 5 +++++ .../output/javascript/axios/malicious.js | 5 +++++ .../output/javascript/fetch/malicious.js | 5 +++++ .../output/javascript/jquery/malicious.js | 5 +++++ .../output/javascript/xhr/malicious.js | 5 +++++ .../output/kotlin/okhttp/malicious.kt | 5 +++++ test/fixtures/output/node/axios/malicious.js | 5 +++++ test/fixtures/output/node/fetch/malicious.js | 5 +++++ test/fixtures/output/node/native/malicious.js | 5 +++++ .../fixtures/output/node/request/malicious.js | 5 +++++ .../fixtures/output/node/unirest/malicious.js | 5 +++++ .../output/objc/nsurlsession/malicious.m | 7 ++++++- .../fixtures/output/ocaml/cohttp/malicious.ml | 5 +++++ test/fixtures/output/php/curl/malicious.php | 5 +++++ test/fixtures/output/php/http1/malicious.php | 5 +++++ test/fixtures/output/php/http2/malicious.php | 5 +++++ .../powershell/restmethod/malicious.ps1 | 5 +++++ .../powershell/webrequest/malicious.ps1 | 5 +++++ .../output/python/python3/malicious.py | 5 +++++ .../output/python/requests/malicious.py | 5 +++++ test/fixtures/output/r/httr/malicious.r | 2 +- test/fixtures/output/ruby/native/malicious.rb | 5 +++++ 
test/fixtures/output/shell/curl/malicious.sh | 5 +++++ .../output/shell/httpie/application-json.sh | 2 +- .../fixtures/output/shell/httpie/malicious.sh | 7 ++++++- test/fixtures/output/shell/wget/malicious.sh | 5 +++++ .../output/swift/nsurlsession/malicious.swift | 5 +++++ test/fixtures/requests/malicious.json | 20 +++++++++++++++++++ 39 files changed, 208 insertions(+), 8 deletions(-)
diff --git a/src/targets/r/httr.js b/src/targets/r/httr.js
index 11ba99a..0b815a6 100644
--- a/src/targets/r/httr.js
+++ b/src/targets/r/httr.js
@@ -106,7 +106,12 @@ module.exports = function (source, options) {
 const otherHeaders = Object.entries(source.allHeaders)
 // These headers are all handled separately:
 .filter(([key]) => !['cookie', 'accept', 'content-type'].includes(key.toLowerCase()))
- .map(([key, value]) => `${key.replace(/-/g, '_')} = '${escape(value, { delimiter: "'" })}'`)
+ .map(([key, value]) => {
+ const safeKey = key.match(/^[a-zA-Z][a-zA-Z0-9_.-]*$/)
+ ? key.replace(/-/g, '_')
+ : '"' + escape(key) + '"'
+ return `${safeKey} = '${escape(value, { delimiter: "'" })}'`
+ })
 .join(', ')
 const setHeaders = otherHeaders
diff --git a/src/targets/shell/httpie.js b/src/targets/shell/httpie.js
index 40b0338..0836ff2 100644
--- a/src/targets/shell/httpie.js
+++ b/src/targets/shell/httpie.js
@@ -90,7 +90,7 @@ module.exports = function (source, options) {
 // construct headers
 Object.keys(source.allHeaders).sort().forEach(function (key) {
- code.push('%s:%s', key, shell.quote(source.allHeaders[key]))
+ code.push('%s:%s', shell.quote(key), shell.quote(source.allHeaders[key]))
 })
 if (source.postData.mimeType === 'application/x-www-form-urlencoded') {
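Review bot: In the quoted-key branch, `escape(key)` is called without a `delimiter`, while the value on the following line is escaped with `{ delimiter: "'" }`; because the key is wrapped in double quotes, a `"` inside a header name is only neutralised if escape's default delimiter happens to be `"`, which nothing in the hunk shows, and the new fixtures cover `'`, backtick, `$`, `#` and `%` keys but no `"` key, so that case is untested. Passing it explicitly, `: '"' + escape(key, { delimiter: '"' }) + '"'`, keeps the two calls consistent and the generated R expression well-formed for any name. Separately, `key.match(...)` is used only as a boolean, so `/^[a-zA-Z][a-zA-Z0-9_.-]*$/.test(key)` reads more directly. The enclosing `module.exports` function starts and ends outside the hunk.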
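Review bot: `shell.quote(key)` on the changed line only protects the shell; HTTPie then parses the unquoted `key:value` token with its own item grammar, which (if I read it correctly) treats `=`, `==`, `:=` and `@` as separators and backslash as its escape, so a header name containing `=` or `@` would still be reinterpreted as a data field or file item rather than a header. The new fixtures (`'`, backtick, `$`, `#`, `%`) contain no such name, so the generated command is untested for it. Either escape those characters for HTTPie before quoting, or at least record the limitation next to the line, e.g. `// shell.quote guards the shell only; HTTPie's own separators (=, ==, :=, @) are not escaped here`. The enclosing function starts and ends outside the hunk.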
@@ -109,7 +109,12 @@ module.exports = function (source, options) {
 code.unshift('http %s%s %s', flags.length ? flags.join(' ') + ' ' : '', source.method, shell.quote(opts.queryParams ? source.url : source.fullUrl))
 if (raw && source.postData.text) {
- code.unshift('echo %s | ', shell.quote(source.postData.text))
+ if (source.postData.text.includes('\\')) {
+ // Printf handles escape characters more clearly & portably than echo
+ code.unshift("printf '%%s' %s | ", shell.quote(source.postData.text))
+ } else {
+ code.unshift('echo %s | ', shell.quote(source.postData.text))
+ }
 }
 return code.join()
diff --git a/test/fixtures/output/c/libcurl/malicious.c b/test/fixtures/output/c/libcurl/malicious.c
index 21f004d..b521db5 100644
--- a/test/fixtures/output/c/libcurl/malicious.c
+++ b/test/fixtures/output/c/libcurl/malicious.c
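Review bot: The new branch falls back to `echo` whenever the body contains no backslash, but backslashes are not echo's only portability hole: bash and dash consume a leading `-n` (bash also `-e`/`-E`) as an option, so a body such as `-n foo` would lose its first word even though it takes the `echo` path. Since `printf '%%s'` is correct for every body, the `includes('\\')` test can go and the single line `code.unshift("printf '%%s' %s | ", shell.quote(source.postData.text))` used unconditionally, keeping the existing comment as its justification. The enclosing function starts and ends outside the hunk.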
@@ -4,11 +4,16 @@ curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST"); curl_easy_setopt(hnd, CURLOPT_URL, "http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C"); struct curl_slist *headers = NULL; +headers = curl_slist_append(headers, "': squote-key-test"); headers = curl_slist_append(headers, "squote-value-test: '"); headers = curl_slist_append(headers, "dquote-value-test: \""); +headers = curl_slist_append(headers, "`: backtick-key-test"); headers = curl_slist_append(headers, "backtick-value-test: `"); +headers = curl_slist_append(headers, "$: dollar-key-test"); headers = curl_slist_append(headers, "dollar-parenthesis-value-test: $("); +headers = curl_slist_append(headers, "#: hash-key-test"); headers = curl_slist_append(headers, "hash-brace-value-test: #{"); +headers = curl_slist_append(headers, "%: percent-key-test"); headers = curl_slist_append(headers, "percent-parenthesis-value-test: %("); headers = curl_slist_append(headers, "percent-brace-value-test: %{"); headers = curl_slist_append(headers, "double-brace-value-test: {{"); diff --git a/test/fixtures/output/clojure/clj_http/malicious.clj b/test/fixtures/output/clojure/clj_http/malicious.clj index 9c99ba8..9f74137 100644 --- a/test/fixtures/output/clojure/clj_http/malicious.clj +++ b/test/fixtures/output/clojure/clj_http/malicious.clj 
@@ -1,10 +1,15 @@ (require '[clj-http.client :as client]) -(client/post "http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//" {:headers {:squote-value-test "'" +(client/post "http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//" {:headers {"'" "squote-key-test" + :squote-value-test "'" :dquote-value-test "\"" + "`" "backtick-key-test" :backtick-value-test "`" + "$" "dollar-key-test" :dollar-parenthesis-value-test "$(" + "#" "hash-key-test" :hash-brace-value-test "#{" + "%" "percent-key-test" :percent-parenthesis-value-test "%(" :percent-brace-value-test "%{" :double-brace-value-test "{{" diff --git a/test/fixtures/output/csharp/httpclient/malicious.cs b/test/fixtures/output/csharp/httpclient/malicious.cs index b88e5e2..7524b59 100644 --- a/test/fixtures/output/csharp/httpclient/malicious.cs +++ b/test/fixtures/output/csharp/httpclient/malicious.cs @@ -5,11 +5,16 @@ RequestUri = new Uri("http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C"), Headers = { + { "'", "squote-key-test" }, { "squote-value-test", "'" }, { "dquote-value-test", "\"" }, + { "`", "backtick-key-test" }, { "backtick-value-test", "`" }, + { "$", "dollar-key-test" }, { "dollar-parenthesis-value-test", "$(" }, + { "#", "hash-key-test" }, { "hash-brace-value-test", "#{" }, + { "%", "percent-key-test" }, { "percent-parenthesis-value-test", "%(" }, { "percent-brace-value-test", "%{" }, { "double-brace-value-test", "{{" }, 
diff --git a/test/fixtures/output/csharp/restsharp/malicious.cs b/test/fixtures/output/csharp/restsharp/malicious.cs index 91dca32..02140dd 100644 --- a/test/fixtures/output/csharp/restsharp/malicious.cs +++ b/test/fixtures/output/csharp/restsharp/malicious.cs @@ -1,10 +1,15 @@ var client = new RestClient("http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C"); var request = new RestRequest(Method.POST); +request.AddHeader("'", "squote-key-test"); request.AddHeader("squote-value-test", "'"); request.AddHeader("dquote-value-test", "\""); +request.AddHeader("`", "backtick-key-test"); request.AddHeader("backtick-value-test", "`"); +request.AddHeader("$", "dollar-key-test"); request.AddHeader("dollar-parenthesis-value-test", "$("); +request.AddHeader("#", "hash-key-test"); request.AddHeader("hash-brace-value-test", "#{"); +request.AddHeader("%", "percent-key-test"); request.AddHeader("percent-parenthesis-value-test", "%("); request.AddHeader("percent-brace-value-test", "%{"); request.AddHeader("double-brace-value-test", "{{"); diff --git a/test/fixtures/output/go/native/malicious.go b/test/fixtures/output/go/native/malicious.go index 70c67a9..0e89205 100644 --- a/test/fixtures/output/go/native/malicious.go +++ b/test/fixtures/output/go/native/malicious.go 
@@ -15,11 +15,16 @@ func main() { req, _ := http.NewRequest("POST", url, payload) + req.Header.Add("'", "squote-key-test") req.Header.Add("squote-value-test", "'") req.Header.Add("dquote-value-test", "\"") + req.Header.Add("`", "backtick-key-test") req.Header.Add("backtick-value-test", "`") + req.Header.Add("$", "dollar-key-test") req.Header.Add("dollar-parenthesis-value-test", "$(") + req.Header.Add("#", "hash-key-test") req.Header.Add("hash-brace-value-test", "#{") + req.Header.Add("%", "percent-key-test") req.Header.Add("percent-parenthesis-value-test", "%(") req.Header.Add("percent-brace-value-test", "%{") req.Header.Add("double-brace-value-test", "{{") diff --git a/test/fixtures/output/http/1.1/malicious b/test/fixtures/output/http/1.1/malicious index 114186f..107f1af 100644 --- a/test/fixtures/output/http/1.1/malicious +++ b/test/fixtures/output/http/1.1/malicious @@ -1,9 +1,14 @@ POST /%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C HTTP/1.1 +': squote-key-test Squote-Value-Test: ' Dquote-Value-Test: " +`: backtick-key-test Backtick-Value-Test: ` +$: dollar-key-test Dollar-Parenthesis-Value-Test: $( +#: hash-key-test Hash-Brace-Value-Test: #{ +%: percent-key-test Percent-Parenthesis-Value-Test: %( Percent-Brace-Value-Test: %{ Double-Brace-Value-Test: {{ diff --git a/test/fixtures/output/java/asynchttp/malicious.java b/test/fixtures/output/java/asynchttp/malicious.java index 7ff3d80..763dab9 100644 
--- a/test/fixtures/output/java/asynchttp/malicious.java +++ b/test/fixtures/output/java/asynchttp/malicious.java @@ -1,10 +1,15 @@ AsyncHttpClient client = new DefaultAsyncHttpClient(); client.prepare("POST", "http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C") + .setHeader("'", "squote-key-test") .setHeader("squote-value-test", "'") .setHeader("dquote-value-test", "\"") + .setHeader("`", "backtick-key-test") .setHeader("backtick-value-test", "`") + .setHeader("$", "dollar-key-test") .setHeader("dollar-parenthesis-value-test", "$(") + .setHeader("#", "hash-key-test") .setHeader("hash-brace-value-test", "#{") + .setHeader("%", "percent-key-test") .setHeader("percent-parenthesis-value-test", "%(") .setHeader("percent-brace-value-test", "%{") .setHeader("double-brace-value-test", "{{") diff --git a/test/fixtures/output/java/nethttp/malicious.java b/test/fixtures/output/java/nethttp/malicious.java index cd72894..e227616 100644 --- a/test/fixtures/output/java/nethttp/malicious.java +++ b/test/fixtures/output/java/nethttp/malicious.java 
@@ -1,10 +1,15 @@ HttpRequest request = HttpRequest.newBuilder() .uri(URI.create("http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C")) + .header("'", "squote-key-test") .header("squote-value-test", "'") .header("dquote-value-test", "\"") + .header("`", "backtick-key-test") .header("backtick-value-test", "`") + .header("$", "dollar-key-test") .header("dollar-parenthesis-value-test", "$(") + .header("#", "hash-key-test") .header("hash-brace-value-test", "#{") + .header("%", "percent-key-test") .header("percent-parenthesis-value-test", "%(") .header("percent-brace-value-test", "%{") .header("double-brace-value-test", "{{") diff --git a/test/fixtures/output/java/okhttp/malicious.java b/test/fixtures/output/java/okhttp/malicious.java index 13d2499..008bb7c 100644 --- a/test/fixtures/output/java/okhttp/malicious.java +++ b/test/fixtures/output/java/okhttp/malicious.java 
@@ -5,11 +5,16 @@ Request request = new Request.Builder() .url("http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C") .post(body) + .addHeader("'", "squote-key-test") .addHeader("squote-value-test", "'") .addHeader("dquote-value-test", "\"") + .addHeader("`", "backtick-key-test") .addHeader("backtick-value-test", "`") + .addHeader("$", "dollar-key-test") .addHeader("dollar-parenthesis-value-test", "$(") + .addHeader("#", "hash-key-test") .addHeader("hash-brace-value-test", "#{") + .addHeader("%", "percent-key-test") .addHeader("percent-parenthesis-value-test", "%(") .addHeader("percent-brace-value-test", "%{") .addHeader("double-brace-value-test", "{{") diff --git a/test/fixtures/output/java/unirest/malicious.java b/test/fixtures/output/java/unirest/malicious.java index 346a5ce..85f1906 100644 --- a/test/fixtures/output/java/unirest/malicious.java +++ b/test/fixtures/output/java/unirest/malicious.java 
@@ -1,9 +1,14 @@ HttpResponse response = Unirest.post("http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C") + .header("'", "squote-key-test") .header("squote-value-test", "'") .header("dquote-value-test", "\"") + .header("`", "backtick-key-test") .header("backtick-value-test", "`") + .header("$", "dollar-key-test") .header("dollar-parenthesis-value-test", "$(") + .header("#", "hash-key-test") .header("hash-brace-value-test", "#{") + .header("%", "percent-key-test") .header("percent-parenthesis-value-test", "%(") .header("percent-brace-value-test", "%{") .header("double-brace-value-test", "{{") diff --git a/test/fixtures/output/javascript/axios/malicious.js b/test/fixtures/output/javascript/axios/malicious.js index c6a440e..c0435b0 100644 --- a/test/fixtures/output/javascript/axios/malicious.js +++ b/test/fixtures/output/javascript/axios/malicious.js @@ -28,11 +28,16 @@ const options = { 'slash-value-test': '\\' }, headers: { + '\'': 'squote-key-test', 'squote-value-test': '\'', 'dquote-value-test': '"', + '`': 'backtick-key-test', 'backtick-value-test': '`', + $: 'dollar-key-test', 'dollar-parenthesis-value-test': '$(', + '#': 'hash-key-test', 'hash-brace-value-test': '#{', + '%': 'percent-key-test', 'percent-parenthesis-value-test': '%(', 'percent-brace-value-test': '%{', 'double-brace-value-test': '{{', 
diff --git a/test/fixtures/output/javascript/fetch/malicious.js b/test/fixtures/output/javascript/fetch/malicious.js index 3a02317..4fd3ce1 100644 --- a/test/fixtures/output/javascript/fetch/malicious.js +++ b/test/fixtures/output/javascript/fetch/malicious.js @@ -1,11 +1,16 @@ const options = { method: 'POST', headers: { + '\'': 'squote-key-test', 'squote-value-test': '\'', 'dquote-value-test': '"', + '`': 'backtick-key-test', 'backtick-value-test': '`', + $: 'dollar-key-test', 'dollar-parenthesis-value-test': '$(', + '#': 'hash-key-test', 'hash-brace-value-test': '#{', + '%': 'percent-key-test', 'percent-parenthesis-value-test': '%(', 'percent-brace-value-test': '%{', 'double-brace-value-test': '{{', diff --git a/test/fixtures/output/javascript/jquery/malicious.js b/test/fixtures/output/javascript/jquery/malicious.js index 476209e..b6ccbb6 100644 --- a/test/fixtures/output/javascript/jquery/malicious.js +++ b/test/fixtures/output/javascript/jquery/malicious.js 
@@ -4,11 +4,16 @@ const settings = { "url": "http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C", "method": "POST", "headers": { + "'": "squote-key-test", "squote-value-test": "'", "dquote-value-test": "\"", + "`": "backtick-key-test", "backtick-value-test": "`", + "$": "dollar-key-test", "dollar-parenthesis-value-test": "$(", + "#": "hash-key-test", "hash-brace-value-test": "#{", + "%": "percent-key-test", "percent-parenthesis-value-test": "%(", "percent-brace-value-test": "%{", "double-brace-value-test": "{{", diff --git a/test/fixtures/output/javascript/xhr/malicious.js b/test/fixtures/output/javascript/xhr/malicious.js index d998152..08c9797 100644 --- a/test/fixtures/output/javascript/xhr/malicious.js +++ b/test/fixtures/output/javascript/xhr/malicious.js 
@@ -10,11 +10,16 @@ xhr.addEventListener("readystatechange", function () { }); xhr.open("POST", "http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C"); +xhr.setRequestHeader("'", "squote-key-test"); xhr.setRequestHeader("squote-value-test", "'"); xhr.setRequestHeader("dquote-value-test", "\""); +xhr.setRequestHeader("`", "backtick-key-test"); xhr.setRequestHeader("backtick-value-test", "`"); +xhr.setRequestHeader("$", "dollar-key-test"); xhr.setRequestHeader("dollar-parenthesis-value-test", "$("); +xhr.setRequestHeader("#", "hash-key-test"); xhr.setRequestHeader("hash-brace-value-test", "#{"); +xhr.setRequestHeader("%", "percent-key-test"); xhr.setRequestHeader("percent-parenthesis-value-test", "%("); xhr.setRequestHeader("percent-brace-value-test", "%{"); xhr.setRequestHeader("double-brace-value-test", "{{"); diff --git a/test/fixtures/output/kotlin/okhttp/malicious.kt b/test/fixtures/output/kotlin/okhttp/malicious.kt index ccd65e0..95d5e9f 100644 --- a/test/fixtures/output/kotlin/okhttp/malicious.kt +++ b/test/fixtures/output/kotlin/okhttp/malicious.kt 
@@ -5,11 +5,16 @@ val body = RequestBody.create(mediaType, "' \" ` $( #{ %( %{ {{ \\0 %s \\") val request = Request.Builder() .url("http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C") .post(body) + .addHeader("'", "squote-key-test") .addHeader("squote-value-test", "'") .addHeader("dquote-value-test", "\"") + .addHeader("`", "backtick-key-test") .addHeader("backtick-value-test", "`") + .addHeader("$", "dollar-key-test") .addHeader("dollar-parenthesis-value-test", "$(") + .addHeader("#", "hash-key-test") .addHeader("hash-brace-value-test", "#{") + .addHeader("%", "percent-key-test") .addHeader("percent-parenthesis-value-test", "%(") .addHeader("percent-brace-value-test", "%{") .addHeader("double-brace-value-test", "{{") diff --git a/test/fixtures/output/node/axios/malicious.js b/test/fixtures/output/node/axios/malicious.js index c0c381f..0c3bc7c 100644 --- a/test/fixtures/output/node/axios/malicious.js +++ b/test/fixtures/output/node/axios/malicious.js 
@@ -28,11 +28,16 @@ var options = { 'slash-value-test': '\\' }, headers: { + '\'': 'squote-key-test', 'squote-value-test': '\'', 'dquote-value-test': '"', + '`': 'backtick-key-test', 'backtick-value-test': '`', + $: 'dollar-key-test', 'dollar-parenthesis-value-test': '$(', + '#': 'hash-key-test', 'hash-brace-value-test': '#{', + '%': 'percent-key-test', 'percent-parenthesis-value-test': '%(', 'percent-brace-value-test': '%{', 'double-brace-value-test': '{{', diff --git a/test/fixtures/output/node/fetch/malicious.js b/test/fixtures/output/node/fetch/malicious.js index 6f286b7..a50f8e9 100644 --- a/test/fixtures/output/node/fetch/malicious.js +++ b/test/fixtures/output/node/fetch/malicious.js @@ -5,11 +5,16 @@ let url = 'http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//?\'=squote-key-test& let options = { method: 'POST', headers: { + '\'': 'squote-key-test', 'squote-value-test': '\'', 'dquote-value-test': '"', + '`': 'backtick-key-test', 'backtick-value-test': '`', + $: 'dollar-key-test', 'dollar-parenthesis-value-test': '$(', + '#': 'hash-key-test', 'hash-brace-value-test': '#{', + '%': 'percent-key-test', 'percent-parenthesis-value-test': '%(', 'percent-brace-value-test': '%{', 'double-brace-value-test': '{{', diff --git a/test/fixtures/output/node/native/malicious.js b/test/fixtures/output/node/native/malicious.js index 830baac..13db86e 100644 --- a/test/fixtures/output/node/native/malicious.js +++ b/test/fixtures/output/node/native/malicious.js 
@@ -6,11 +6,16 @@ const options = { "port": null, "path": "/%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C", "headers": { + "'": "squote-key-test", "squote-value-test": "'", "dquote-value-test": "\"", + "`": "backtick-key-test", "backtick-value-test": "`", + "$": "dollar-key-test", "dollar-parenthesis-value-test": "$(", + "#": "hash-key-test", "hash-brace-value-test": "#{", + "%": "percent-key-test", "percent-parenthesis-value-test": "%(", "percent-brace-value-test": "%{", "double-brace-value-test": "{{", diff --git a/test/fixtures/output/node/request/malicious.js b/test/fixtures/output/node/request/malicious.js index f502254..e289ee6 100644 --- a/test/fixtures/output/node/request/malicious.js +++ b/test/fixtures/output/node/request/malicious.js @@ -28,11 +28,16 @@ const options = { 'slash-value-test': '\\' }, headers: { + '\'': 'squote-key-test', 'squote-value-test': '\'', 'dquote-value-test': '"', + '`': 'backtick-key-test', 'backtick-value-test': '`', + $: 'dollar-key-test', 'dollar-parenthesis-value-test': '$(', + '#': 'hash-key-test', 'hash-brace-value-test': '#{', + '%': 'percent-key-test', 'percent-parenthesis-value-test': '%(', 'percent-brace-value-test': '%{', 'double-brace-value-test': '{{', diff --git a/test/fixtures/output/node/unirest/malicious.js b/test/fixtures/output/node/unirest/malicious.js index 58f76fd..d082c42 100644 --- a/test/fixtures/output/node/unirest/malicious.js 
+++ b/test/fixtures/output/node/unirest/malicious.js @@ -28,11 +28,16 @@ req.query({ }); req.headers({ + "'": "squote-key-test", "squote-value-test": "'", "dquote-value-test": "\"", + "`": "backtick-key-test", "backtick-value-test": "`", + "$": "dollar-key-test", "dollar-parenthesis-value-test": "$(", + "#": "hash-key-test", "hash-brace-value-test": "#{", + "%": "percent-key-test", "percent-parenthesis-value-test": "%(", "percent-brace-value-test": "%{", "double-brace-value-test": "{{", diff --git a/test/fixtures/output/objc/nsurlsession/malicious.m b/test/fixtures/output/objc/nsurlsession/malicious.m index 9c5ff77..66f2cc5 100644 --- a/test/fixtures/output/objc/nsurlsession/malicious.m +++ b/test/fixtures/output/objc/nsurlsession/malicious.m @@ -1,10 +1,15 @@ #import -NSDictionary *headers = @{ @"squote-value-test": @"'", +NSDictionary *headers = @{ @"'": @"squote-key-test", + @"squote-value-test": @"'", @"dquote-value-test": @"\"", + @"`": @"backtick-key-test", @"backtick-value-test": @"`", + @"$": @"dollar-key-test", @"dollar-parenthesis-value-test": @"$(", + @"#": @"hash-key-test", @"hash-brace-value-test": @"#{", + @"%": @"percent-key-test", @"percent-parenthesis-value-test": @"%(", @"percent-brace-value-test": @"%{", @"double-brace-value-test": @"{{", diff --git a/test/fixtures/output/ocaml/cohttp/malicious.ml b/test/fixtures/output/ocaml/cohttp/malicious.ml index 20b0757..ada920e 100644 --- a/test/fixtures/output/ocaml/cohttp/malicious.ml +++ b/test/fixtures/output/ocaml/cohttp/malicious.ml 
@@ -4,11 +4,16 @@ open Lwt let uri = Uri.of_string "http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C" in let headers = Header.add_list (Header.init ()) [ + ("'", "squote-key-test"); ("squote-value-test", "'"); ("dquote-value-test", "\""); + ("`", "backtick-key-test"); ("backtick-value-test", "`"); + ("$", "dollar-key-test"); ("dollar-parenthesis-value-test", "$("); + ("#", "hash-key-test"); ("hash-brace-value-test", "#{"); + ("%", "percent-key-test"); ("percent-parenthesis-value-test", "%("); ("percent-brace-value-test", "%{"); ("double-brace-value-test", "{{"); diff --git a/test/fixtures/output/php/curl/malicious.php b/test/fixtures/output/php/curl/malicious.php index 10b4e54..11012f6 100644 --- a/test/fixtures/output/php/curl/malicious.php +++ b/test/fixtures/output/php/curl/malicious.php @@ -12,6 +12,11 @@ CURLOPT_CUSTOMREQUEST => "POST", CURLOPT_POSTFIELDS => "' \" ` $( #{ %( %{ {{ \\0 %s \\", CURLOPT_HTTPHEADER => [ + "#: hash-key-test", + "$: dollar-key-test", + "%: percent-key-test", + "': squote-key-test", + "`: backtick-key-test", "backtick-value-test: `", "dollar-parenthesis-value-test: $(", "double-brace-value-test: {{", diff --git a/test/fixtures/output/php/http1/malicious.php b/test/fixtures/output/php/http1/malicious.php index de63752..99ba255 100644 --- a/test/fixtures/output/php/http1/malicious.php +++ b/test/fixtures/output/php/http1/malicious.php 
@@ -30,11 +30,16 @@ ]); $request->setHeaders([ + '\'' => 'squote-key-test', 'squote-value-test' => '\'', 'dquote-value-test' => '"', + '`' => 'backtick-key-test', 'backtick-value-test' => '`', + '$' => 'dollar-key-test', 'dollar-parenthesis-value-test' => '$(', + '#' => 'hash-key-test', 'hash-brace-value-test' => '#{', + '%' => 'percent-key-test', 'percent-parenthesis-value-test' => '%(', 'percent-brace-value-test' => '%{', 'double-brace-value-test' => '{{', diff --git a/test/fixtures/output/php/http2/malicious.php b/test/fixtures/output/php/http2/malicious.php index 0dea61b..b21bac8 100644 --- a/test/fixtures/output/php/http2/malicious.php +++ b/test/fixtures/output/php/http2/malicious.php @@ -36,11 +36,16 @@ ])); $request->setHeaders([ + '\'' => 'squote-key-test', 'squote-value-test' => '\'', 'dquote-value-test' => '"', + '`' => 'backtick-key-test', 'backtick-value-test' => '`', + '$' => 'dollar-key-test', 'dollar-parenthesis-value-test' => '$(', + '#' => 'hash-key-test', 'hash-brace-value-test' => '#{', + '%' => 'percent-key-test', 'percent-parenthesis-value-test' => '%(', 'percent-brace-value-test' => '%{', 'double-brace-value-test' => '{{', diff --git a/test/fixtures/output/powershell/restmethod/malicious.ps1 b/test/fixtures/output/powershell/restmethod/malicious.ps1 index da17c73..1ede1d0 100644 --- a/test/fixtures/output/powershell/restmethod/malicious.ps1 +++ b/test/fixtures/output/powershell/restmethod/malicious.ps1 
@@ -1,9 +1,14 @@
 $headers=@{}
+$headers.Add('''', 'squote-key-test')
 $headers.Add('squote-value-test', '''')
 $headers.Add('dquote-value-test', '"')
+$headers.Add('`', 'backtick-key-test')
 $headers.Add('backtick-value-test', '`')
+$headers.Add('$', 'dollar-key-test')
 $headers.Add('dollar-parenthesis-value-test', '$(')
+$headers.Add('#', 'hash-key-test')
 $headers.Add('hash-brace-value-test', '#{')
+$headers.Add('%', 'percent-key-test')
 $headers.Add('percent-parenthesis-value-test', '%(')
 $headers.Add('percent-brace-value-test', '%{')
 $headers.Add('double-brace-value-test', '{{')
diff --git a/test/fixtures/output/powershell/webrequest/malicious.ps1 b/test/fixtures/output/powershell/webrequest/malicious.ps1
index 4676ad7..026ffb0 100644
--- a/test/fixtures/output/powershell/webrequest/malicious.ps1
+++ b/test/fixtures/output/powershell/webrequest/malicious.ps1
@@ -1,9 +1,14 @@
 $headers=@{}
+$headers.Add('''', 'squote-key-test')
 $headers.Add('squote-value-test', '''')
 $headers.Add('dquote-value-test', '"')
+$headers.Add('`', 'backtick-key-test')
 $headers.Add('backtick-value-test', '`')
+$headers.Add('$', 'dollar-key-test')
 $headers.Add('dollar-parenthesis-value-test', '$(')
+$headers.Add('#', 'hash-key-test')
 $headers.Add('hash-brace-value-test', '#{')
+$headers.Add('%', 'percent-key-test')
 $headers.Add('percent-parenthesis-value-test', '%(')
 $headers.Add('percent-brace-value-test', '%{')
 $headers.Add('double-brace-value-test', '{{')
diff --git a/test/fixtures/output/python/python3/malicious.py b/test/fixtures/output/python/python3/malicious.py
index 706ecd0..9d5ecd8 100644
--- a/test/fixtures/output/python/python3/malicious.py
+++ b/test/fixtures/output/python/python3/malicious.py
@@ -5,11 +5,16 @@
 payload = "' \" ` $( #{ %( %{ {{ \\0 %s \\"
 headers = {
+ "'": "squote-key-test",
 "squote-value-test": "'",
 "dquote-value-test": "\"",
+ "`": "backtick-key-test",
 "backtick-value-test": "`",
+ "$": "dollar-key-test",
 "dollar-parenthesis-value-test": "$(",
+ "#": "hash-key-test",
 "hash-brace-value-test": "#{",
+ "%": "percent-key-test",
 "percent-parenthesis-value-test": "%(",
 "percent-brace-value-test": "%{",
 "double-brace-value-test": "{{",
diff --git a/test/fixtures/output/python/requests/malicious.py b/test/fixtures/output/python/requests/malicious.py
index 0e9a043..14eb9dd 100644
--- a/test/fixtures/output/python/requests/malicious.py
+++ b/test/fixtures/output/python/requests/malicious.py
@@ -29,11 +29,16 @@
 payload = "' \" ` $( #{ %( %{ {{ \\0 %s \\"
 headers = {
+ "'": "squote-key-test",
 "squote-value-test": "'",
 "dquote-value-test": "\"",
+ "`": "backtick-key-test",
 "backtick-value-test": "`",
+ "$": "dollar-key-test",
 "dollar-parenthesis-value-test": "$(",
+ "#": "hash-key-test",
 "hash-brace-value-test": "#{",
+ "%": "percent-key-test",
 "percent-parenthesis-value-test": "%(",
 "percent-brace-value-test": "%{",
 "double-brace-value-test": "{{",
diff --git a/test/fixtures/output/r/httr/malicious.r b/test/fixtures/output/r/httr/malicious.r
index 8275064..ac36ea6 100644
--- a/test/fixtures/output/r/httr/malicious.r
+++ b/test/fixtures/output/r/httr/malicious.r
@@ -31,6 +31,6 @@
 payload <- "' \" ` $( #{ %( %{ {{ \\0 %s \\"
 encode <- "raw"
-response <- VERB("POST", url, body = payload, query = queryString, add_headers(squote_value_test = '\'', dquote_value_test = '"', backtick_value_test = '`', dollar_parenthesis_value_test = '$(', hash_brace_value_test = '#{', percent_parenthesis_value_test = '%(', percent_brace_value_test = '%{', double_brace_value_test = '{{', null_value_test = '\\0', string_fmt_value_test = '%s', slash_value_test = '\\'), content_type("text/plain"), encode = encode)
+response <- VERB("POST", url, body = payload, query = queryString, add_headers("'" = 'squote-key-test', squote_value_test = '\'', dquote_value_test = '"', "`" = 'backtick-key-test', backtick_value_test = '`', "$" = 'dollar-key-test', dollar_parenthesis_value_test = '$(', "#" = 'hash-key-test', hash_brace_value_test = '#{', "%" = 'percent-key-test', percent_parenthesis_value_test = '%(', percent_brace_value_test = '%{', double_brace_value_test = '{{', null_value_test = '\\0', string_fmt_value_test = '%s', slash_value_test = '\\'), content_type("text/plain"), encode = encode)
 content(response, "text")
\ No newline at end of file
diff --git a/test/fixtures/output/ruby/native/malicious.rb b/test/fixtures/output/ruby/native/malicious.rb
index 9755a8a..6294fb8 100644
--- a/test/fixtures/output/ruby/native/malicious.rb
+++ b/test/fixtures/output/ruby/native/malicious.rb
@@ -6,11 +6,16 @@
 http = Net::HTTP.new(url.host, url.port)
 request = Net::HTTP::Post.new(url)
+request["'"] = 'squote-key-test'
 request["squote-value-test"] = '\''
 request["dquote-value-test"] = '"'
+request["`"] = 'backtick-key-test'
 request["backtick-value-test"] = '`'
+request["$"] = 'dollar-key-test'
 request["dollar-parenthesis-value-test"] = '$('
+request["#"] = 'hash-key-test'
 request["hash-brace-value-test"] = '#{'
+request["%"] = 'percent-key-test'
 request["percent-parenthesis-value-test"] = '%('
 request["percent-brace-value-test"] = '%{'
 request["double-brace-value-test"] = '{{'
diff --git a/test/fixtures/output/shell/curl/malicious.sh b/test/fixtures/output/shell/curl/malicious.sh
index 19c1c8d..ee64132 100644
--- a/test/fixtures/output/shell/curl/malicious.sh
+++ b/test/fixtures/output/shell/curl/malicious.sh
@@ -1,5 +1,10 @@
 curl --request POST \
 --url 'http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//?'\''=squote-key-test&squote-value-test='\''&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C' \
+ --header '#: hash-key-test' \
+ --header '$: dollar-key-test' \
+ --header '%: percent-key-test' \
+ --header ''\'': squote-key-test' \
+ --header '`: backtick-key-test' \
 --header 'backtick-value-test: `' \
 --header 'dollar-parenthesis-value-test: $(' \
 --header 'double-brace-value-test: {{' \
diff --git a/test/fixtures/output/shell/httpie/application-json.sh b/test/fixtures/output/shell/httpie/application-json.sh
index 073a258..979ef3a 100644
--- a/test/fixtures/output/shell/httpie/application-json.sh
+++ b/test/fixtures/output/shell/httpie/application-json.sh
@@ -1,3 +1,3 @@
-echo '{"number":1,"string":"f\"oo","arr":[1,2,3],"nested":{"a":"b"},"arr_mix":[1,"a",{"arr_mix_nested":{}}],"boolean":false}' | \
+printf '%s' '{"number":1,"string":"f\"oo","arr":[1,2,3],"nested":{"a":"b"},"arr_mix":[1,"a",{"arr_mix_nested":{}}],"boolean":false}' | \
 http POST http://mockbin.com/har \
 content-type:application/json
diff --git a/test/fixtures/output/shell/httpie/malicious.sh b/test/fixtures/output/shell/httpie/malicious.sh
index 5a44864..e9e64d3 100644
--- a/test/fixtures/output/shell/httpie/malicious.sh
+++ b/test/fixtures/output/shell/httpie/malicious.sh
@@ -1,5 +1,10 @@
-echo ''\'' " ` $( #{ %( %{ {{ \0 %s \' | \
+printf '%s' ''\'' " ` $( #{ %( %{ {{ \0 %s \' | \
 http POST 'http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//?'\''=squote-key-test&squote-value-test='\''&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C' \
+ '#':hash-key-test \
+ '$':dollar-key-test \
+ %:percent-key-test \
+ ''\''':squote-key-test \
+ '`':backtick-key-test \
 backtick-value-test:'`' \
 dollar-parenthesis-value-test:'$(' \
 double-brace-value-test:'{{' \
diff --git a/test/fixtures/output/shell/wget/malicious.sh b/test/fixtures/output/shell/wget/malicious.sh
index cdd5905..3649342 100644
--- a/test/fixtures/output/shell/wget/malicious.sh
+++ b/test/fixtures/output/shell/wget/malicious.sh
@@ -1,10 +1,15 @@
 wget --quiet \
 --method POST \
+ --header ''\'': squote-key-test' \
 --header 'squote-value-test: '\''' \
 --header 'dquote-value-test: "' \
+ --header '`: backtick-key-test' \
 --header 'backtick-value-test: `' \
+ --header '$: dollar-key-test' \
 --header 'dollar-parenthesis-value-test: $(' \
+ --header '#: hash-key-test' \
 --header 'hash-brace-value-test: #{' \
+ --header '%: percent-key-test' \
 --header 'percent-parenthesis-value-test: %(' \
 --header 'percent-brace-value-test: %{' \
 --header 'double-brace-value-test: {{' \
diff --git a/test/fixtures/output/swift/nsurlsession/malicious.swift b/test/fixtures/output/swift/nsurlsession/malicious.swift
index a6c5ff6..7dd4777 100644
--- a/test/fixtures/output/swift/nsurlsession/malicious.swift
+++ b/test/fixtures/output/swift/nsurlsession/malicious.swift
@@ -1,11 +1,16 @@
 import Foundation
 let headers = [
+ "'": "squote-key-test",
 "squote-value-test": "'",
 "dquote-value-test": "\"",
+ "`": "backtick-key-test",
 "backtick-value-test": "`",
+ "$": "dollar-key-test",
 "dollar-parenthesis-value-test": "$(",
+ "#": "hash-key-test",
 "hash-brace-value-test": "#{",
+ "%": "percent-key-test",
 "percent-parenthesis-value-test": "%(",
 "percent-brace-value-test": "%{",
 "double-brace-value-test": "{{",
diff --git a/test/fixtures/requests/malicious.json b/test/fixtures/requests/malicious.json
index 1ad354e..a701153 100644
--- a/test/fixtures/requests/malicious.json
+++ b/test/fixtures/requests/malicious.json
@@ -92,6 +92,10 @@
 }
 ],
 "headers": [
+ {
+ "name": "'",
+ "value": "squote-key-test"
+ },
 {
 "name": "squote-value-test",
 "value": "'"
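Review bot: The header names added to the malicious request fixture are all single characters (`'`, backtick, `$`, `#`, `%`), so the multi-character sequences the values already cover (`$(`, `#{`, `%(`, `{{`, `\\0`, `%s`) are never exercised as header names, even though the URL query string in the same fixture already uses `%24(` and `%23%7B` as key names. That matters because several generated outputs quote names and values differently: the php/curl fixture emits each header as one double-quoted `"name: value"` string in which `$` is passed through unescaped while `\"` and `\\` are escaped, and the ruby/native fixture double-quotes the name (`request["#"]`) but single-quotes the value, so a name such as `#{` or `${` would take a different interpolation path than the same text in a value. Adding entries like `{ "name": "#{", "value": "hash-brace-key-test" }` and `{ "name": "$(", "value": "dollar-parenthesis-key-test" }` alongside the new single-character ones would make the snapshots prove name escaping for those cases too. The headers array continues past this hunk.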
@@ -100,18 +104,34 @@
 "name": "dquote-value-test",
 "value": "\""
 },
+ {
+ "name": "`",
+ "value": "backtick-key-test"
+ },
 {
 "name": "backtick-value-test",
 "value": "`"
 },
+ {
+ "name": "$",
+ "value": "dollar-key-test"
+ },
 {
 "name": "dollar-parenthesis-value-test",
 "value": "$("
 },
+ {
+ "name": "#",
+ "value": "hash-key-test"
+ },
 {
 "name": "hash-brace-value-test",
 "value": "#{"
 },
+ {
+ "name": "%",
+ "value": "percent-key-test"
+ },
 {
 "name": "percent-parenthesis-value-test",
 "value": "%("