From 511c6f79859a38e8c9da48744c11f267298ae772 Mon Sep 17 00:00:00 2001
From: John Berlin <n0tan3rd@gmail.com>
Date: Wed, 31 Jul 2019 18:03:42 -0400
Subject: [PATCH] ensured that the regular expressions for rewriting JavaScript
 eval usage do not match "$eval", only "eval" identifier (#493)

added tests for new JS eval rewriting regex tweaks
---
 pywb/rewrite/regex_rewriters.py           |  4 ++--
 pywb/rewrite/test/test_regex_rewriters.py | 16 ++++++++++++++++
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/pywb/rewrite/regex_rewriters.py b/pywb/rewrite/regex_rewriters.py
index 29bb7d9c..2bcf42d9 100644
--- a/pywb/rewrite/regex_rewriters.py
+++ b/pywb/rewrite/regex_rewriters.py
@@ -103,9 +103,9 @@ if (thisObj && thisObj._WB_wombat_obj_proxy) return thisObj._WB_wombat_obj_proxy
 
         rules = [
             # rewriting 'eval(....)' - invocation
-            (r'\beval\s*\(', self.add_prefix('WB_wombat_runEval(function _____evalIsEvil(_______eval_arg$$) { return eval(_______eval_arg$$); }.bind(this)).'), 0),
+            (r'(?<![$])\beval\s*\(', self.add_prefix('WB_wombat_runEval(function _____evalIsEvil(_______eval_arg$$) { return eval(_______eval_arg$$); }.bind(this)).'), 0),
             # rewriting 'x = eval' - no invocation
-            (r'\beval\b', self.add_prefix('WB_wombat_'), 0),
+            (r'(?<![$])\beval\b', self.add_prefix('WB_wombat_'), 0),
             (r'(?<=\.)postMessage\b\(', self.add_prefix('__WB_pmw(self).'), 0),
             (r'(?<![$.])\s*location\b\s*[=]\s*(?![=])', self.add_suffix(check_loc), 0),
             # rewriting 'return this'
diff --git a/pywb/rewrite/test/test_regex_rewriters.py b/pywb/rewrite/test/test_regex_rewriters.py
index ecb927e4..786b9fd8 100644
--- a/pywb/rewrite/test/test_regex_rewriters.py
+++ b/pywb/rewrite/test/test_regex_rewriters.py
@@ -212,7 +212,23 @@ r"""
 >>> _test_js_obj_proxy(r'this. location = http://example.com/')
 'this. location = ((self.__WB_check_loc && self.__WB_check_loc(location)) || {}).href = http://example.com/'
 
+>>> _test_js_obj_proxy('eval(a)')
+'WB_wombat_runEval(function _____evalIsEvil(_______eval_arg$$) { return eval(_______eval_arg$$); }.bind(this)).eval(a)'
 
+>>> _test_js_obj_proxy('this.$eval(a)')
+'this.$eval(a)'
+
+>>> _test_js_obj_proxy('x = this.$eval; x(a);')
+'x = this.$eval; x(a);'
+
+>>> _test_js_obj_proxy('x = eval; x(a);')
+'x = WB_wombat_eval; x(a);'
+
+>>> _test_js_obj_proxy('$eval = eval; $eval(a);')
+'$eval = WB_wombat_eval; $eval(a);'
+
+>>> _test_js_obj_proxy('window.eval(a);')
+'window.WB_wombat_runEval(function _____evalIsEvil(_______eval_arg$$) { return eval(_______eval_arg$$); }.bind(this)).eval(a);'
 
 #=================================================================
 # XML Rewriting