From 511c6f79859a38e8c9da48744c11f267298ae772 Mon Sep 17 00:00:00 2001 From: John Berlin Date: Wed, 31 Jul 2019 18:03:42 -0400 Subject: [PATCH] ensured that the regular expressions for rewriting JavaScript eval usage do not match "$eval", only "eval" identifier (#493) added tests for new JS eval rewriting regex tweaks --- pywb/rewrite/regex_rewriters.py | 4 ++-- pywb/rewrite/test/test_regex_rewriters.py | 16 ++++++++++++++++ 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/pywb/rewrite/regex_rewriters.py b/pywb/rewrite/regex_rewriters.py index 29bb7d9c..2bcf42d9 100644 --- a/pywb/rewrite/regex_rewriters.py +++ b/pywb/rewrite/regex_rewriters.py @@ -103,9 +103,9 @@ if (thisObj && thisObj._WB_wombat_obj_proxy) return thisObj._WB_wombat_obj_proxy rules = [ # rewriting 'eval(....)' - invocation - (r'\beval\s*\(', self.add_prefix('WB_wombat_runEval(function _____evalIsEvil(_______eval_arg$$) { return eval(_______eval_arg$$); }.bind(this)).'), 0), + (r'(?>> _test_js_obj_proxy(r'this. location = http://example.com/') 'this. location = ((self.__WB_check_loc && self.__WB_check_loc(location)) || {}).href = http://example.com/' +>>> _test_js_obj_proxy('eval(a)') +'WB_wombat_runEval(function _____evalIsEvil(_______eval_arg$$) { return eval(_______eval_arg$$); }.bind(this)).eval(a)' +>>> _test_js_obj_proxy('this.$eval(a)') +'this.$eval(a)' + +>>> _test_js_obj_proxy('x = this.$eval; x(a);') +'x = this.$eval; x(a);' + +>>> _test_js_obj_proxy('x = eval; x(a);') +'x = WB_wombat_eval; x(a);' + +>>> _test_js_obj_proxy('$eval = eval; $eval(a);') +'$eval = WB_wombat_eval; $eval(a);' + +>>> _test_js_obj_proxy('window.eval(a);') +'window.WB_wombat_runEval(function _____evalIsEvil(_______eval_arg$$) { return eval(_______eval_arg$$); }.bind(this)).eval(a);' #================================================================= # XML Rewriting
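Review bot: The comment above the first entry in `rules` still reads only `# rewriting 'eval(....)' - invocation`, so nothing in regex_rewriters.py explains why the pattern no longer opens with a plain `\b`. The new pattern is cut off after `(?` in this view (presumably a negative lookbehind), and the reason for it is currently recorded only in the commit subject. I would add a comment such as `# '$' is a valid JS identifier character but not a regex word character, so \b alone also matches the 'eval' inside '$eval'`. This matters for the next person who edits the rule, since it is what routes replayed `eval` calls through `WB_wombat_runEval`; the `rules` list starts and ends outside the hunk.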
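Review bot: The added doctests cover a `$` in front of `eval` but never one behind it, so an identifier such as `eval$` is untested. `$` is not a regex word character, so if the bare-identifier rule still ends in `\b` (that rule is not readable in this view) it would turn `eval$` into `WB_wombat_eval$`. A case like `>>> _test_js_obj_proxy('x = eval$; x(a);')` expecting `'x = eval$; x(a);'` would pin this. The `window.eval(a);` case also shows that a member call is rewritten to `window.WB_wombat_runEval(...)`, so a matching case with a non-window receiver, for example `foo.eval(a)`, would document whether that output is intended.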