
Eval Rewriting + Scope Fix (#668)

* eval fix: instead of rewriting to 'WB_wombat_eval', rewrite to 'self.eval' for non-top-level eval
the wombat object will handle rewriting the eval arg on 'self.eval'
tighten rewriting for top-level 'eval', add additional tests
part of fix for #663

* rewrite wrap: add extra {, } to avoid collisions, as suggested in webrecorder/wombat#72
eval rewrite: exclude ',eval' as more likely than not causing a false positive, as per #643

* update to latest wombat 3.3.0 with corresponding fixes
This commit is contained in:
Ilya Kreymer 2021-08-11 18:45:54 -07:00 committed by GitHub
parent b2a460c33c
commit b28c8f1748
5 changed files with 35 additions and 13 deletions


@ -13,8 +13,8 @@ class RxRules(object):
return string.replace("https", "http") return string.replace("https", "http")
@staticmethod @staticmethod
def replace_str(replacer): def replace_str(replacer, match='this'):
return lambda x, _: x.replace('this', replacer) return lambda x, _: x.replace(match, replacer)
@staticmethod @staticmethod
def format(template): def format(template):
@ -100,10 +100,10 @@ if (!self.__WB_pmw) {{ self.__WB_pmw = function(obj) {{ this.__WB_source = obj;
prop_str = '|'.join(self.local_objs) prop_str = '|'.join(self.local_objs)
rules = [ rules = [
# rewriting 'eval(....)' - invocation # rewriting 'eval(...)' - invocation
(r'(?<![$])\beval\s*\(', self.add_prefix('WB_wombat_runEval(function _____evalIsEvil(_______eval_arg$$) { return eval(_______eval_arg$$); }.bind(this)).'), 0), (r'(?<!function\s)(?:^|[^,$])eval\s*\(', self.replace_str('WB_wombat_runEval(function _____evalIsEvil(_______eval_arg$$) { return eval(_______eval_arg$$); }.bind(this)).eval', 'eval'), 0),
# rewriting 'x = eval' - no invocation # rewriting 'x = eval' - no invocation
(r'(?<![$])\beval\b', self.add_prefix('WB_wombat_'), 0), (r'(?<=[=,])\s*\beval\b\s*(?![(:.$])', self.replace_str('self.eval', 'eval'), 0),
(r'(?<=\.)postMessage\b\(', self.add_prefix('__WB_pmw(self).'), 0), (r'(?<=\.)postMessage\b\(', self.add_prefix('__WB_pmw(self).'), 0),
(r'(?<![$.])\s*location\b\s*[=]\s*(?![=])', self.add_suffix(check_loc), 0), (r'(?<![$.])\s*location\b\s*[=]\s*(?![=])', self.add_suffix(check_loc), 0),
# rewriting 'return this' # rewriting 'return this'
@ -122,9 +122,9 @@ if (!self.__WB_pmw) {{ self.__WB_pmw = function(obj) {{ this.__WB_source = obj;
super(JSWombatProxyRules, self).__init__(rules) super(JSWombatProxyRules, self).__init__(rules)
self.first_buff = local_init_func + local_declares + '\n\n' self.first_buff = local_init_func + local_declares + '\n\n{'
self.last_buff = '\n\n}' self.last_buff = '\n\n}}'
# ================================================================= # =================================================================
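Review bot: The new invocation pattern `(?<!function\s)(?:^|[^,$])eval\s*\(` drops the `\b` that the old `(?<![$])\beval\s*\(` had, so any identifier that merely ends in `eval` (`myeval(`, `_eval(`) is now matched via the consumed `[^,$]` prefix character and rewritten, and `.` also satisfies `[^,$]` even though this commit's doctests expect `window.eval(a)` to stay untouched (unless a rule outside the hunk consumes the dot first, which is not visible here). A pure lookbehind fixes both and stops consuming the prefix character, so `replace_str` only ever sees `eval(`: `(r'(?<!function\s)(?<![,$.\w])eval\s*\(', self.replace_str('WB_wombat_runEval(function _____evalIsEvil(_______eval_arg$$) { return eval(_______eval_arg$$); }.bind(this)).eval', 'eval'), 0),`. A doctest such as `_test_js_obj_proxy('myeval(a)')` expecting `'myeval(a)'` in the test file of this commit would pin that boundary, since an unintended rewrite of a page's own helper breaks replay and an unrewritten `eval` escapes wombat. The enclosing `__init__` starts before the first hunk and continues after the last one shown.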


@ -218,6 +218,9 @@ r"""
>>> _test_js_obj_proxy('eval(a)') >>> _test_js_obj_proxy('eval(a)')
'WB_wombat_runEval(function _____evalIsEvil(_______eval_arg$$) { return eval(_______eval_arg$$); }.bind(this)).eval(a)' 'WB_wombat_runEval(function _____evalIsEvil(_______eval_arg$$) { return eval(_______eval_arg$$); }.bind(this)).eval(a)'
>>> _test_js_obj_proxy(',eval(a)')
',eval(a)'
>>> _test_js_obj_proxy('this.$eval(a)') >>> _test_js_obj_proxy('this.$eval(a)')
'this.$eval(a)' 'this.$eval(a)'
@ -225,13 +228,32 @@ r"""
'x = this.$eval; x(a);' 'x = this.$eval; x(a);'
>>> _test_js_obj_proxy('x = eval; x(a);') >>> _test_js_obj_proxy('x = eval; x(a);')
'x = WB_wombat_eval; x(a);' 'x = self.eval; x(a);'
>>> _test_js_obj_proxy('$eval = eval; $eval(a);') >>> _test_js_obj_proxy('$eval = eval; $eval(a);')
'$eval = WB_wombat_eval; $eval(a);' '$eval = self.eval; $eval(a);'
>>> _test_js_obj_proxy('foo(a, eval(data));')
'foo(a, WB_wombat_runEval(function _____evalIsEvil(_______eval_arg$$) { return eval(_______eval_arg$$); }.bind(this)).eval(data));'
>>> _test_js_obj_proxy('function eval() {}')
'function eval() {}'
>>> _test_js_obj_proxy('window.eval(a);') >>> _test_js_obj_proxy('window.eval(a);')
'window.WB_wombat_runEval(function _____evalIsEvil(_______eval_arg$$) { return eval(_______eval_arg$$); }.bind(this)).eval(a);' 'window.eval(a);'
>>> _test_js_obj_proxy('x = window.eval; x(a);')
'x = window.eval; x(a);'
>>> _test_js_obj_proxy('obj = { eval : 1 }')
'obj = { eval : 1 }'
>>> _test_js_obj_proxy('x = obj.eval')
'x = obj.eval'
>>> _test_js_obj_proxy('x = obj.eval(a)')
'x = obj.eval(a)'
#================================================================= #=================================================================
# XML Rewriting # XML Rewriting
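Review bot: The non-invocation rule is narrowed to `(?<=[=,])\s*\beval\b\s*(?![(:.$])`, so a bare `eval` that follows `(`, `return` or `[` (for example `setTimeout(eval, 0)` or `return eval`) is no longer rewritten to `self.eval` as it was by the old `(?<![$])\beval\b`, but none of the added doctests record that; the narrowing is therefore silent in the test record. Adding `>>> _test_js_obj_proxy('setTimeout(eval, 0)')` with the output the current rules produce (on the visible rules, the unchanged `'setTimeout(eval, 0)'`) and a matching `return eval` case would make the aliases that bypass the wombat `self.eval` handling explicit for whoever tightens the rule later. The enclosing `r"""` doctest block starts before this hunk.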


@ -107,7 +107,7 @@ function fetchDone() {
} }
function fetchErrored(err) { function fetchErrored(err) {
console.warn("Fetch Failed: " + err); console.warn('Fetch Failed: ' + err);
fetchDone(); fetchDone();
} }


wombat

@ -1 +1 @@
Subproject commit 7e39214b6635d70930a15a911744176caceef644 Subproject commit 4edfa768fd20195644e6bff96c52aa0f50baa21f