mirror of https://github.com/webrecorder/pywb.git synced 2025-03-15 00:03:28 +01:00

Eval Rewriting + Scope Fix (#668)

* eval fix: instead of rewriting to 'WB_wombat_eval', rewrite to 'self.eval' for non-top-level eval
the wombat object will handle rewriting the eval arg on 'self.eval'
tighten rewriting for top-level 'eval', add additional tests
part of fix for #663

* rewrite wrap: add extra {, } to avoid collisions, as suggested in webrecorder/wombat#72
eval rewrite: exclude ',eval' as more likely than not causing a false positive, as per #643

* update to latest wombat 3.3.0 with corresponding fixes
Ilya Kreymer 2021-08-11 18:45:54 -07:00 committed by GitHub
parent b2a460c33c
commit b28c8f1748
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 35 additions and 13 deletions


@ -13,8 +13,8 @@ class RxRules(object):
return string.replace("https", "http")
@staticmethod
def replace_str(replacer):
return lambda x, _: x.replace('this', replacer)
def replace_str(replacer, match='this'):
return lambda x, _: x.replace(match, replacer)
@staticmethod
def format(template):
@ -100,10 +100,10 @@ if (!self.__WB_pmw) {{ self.__WB_pmw = function(obj) {{ this.__WB_source = obj;
prop_str = '|'.join(self.local_objs)
rules = [
# rewriting 'eval(....)' - invocation
(r'(?<![$])\beval\s*\(', self.add_prefix('WB_wombat_runEval(function _____evalIsEvil(_______eval_arg$$) { return eval(_______eval_arg$$); }.bind(this)).'), 0),
# rewriting 'eval(...)' - invocation
(r'(?<!function\s)(?:^|[^,$])eval\s*\(', self.replace_str('WB_wombat_runEval(function _____evalIsEvil(_______eval_arg$$) { return eval(_______eval_arg$$); }.bind(this)).eval', 'eval'), 0),
# rewriting 'x = eval' - no invocation
(r'(?<![$])\beval\b', self.add_prefix('WB_wombat_'), 0),
(r'(?<=[=,])\s*\beval\b\s*(?![(:.$])', self.replace_str('self.eval', 'eval'), 0),
(r'(?<=\.)postMessage\b\(', self.add_prefix('__WB_pmw(self).'), 0),
(r'(?<![$.])\s*location\b\s*[=]\s*(?![=])', self.add_suffix(check_loc), 0),
# rewriting 'return this'
@ -122,9 +122,9 @@ if (!self.__WB_pmw) {{ self.__WB_pmw = function(obj) {{ this.__WB_source = obj;
super(JSWombatProxyRules, self).__init__(rules)
self.first_buff = local_init_func + local_declares + '\n\n'
self.first_buff = local_init_func + local_declares + '\n\n{'
self.last_buff = '\n\n}'
self.last_buff = '\n\n}}'
# =================================================================
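Review bot: The new `eval(...)` invocation pattern has no word boundary of its own: `[^,$]` accepts identifier characters and `.`, and `(?<!function\s)` is evaluated before that consumed character rather than directly before `eval`. The doctests updated in this commit still show `window.eval(a)` and `function eval() {}` passing through unchanged, so the boundary is presumably supplied by how the rules are combined outside this hunk; a call such as `this._eval(a)` or `foo().eval(a)` may still be rewritten and break the replayed script. Tightening the class to `(?:^|[^\w.,$])eval\s*\(` would make the rule self-contained and should not affect the cases the doctests cover. A short comment such as `# match consumes the char before 'eval', hence replace_str(..., 'eval') rather than add_prefix` would explain the change of helper. The rules list and its enclosing method start and end outside the hunk.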


@ -218,6 +218,9 @@ r"""
>>> _test_js_obj_proxy('eval(a)')
'WB_wombat_runEval(function _____evalIsEvil(_______eval_arg$$) { return eval(_______eval_arg$$); }.bind(this)).eval(a)'
>>> _test_js_obj_proxy(',eval(a)')
',eval(a)'
>>> _test_js_obj_proxy('this.$eval(a)')
'this.$eval(a)'
@ -225,13 +228,32 @@ r"""
'x = this.$eval; x(a);'
>>> _test_js_obj_proxy('x = eval; x(a);')
'x = WB_wombat_eval; x(a);'
'x = self.eval; x(a);'
>>> _test_js_obj_proxy('$eval = eval; $eval(a);')
'$eval = WB_wombat_eval; $eval(a);'
'$eval = self.eval; $eval(a);'
>>> _test_js_obj_proxy('foo(a, eval(data));')
'foo(a, WB_wombat_runEval(function _____evalIsEvil(_______eval_arg$$) { return eval(_______eval_arg$$); }.bind(this)).eval(data));'
>>> _test_js_obj_proxy('function eval() {}')
'function eval() {}'
>>> _test_js_obj_proxy('window.eval(a);')
'window.WB_wombat_runEval(function _____evalIsEvil(_______eval_arg$$) { return eval(_______eval_arg$$); }.bind(this)).eval(a);'
'window.eval(a);'
>>> _test_js_obj_proxy('x = window.eval; x(a);')
'x = window.eval; x(a);'
>>> _test_js_obj_proxy('obj = { eval : 1 }')
'obj = { eval : 1 }'
>>> _test_js_obj_proxy('x = obj.eval')
'x = obj.eval'
>>> _test_js_obj_proxy('x = obj.eval(a)')
'x = obj.eval(a)'
#=================================================================
# XML Rewriting
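Review bot: The added doctests pin `,eval(a)` as unchanged and `foo(a, eval(data));` as rewritten, but nothing records that the only difference between the two is the space after the comma. Minified code routinely writes `foo(a,eval(data))`, and going by the `,eval(a)` case that call is left unrewritten, so its argument would not go through the wombat eval wrapper. If that is the accepted trade-off from #643 it deserves its own case, e.g. `>>> _test_js_obj_proxy('foo(a,eval(data));')` with the expected output confirmed by running it. The no-invocation rule also fires after a comma, so an indirect call such as `(0, eval)(a)` is worth a doctest as well. The docstring holding these cases starts and ends outside the hunk.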


@ -107,7 +107,7 @@ function fetchDone() {
}
function fetchErrored(err) {
console.warn("Fetch Failed: " + err);
console.warn('Fetch Failed: ' + err);
fetchDone();
}

File diff suppressed because one or more lines are too long

2
wombat

@ -1 +1 @@
Subproject commit 7e39214b6635d70930a15a911744176caceef644
Subproject commit 4edfa768fd20195644e6bff96c52aa0f50baa21f