readmeio · erunion · Jun 16, 2023 · Apr 26, 2022 · May 13, 2022 · May 13, 2022
@@ -160,13 +160,15 @@ There are some major differences between this library and the [httpsnippet](http
 * Does not do any HAR schema validation. It's just assumed that the HAR you're supplying to the library is already valid.
 * The main `HTTPSnippet` export contains an `options` argument for an `harIsAlreadyEncoded` option for disabling [escaping](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURIComponent) of cookies and query strings in URLs.
   * We added this because all HARs that we interact with already have this data escaped and this option prevents them from being double encoded, thus corrupting the data.
+* Does not support the `insecureSkipVerify` option on `go:native`, `node:native`, `ruby:native`, and `shell:curl` as we don't want snippets generated for our users to bypass SSL certificate verification.
 * Node
   * `fetch`
-    * Body payloads are treated as an object literal and wrapped within `JSON.stringify()`. We do this to keep those targets looking nicer with those kinds of payloads. This also applies to the JS `fetch` target as wel.
+    * Body payloads are treated as an object literal and wrapped within `JSON.stringify()`. We do this to keep those targets looking nicer with those kinds of payloads. This also applies to the JS `fetch` target as well.
   * `request`
     * Does not provide query string parameters in a `params` argument due to complexities with query encoding.
-* PHP → `guzzle`
-  * Snippets have `require_once('vendor/autoload.php');` prefixed at the top.
+* PHP
+  * `guzzle`
+    * Snippets have `require_once('vendor/autoload.php');` prefixed at the top.
 * Python
   * `python3`
     * Does not ship this client due to its incompatibility with being able to support file uploads.

@@ -18,7 +18,7 @@ module.exports = {
           ],
           postData: {
             mimeType: 'application/json',
-            text: '{"number":1,"string":"f\\"oo","arr":[1,2,3],"nested":{"a":"b"},"arr_mix":[1,"a",{"arr_mix_nested":{}}],"boolean":false}',
+            text: '{"number":1,"string":"f\\"oo","arr":[1,2,3],"nested":{"a":"b"},"arr_mix":[1,"a",{"arr_mix_nested":[]}],"boolean":false}',
           },
         },
         response: {
@@ -36,7 +36,7 @@ module.exports = {
             mimeType: 'application/json',
             text: JSON.stringify({
               args: {},
-              data: '{\n  "number": 1,\n  "string": "f\\"oo",\n  "arr": [\n    1,\n    2,\n    3\n  ],\n  "nested": {\n    "a": "b"\n  },\n  "arr_mix": [\n    1,\n    "a",\n    {\n      "arr_mix_nested": {}\n    }\n  ],\n  "boolean": false\n}',
+              data: '{\n  "number": 1,\n  "string": "f\\"oo",\n  "arr": [\n    1,\n    2,\n    3\n  ],\n  "nested": {\n    "a": "b"\n  },\n  "arr_mix": [\n    1,\n    "a",\n    {\n      "arr_mix_nested": []\n    }\n  ],\n  "boolean": false\n}',
               files: {},
               form: {},
               headers: {
@@ -48,7 +48,7 @@ module.exports = {
                   1,
                   'a',
                   {
-                    arr_mix_nested: {},
+                    arr_mix_nested: [],
                   },
                 ],
                 boolean: false,

@@ -23,6 +23,10 @@ module.exports = {
               name: 'x-bar',
               value: 'Foo',
             },
+            {
+              name: 'quoted-value',
+              value: '"quoted" \'string\'',
+            },
           ],
         },
         response: {

@@ -0,0 +1,27 @@
+import { escapeString } from './escape';
+
+describe('Escape methods', () => {
+  describe('escapeString', () => {
+    it('does nothing to a safe string', () => {
+      expect(escapeString('hello world')).toBe('hello world');
+    });
+
+    it('escapes double quotes by default', () => {
+      expect(escapeString('"hello world"')).toBe('\\"hello world\\"');
+    });
+
+    it('escapes newlines by default', () => {
+      expect(escapeString('hello\r\nworld')).toBe('hello\\r\\nworld');
+    });
+
+    it('escapes backslashes', () => {
+      expect(escapeString('hello\\world')).toBe('hello\\\\world');
+    });
+
+    it('escapes unrepresentable characters', () => {
+      expect(
+        escapeString('hello \u0000') // 0 = ASCII 'null' character
+      ).toBe('hello \\u0000');
+    });
+  });
+});
@@ -0,0 +1,91 @@
+export interface EscapeOptions {
+  /**
+   * The delimiter that will be used to wrap the string (and so must be escaped
+   * when used within the string).
+   * Defaults to "
+   */
+  delimiter?: string;
+
+  /**
+   * The char to use to escape the delimiter and other special characters.
+   * Defaults to \
+   */
+  escapeChar?: string;
+
+  /**
+   * Whether newlines (\n and \r) should be escaped within the string.
+   * Defaults to true.
+   */
+  escapeNewlines?: boolean;
+}
+
+/**
+ * Escape characters within a value to make it safe to insert directly into a
+ * snippet. Takes options which define the escape requirements.
+ *
+ * This is closely based on the JSON-stringify string serialization algorithm,
+ * but generalized for other string delimiters (e.g. " or ') and different escape
+ * characters (e.g. Powershell uses `)
+ *
+ * See https://tc39.es/ecma262/multipage/structured-data.html#sec-quotejsonstring
+ * for the complete original algorithm.
+ */
+export function escapeString(rawValue: any, options: EscapeOptions = {}) {
+  const { delimiter = '"', escapeChar = '\\', escapeNewlines = true } = options;
+
+  const stringValue = rawValue.toString();
+
+  return [...stringValue]
+    .map(c => {
+      if (c === '\b') {
+        return `${escapeChar}b`;
+      } else if (c === '\t') {
+        return `${escapeChar}t`;
+      } else if (c === '\n') {
+        if (escapeNewlines) {
+          return `${escapeChar}n`;
+        }
+
+        return c; // Don't just continue, or this is caught by < \u0020
+      } else if (c === '\f') {
+        return `${escapeChar}f`;
+      } else if (c === '\r') {
+        if (escapeNewlines) {
+          return `${escapeChar}r`;
+        }
+
+        return c; // Don't just continue, or this is caught by < \u0020
+      } else if (c === escapeChar) {
+        return escapeChar + escapeChar;
+      } else if (c === delimiter) {
+        return escapeChar + delimiter;
+      } else if (c < '\u0020' || c > '\u007E') {
+        // Delegate the trickier non-ASCII cases to the normal algorithm. Some of these
+        // are escaped as \uXXXX, whilst others are represented literally. Since we're
+        // using this primarily for header values that are generally (though not 100%
+        // strictly?) ASCII-only, this should almost never happen.
+        return JSON.stringify(c).slice(1, -1);
+      }
+
+      return c;
+    })
+    .join('');
+}
+
+/**
+ * Make a string value safe to insert literally into a snippet within single quotes,
+ * by escaping problematic characters, including single quotes inside the string,
+ * backslashes, newlines, and other special characters.
+ *
+ * If value is not a string, it will be stringified with .toString() first.
+ */
+export const escapeForSingleQuotes = (value: any) => escapeString(value, { delimiter: "'" });
+
+/**
+ * Make a string value safe to insert literally into a snippet within double quotes,
+ * by escaping problematic characters, including double quotes inside the string,
+ * backslashes, newlines, and other special characters.
+ *
+ * If value is not a string, it will be stringified with .toString() first.
+ */
+export const escapeForDoubleQuotes = (value: any) => escapeString(value, { delimiter: '"' });
@@ -97,7 +97,7 @@ availableTargets()
   .filter(target => target.cli)
   .filter(testFilter('key', environmentFilter()))
   .forEach(({ key: targetId, cli: targetCLI, title, extname: fixtureExtension, clients }) => {
-    describe(`${title} integration tests`, () => {
+    (process.env.NODE_ENV === 'test' ? describe.skip : describe)(`${title} integration tests`, () => {
       clients.filter(testFilter('key', clientFilter(targetId))).forEach(({ key: clientId }) => {
         // If we're in an HTTPBin-powered Docker environment we only want to run tests for the
         // client that our Docker has been configured for.

@@ -1,6 +1,7 @@
 import type { Client } from '../../targets';
 
 import { CodeBuilder } from '../../../helpers/code-builder';
+import { escapeForDoubleQuotes } from '../../../helpers/escape';
 
 export const libcurl: Client = {
   info: {
@@ -26,7 +27,7 @@ export const libcurl: Client = {
       push('struct curl_slist *headers = NULL;');
 
       headers.forEach(header => {
-        push(`headers = curl_slist_append(headers, "${header}: ${headersObj[header]}");`);
+        push(`headers = curl_slist_append(headers, "${header}: ${escapeForDoubleQuotes(headersObj[header])}");`);
       });
 
       push('curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);');

@@ -7,6 +7,6 @@ struct curl_slist *headers = NULL;
 headers = curl_slist_append(headers, "content-type: application/json");
 curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);
 
-curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"number\":1,\"string\":\"f\\\"oo\",\"arr\":[1,2,3],\"nested\":{\"a\":\"b\"},\"arr_mix\":[1,\"a\",{\"arr_mix_nested\":{}}],\"boolean\":false}");
+curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"number\":1,\"string\":\"f\\\"oo\",\"arr\":[1,2,3],\"nested\":{\"a\":\"b\"},\"arr_mix\":[1,\"a\",{\"arr_mix_nested\":[]}],\"boolean\":false}");
 
 CURLcode ret = curl_easy_perform(hnd);
@@ -7,6 +7,7 @@ struct curl_slist *headers = NULL;
 headers = curl_slist_append(headers, "accept: application/json");
 headers = curl_slist_append(headers, "x-foo: Bar");
 headers = curl_slist_append(headers, "x-bar: Foo");
+headers = curl_slist_append(headers, "quoted-value: \"quoted\" 'string'");
 curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);
 
 CURLcode ret = curl_easy_perform(hnd);
@@ -5,5 +5,5 @@
                                                            :string "f\"oo"
                                                            :arr [1 2 3]
                                                            :nested {:a "b"}
-                                                           :arr_mix [1 "a" {:arr_mix_nested {}}]
+                                                           :arr_mix [1 "a" {:arr_mix_nested []}]
                                                            :boolean false}})
@@ -1,5 +1,6 @@
 (require '[clj-http.client :as client])
 
 (client/get "https://httpbin.org/headers" {:headers {:x-foo "Bar"
-                                                     :x-bar "Foo"}
+                                                     :x-bar "Foo"
+                                                     :quoted-value "\"quoted\" 'string'"}
                                            :accept :json})
@@ -2,6 +2,7 @@ import type { Request } from '../../..';
 import type { Client } from '../../targets';
 
 import { CodeBuilder } from '../../../helpers/code-builder';
+import { escapeForDoubleQuotes } from '../../../helpers/escape';
 import { getHeader } from '../../../helpers/headers';
 
 const getDecompressionMethods = (allHeaders: Request['allHeaders']) => {
@@ -103,7 +104,7 @@ export const httpclient: Client = {
       push('Headers =', 1);
       push('{', 1);
       headers.forEach(key => {
-        push(`{ "${String(key)}", "${allHeaders[key]}" },`, 2);
+        push(`{ "${key}", "${escapeForDoubleQuotes(allHeaders[key])}" },`, 2);
       });
       push('},', 1);
     }

@@ -4,7 +4,7 @@
 {
     Method = HttpMethod.Post,
     RequestUri = new Uri("https://httpbin.org/anything"),
-    Content = new StringContent("{\"number\":1,\"string\":\"f\\\"oo\",\"arr\":[1,2,3],\"nested\":{\"a\":\"b\"},\"arr_mix\":[1,\"a\",{\"arr_mix_nested\":{}}],\"boolean\":false}")
+    Content = new StringContent("{\"number\":1,\"string\":\"f\\\"oo\",\"arr\":[1,2,3],\"nested\":{\"a\":\"b\"},\"arr_mix\":[1,\"a\",{\"arr_mix_nested\":[]}],\"boolean\":false}")
     {
         Headers =
         {

@@ -9,6 +9,7 @@
         { "accept", "application/json" },
         { "x-foo", "Bar" },
         { "x-bar", "Foo" },
+        { "quoted-value", "\"quoted\" 'string'" },
     },
 };
 using (var response = await client.SendAsync(request))

@@ -1,6 +1,7 @@
 import type { Client } from '../../targets';
 
 import { CodeBuilder } from '../../../helpers/code-builder';
+import { escapeForDoubleQuotes } from '../../../helpers/escape';
 import { getHeader } from '../../../helpers/headers';
 
 export const restsharp: Client = {
@@ -26,7 +27,7 @@ export const restsharp: Client = {
     // Add headers, including the cookies
 
     Object.keys(headersObj).forEach(key => {
-      push(`request.AddHeader("${key}", "${headersObj[key]}");`);
+      push(`request.AddHeader("${key}", "${escapeForDoubleQuotes(headersObj[key])}");`);
     });
 
     cookies.forEach(({ name, value }) => {

@@ -1,5 +1,5 @@
 var client = new RestClient("https://httpbin.org/anything");
 var request = new RestRequest(Method.POST);
 request.AddHeader("content-type", "application/json");
-request.AddParameter("application/json", "{\"number\":1,\"string\":\"f\\\"oo\",\"arr\":[1,2,3],\"nested\":{\"a\":\"b\"},\"arr_mix\":[1,\"a\",{\"arr_mix_nested\":{}}],\"boolean\":false}", ParameterType.RequestBody);
+request.AddParameter("application/json", "{\"number\":1,\"string\":\"f\\\"oo\",\"arr\":[1,2,3],\"nested\":{\"a\":\"b\"},\"arr_mix\":[1,\"a\",{\"arr_mix_nested\":[]}],\"boolean\":false}", ParameterType.RequestBody);
 IRestResponse response = client.Execute(request);
@@ -3,4 +3,5 @@
 request.AddHeader("accept", "application/json");
 request.AddHeader("x-foo", "Bar");
 request.AddHeader("x-bar", "Foo");
+request.AddHeader("quoted-value", "\"quoted\" 'string'");
 IRestResponse response = client.Execute(request);