Prevent escaping in query parameter bindings

packages/server/src/integrations/rest.ts

@@ -48,7 +48,10 @@ module RestModule {
   const { performance } = require("perf_hooks")
   const FormData = require("form-data")
   const { URLSearchParams } = require("url")
-  const { parseStringPromise: xmlParser, Builder: XmlBuilder } = require("xml2js")
+  const {
+    parseStringPromise: xmlParser,
+    Builder: XmlBuilder,
+  } = require("xml2js")
 
   const SCHEMA: Integration = {
     docs: "https://github.com/node-fetch/node-fetch",
@@ -211,7 +214,7 @@ module RestModule {
           break
         case BodyTypes.XML:
           if (object != null) {
-            string = (new XmlBuilder()).buildObject(object)
+            string = new XmlBuilder().buildObject(object)
           }
           input.body = string
           input.headers["Content-Type"] = "application/xml"

packages/server/src/threads/utils.js

@@ -8,6 +8,9 @@ const { processStringSync } = require("@budibase/string-templates")
 const VARIABLE_TTL_SECONDS = 3600
 let client
 
+const IS_TRIPLE_BRACE = new RegExp(/^{{3}.*}{3}$/)
+const IS_HANDLEBARS = new RegExp(/^{{2}.*}{2}$/)
+
 async function getClient() {
   if (!client) {
     client = await new redis.Client(redis.utils.Databases.QUERY_VARS).init()
@@ -90,7 +93,12 @@ exports.enrichQueryFields = (fields, parameters = {}) => {
       enrichedQuery[key] = this.enrichQueryFields(fields[key], parameters)
     } else if (typeof fields[key] === "string") {
       // enrich string value as normal
-      enrichedQuery[key] = processStringSync(fields[key], parameters, {
+      let value = fields[key]
+      // add triple brace to avoid escaping e.g. '=' in cookie header
+      if (IS_HANDLEBARS.test(value) && !IS_TRIPLE_BRACE.test(value)) {
+        value = `{${value}}`
+      }
+      enrichedQuery[key] = processStringSync(value, parameters, {
         noHelpers: true,
       })
     } else {