From e6d8b81ac4610094e694a1c88b8906a16662cfb8 Mon Sep 17 00:00:00 2001
From: Rory Powell
Date: Tue, 21 Dec 2021 13:48:54 -0500
Subject: [PATCH] Prevent escaping in query parameter bindings

---
 packages/server/src/integrations/rest.ts | 7 +++++--
 packages/server/src/threads/utils.js | 10 +++++++++-
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/packages/server/src/integrations/rest.ts b/packages/server/src/integrations/rest.ts
index 1817f780d3..63d7795a6d 100644
--- a/packages/server/src/integrations/rest.ts
+++ b/packages/server/src/integrations/rest.ts
@@ -48,7 +48,10 @@ module RestModule {
 const { performance } = require("perf_hooks")
 const FormData = require("form-data")
 const { URLSearchParams } = require("url")
- const { parseStringPromise: xmlParser, Builder: XmlBuilder } = require("xml2js")
+ const {
+ parseStringPromise: xmlParser,
+ Builder: XmlBuilder,
+ } = require("xml2js")
 
 const SCHEMA: Integration = {
 docs: "https://github.com/node-fetch/node-fetch",
@@ -211,7 +214,7 @@ module RestModule {
 break
 case BodyTypes.XML:
 if (object != null) {
- string = (new XmlBuilder()).buildObject(object)
+ string = new XmlBuilder().buildObject(object)
 }
 input.body = string
 input.headers["Content-Type"] = "application/xml"
diff --git a/packages/server/src/threads/utils.js b/packages/server/src/threads/utils.js
index fee1e19b67..ffea596abd 100644
--- a/packages/server/src/threads/utils.js
+++ b/packages/server/src/threads/utils.js
@@ -8,6 +8,9 @@ const { processStringSync } = require("@budibase/string-templates")
 const VARIABLE_TTL_SECONDS = 3600
 let client
 
+const IS_TRIPLE_BRACE = new RegExp(/^{{3}.*}{3}$/)
+const IS_HANDLEBARS = new RegExp(/^{{2}.*}{2}$/)
+
 async function getClient() {
 if (!client) {
 client = await new redis.Client(redis.utils.Databases.QUERY_VARS).init()
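Review bot: `IS_HANDLEBARS` only checks that a string starts with `{{` and ends with `}}`, so a value holding more than one binding, e.g. `{{a}}={{b}}`, also matches and is wrapped in the following hunk to `{{{a}}={{b}}}`, which is malformed template syntax rather than an unescaped binding. Restricting the pattern to a single binding avoids that and also rejects triple braces on its own: `const IS_HANDLEBARS = /^{{2}[^{}]*}{2}$/`. The `new RegExp(/…/)` wrapper around a regex literal is redundant on both added lines; the literal is enough, `const IS_TRIPLE_BRACE = /^{{3}.*}{3}$/`. A one-line comment on why these patterns exist would help the next reader, e.g. `// a field that is exactly one {{binding}} is promoted to {{{binding}}} so the template engine does not HTML-escape the bound value`.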
@@ -90,7 +93,12 @@ exports.enrichQueryFields = (fields, parameters = {}) => {
 enrichedQuery[key] = this.enrichQueryFields(fields[key], parameters)
 } else if (typeof fields[key] === "string") {
 // enrich string value as normal
- enrichedQuery[key] = processStringSync(fields[key], parameters, {
+ let value = fields[key]
+ // add triple brace to avoid escaping e.g. '=' in cookie header
+ if (IS_HANDLEBARS.test(value) && !IS_TRIPLE_BRACE.test(value)) {
+ value = `{${value}}`
+ }
+ enrichedQuery[key] = processStringSync(value, parameters, {
 noHelpers: true,
 })
 } else {
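Review bot: The promotion to triple braces applies to every string-typed field whose whole value is a binding, not only the cookie header the comment names, so wherever these enriched fields are later placed (URL, query string, body, other headers) the bound value now arrives with no HTML escaping at all. That is the intent of the change, but it means any encoding a destination needs, for instance `encodeURIComponent` for URL or query components, has to be applied where the request is assembled, which is outside this hunk and I cannot confirm from here. The comment could state that contract: `// a field that is exactly one {{binding}} becomes {{{binding}}} so values such as '=' in a cookie header are not HTML-escaped; the raw parameter value is passed through unchanged`. The enclosing enrichQueryFields function starts and ends outside the hunk.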