Escape characters in scriptlet arguments

ghostery · Nov 9, 2023 · 0d7eee6 · 0d7eee6
1 parent 0fdf598
commit 0d7eee6
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 11 deletions.
diff --git a/packages/adblocker/package.json b/packages/adblocker/package.json
@@ -29,7 +29,7 @@
     "bundle": "tsc --build ./tsconfig.bundle.json && rollup --config ./rollup.config.ts --configPlugin typescript",
     "prepack": "yarn run bundle",
     "test": "nyc mocha --config ../../.mocharc.js",
-    "dev": "mocha --config ../../.mocharc.js --watch -f 'scriptlets arguments parsing'",
+    "dev": "mocha --config ../../.mocharc.js --watch",
     "bench-metadata": "ts-node --project ./tools/tsconfig.json ./tools/bench-metadata.ts",
     "bump-internal-engine-version": "ts-node --project ./tools/tsconfig.json ./tools/auto-bump-engine-version.ts",
     "generate-codebooks": "concurrently -n build: \"yarn:codebook-*\" && yarn bump-internal-engine-version",

diff --git a/packages/adblocker/src/filters/cosmetic.ts b/packages/adblocker/src/filters/cosmetic.ts
@@ -791,7 +791,9 @@ export default class CosmeticFilter implements IFilter {
     let script = js.get(name);
     if (script !== undefined) {
       for (let i = 0; i < args.length; i += 1) {
-        script = script.replace(`{{${i + 1}}}`, args[i]);
+        // escape some characters so they wont get evaluated with escape during script injection
+        const arg = args[i].replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+        script = script.replace(`{{${i + 1}}}`, arg);
       }
 
       return script;

diff --git a/packages/adblocker/test/parsing.test.ts b/packages/adblocker/test/parsing.test.ts
@@ -1855,16 +1855,58 @@ describe('Cosmetic filters', () => {
   //   expect(CosmeticFilter.parse('###.selector /invalid/')).to.be.null;
   // });
 
-  it('#getScript', () => {
-    const parsed = CosmeticFilter.parse('foo.com##+js(script.js, arg1, arg2, arg3)');
-    expect(parsed).not.to.be.null;
-    if (parsed !== null) {
-      expect(parsed.getScript(new Map([['script.js', '{{1}},{{2}},{{3}}']]))).to.equal(
-        'arg1,arg2,arg3',
-      );
+  describe('#getScript', () => {
+    const simpleScriptlet = CosmeticFilter.parse('foo.com##+js(script.js, arg1, arg2, arg3)');
 
-      expect(parsed.getScript(new Map())).to.be.undefined;
-    }
+    it('returns undefined if script does not exist', () => {
+      expect(simpleScriptlet?.getScript(new Map())).to.be.undefined;
+    });
+
+    it('returns a script if one exists', () => {
+      expect(simpleScriptlet?.getScript(new Map([['script.js', 'test']]))).to.equal('test');
+    });
+
+    context('with arguments', () => {
+      it('inject values', () => {
+        expect(simpleScriptlet?.getScript(new Map([['script.js', '{{1}},{{2}},{{3}}']]))).to.equal(
+          'arg1,arg2,arg3',
+        );
+      });
+
+      it('escapes special characters', () => {
+        for (const character of [
+          '.',
+          '*',
+          '+',
+          '?',
+          '^',
+          '$',
+          '{',
+          '}',
+          '(',
+          ')',
+          '|',
+          '[',
+          ']',
+          '\\',
+        ]) {
+          const scriptlet = CosmeticFilter.parse(`foo.com##+js(script.js, ${character})`);
+          expect(scriptlet?.getScript(new Map([['script.js', '{{1}}']]))).to.equal(
+            `\\${character}`,
+          );
+        }
+      });
+
+      it('handles complex cases', () => {
+        for (const example of [
+          [String.raw`'\(a\)'`, String.raw`\\\(a\\\)`],
+          [String.raw`foo\*`, String.raw`foo\\\*`],
+        ]) {
+          const scriptlet = CosmeticFilter.parse(`foo.com##+js(script.js, ${example[0]})`);
+          expect(scriptlet?.getScript(new Map([['script.js', '{{1}}']]))).to.equal(example[1]);
+        }
+      });
+    });
   });
 
   describe('#getTokens', () => {