dependency: update to latest wombat (3.3.7) (#763)

eval: switch to new eval rewriting which catches global scope rxrewriting: remove lookbehind check so that 'return eval(...)' can be rewritten tests: add additional eval tests bump to 2.6.9
webrecorder · Sep 29, 2022 · 98378a8 · 98378a8
1 parent 6e7a8b1
commit 98378a8
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 12 deletions.
diff --git a/pywb/rewrite/regex_rewriters.py b/pywb/rewrite/regex_rewriters.py
@@ -16,6 +16,19 @@ def remove_https(string, _):
     def replace_str(replacer, match='this'):
         return lambda x, _: x.replace(match, replacer)
 
+    @staticmethod
+    def replace_prefix_from(prefix, match):
+        def do_replace(x, _):
+            start = x.find(match)
+            if start == 0:
+                return prefix
+            if start > 0:
+                return x[:start] + prefix
+            return x
+
+        return do_replace
+
+
     @staticmethod
     def format(template):
         return lambda string, _: template.format(string)
@@ -42,7 +55,7 @@ def compile_rules(rules):
         regex_str = '|'.join(['(' + rx + ')' for rx, op, count in rules])
 
         # ensure it's not middle of a word, wrap in non-capture group
-        regex_str = '(?<!\w)(?:' + regex_str + ')'
+        regex_str = '(?:' + regex_str + ')'
 
         return re.compile(regex_str, re.M)
 
@@ -84,7 +97,7 @@ def __init__(self):
 
         check_loc = '((self.__WB_check_loc && self.__WB_check_loc(location, arguments)) || {}).href = '
 
-        eval_str = 'WB_wombat_runEval(function _____evalIsEvil(_______eval_arg$$) { return eval(_______eval_arg$$); }.bind(this)).eval'
+        eval_str = 'WB_wombat_runEval2((_______eval_arg, isGlobal) => { var ge = eval; return isGlobal ? ge(_______eval_arg) : eval(_______eval_arg); }).eval(this, (function() { return arguments })(),'
 
         self.local_objs = [
             'window',
@@ -104,15 +117,15 @@ def __init__(self):
 
         rules = [
             # rewriting 'eval(...)' - invocation
-            (r'(?<!function\s)(?:^|[^,$])\beval\s*\(', self.replace_str(eval_str, 'eval'), 0),
+            (r'(?<!function)(?:\s|^)\beval\s*\(', self.replace_prefix_from(eval_str, 'eval'), 0),
             # rewriting 'x = eval' - no invocation
             (r'(?<=[=,])\s*\beval\b\s*(?![(:.$])', self.replace_str('self.eval', 'eval'), 0),
             (r'(?<=\.)postMessage\b\(', self.add_prefix('__WB_pmw(self).'), 0),
-            (r'(?<![$.])\s*location\b\s*[=]\s*(?![=])', self.add_suffix(check_loc), 0),
+            (r'(?<![$.])\s*\blocation\b\s*[=]\s*(?![=])', self.add_suffix(check_loc), 0),
             # rewriting 'return this'
             (r'\breturn\s+this\b\s*(?![.$])', self.replace_str(this_rw), 0),
             # rewriting 'this.' special properties access on new line, with ; prepended
-            (r'(?<=[\n])\s*this\b(?=(?:\.(?:{0})\b))'.format(prop_str), self.replace_str(';' + this_rw), 0),
+            (r'\n\s*this\b(?=(?:\.(?:{0})\b))'.format(prop_str), self.replace_str(';' + this_rw), 0),
             # rewriting 'this.' special properties access, not on new line (no ;)
             (r'(?<![$.])\s*this\b(?=(?:\.(?:{0})\b))'.format(prop_str), self.replace_str(this_rw), 0),
             # rewrite '= this' or ', this'
@@ -346,7 +359,7 @@ class CSSRewriter(RegexRewriter):
 class XMLRules(RxRules):
     def __init__(self):
         rules = [
-            ('([A-Za-z:]+[\s=]+)?["\'\s]*(' +
+            ('(?<![\w])([A-Za-z:]+[\s=]+)?["\'\s]*(' +
              self.HTTPX_MATCH_STR + ')',
              self.archival_rewrite(), 2),
         ]

diff --git a/pywb/rewrite/test/test_regex_rewriters.py b/pywb/rewrite/test/test_regex_rewriters.py
@@ -216,7 +216,12 @@
 'this. location = ((self.__WB_check_loc && self.__WB_check_loc(location, arguments)) || {}).href = http://example.com/'
 
 >>> _test_js_obj_proxy('eval(a)')
-'WB_wombat_runEval(function _____evalIsEvil(_______eval_arg$$) { return eval(_______eval_arg$$); }.bind(this)).eval(a)'
+'WB_wombat_runEval2((_______eval_arg, isGlobal) => { var ge = eval; return isGlobal ? ge(_______eval_arg) : eval(_______eval_arg); }).eval(this, (function() { return arguments })(),a)'
+
+>>> _test_js_obj_proxy('abc eval(a)')
+'abc WB_wombat_runEval2((_______eval_arg, isGlobal) => { var ge = eval; return isGlobal ? ge(_______eval_arg) : eval(_______eval_arg); }).eval(this, (function() { return arguments })(),a)'
+
+
 
 >>> _test_js_obj_proxy(',eval(a)')
 ',eval(a)'
@@ -234,7 +239,7 @@
 '$eval = self.eval; $eval(a);'
 
 >>> _test_js_obj_proxy('foo(a, eval(data));')
-'foo(a, WB_wombat_runEval(function _____evalIsEvil(_______eval_arg$$) { return eval(_______eval_arg$$); }.bind(this)).eval(data));'
+'foo(a, WB_wombat_runEval2((_______eval_arg, isGlobal) => { var ge = eval; return isGlobal ? ge(_______eval_arg) : eval(_______eval_arg); }).eval(this, (function() { return arguments })(),data));'
 
 >>> _test_js_obj_proxy('function eval() {}')
 'function eval() {}'
@@ -362,7 +367,6 @@ def _test_xml(string):
 def _test_css(string):
     return CSSRewriter(urlrewriter).rewrite(string)
 
-
 if __name__ == "__main__":
     import doctest
     doctest.testmod()

diff --git a/pywb/static/wombat.js b/pywb/static/wombat.js
diff --git a/pywb/version.py b/pywb/version.py
@@ -1,4 +1,4 @@
-__version__ = '2.6.8'
+__version__ = '2.6.9'
 
 if __name__ == '__main__':
     print(__version__)
diff --git a/wombat b/wombat