Add more escaping cases for header keys

Most examples already handle this correctly, just tweaks required for R
and HTTPie. I had assumed these were invalid header names, but
apparently that's not actually correct!

Author: pimterry

src/targets/r/httr.js

@@ -106,7 +106,12 @@ module.exports = function (source, options) {
   const otherHeaders = Object.entries(source.allHeaders)
     // These headers are all handled separately:
     .filter(([key]) => !['cookie', 'accept', 'content-type'].includes(key.toLowerCase()))
-    .map(([key, value]) => `${key.replace(/-/g, '_')} = '${escape(value, { delimiter: "'" })}'`)
+    .map(([key, value]) => {
+      const safeKey = key.match(/^[a-zA-Z][a-zA-Z0-9_.-]*$/)
+        ? key.replace(/-/g, '_')
+        : '"' + escape(key) + '"'
+      return `${safeKey} = '${escape(value, { delimiter: "'" })}'`
+    })
     .join(', ')
 
   const setHeaders = otherHeaders

src/targets/shell/httpie.js

@@ -90,7 +90,7 @@ module.exports = function (source, options) {
 
   // construct headers
   Object.keys(source.allHeaders).sort().forEach(function (key) {
-    code.push('%s:%s', key, shell.quote(source.allHeaders[key]))
+    code.push('%s:%s', shell.quote(key), shell.quote(source.allHeaders[key]))
   })
 
   if (source.postData.mimeType === 'application/x-www-form-urlencoded') {
@@ -109,7 +109,12 @@ module.exports = function (source, options) {
   code.unshift('http %s%s %s', flags.length ? flags.join(' ') + ' ' : '', source.method, shell.quote(opts.queryParams ? source.url : source.fullUrl))
 
   if (raw && source.postData.text) {
-    code.unshift('echo %s | ', shell.quote(source.postData.text))
+    if (source.postData.text.includes('\\')) {
+      // Printf handles escape characters more clearly & portably than echo
+      code.unshift("printf '%%s' %s | ", shell.quote(source.postData.text))
+    } else {
+      code.unshift('echo %s | ', shell.quote(source.postData.text))
+    }
   }
 
   return code.join()

test/fixtures/output/c/libcurl/malicious.c

@@ -4,11 +4,16 @@ curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
 curl_easy_setopt(hnd, CURLOPT_URL, "http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C");
 
 struct curl_slist *headers = NULL;
+headers = curl_slist_append(headers, "': squote-key-test");
 headers = curl_slist_append(headers, "squote-value-test: '");
 headers = curl_slist_append(headers, "dquote-value-test: \"");
+headers = curl_slist_append(headers, "`: backtick-key-test");
 headers = curl_slist_append(headers, "backtick-value-test: `");
+headers = curl_slist_append(headers, "$: dollar-key-test");
 headers = curl_slist_append(headers, "dollar-parenthesis-value-test: $(");
+headers = curl_slist_append(headers, "#: hash-key-test");
 headers = curl_slist_append(headers, "hash-brace-value-test: #{");
+headers = curl_slist_append(headers, "%: percent-key-test");
 headers = curl_slist_append(headers, "percent-parenthesis-value-test: %(");
 headers = curl_slist_append(headers, "percent-brace-value-test: %{");
 headers = curl_slist_append(headers, "double-brace-value-test: {{");

test/fixtures/output/clojure/clj_http/malicious.clj

@@ -1,10 +1,15 @@
 (require '[clj-http.client :as client])
 
-(client/post "http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//" {:headers {:squote-value-test "'"
+(client/post "http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//" {:headers {"'" "squote-key-test"
+                                                                            :squote-value-test "'"
                                                                             :dquote-value-test "\""
+                                                                            "`" "backtick-key-test"
                                                                             :backtick-value-test "`"
+                                                                            "$" "dollar-key-test"
                                                                             :dollar-parenthesis-value-test "$("
+                                                                            "#" "hash-key-test"
                                                                             :hash-brace-value-test "#{"
+                                                                            "%" "percent-key-test"
                                                                             :percent-parenthesis-value-test "%("
                                                                             :percent-brace-value-test "%{"
                                                                             :double-brace-value-test "{{"

test/fixtures/output/csharp/httpclient/malicious.cs

@@ -5,11 +5,16 @@
     RequestUri = new Uri("http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C"),
     Headers =
     {
+        { "'", "squote-key-test" },
         { "squote-value-test", "'" },
         { "dquote-value-test", "\"" },
+        { "`", "backtick-key-test" },
         { "backtick-value-test", "`" },
+        { "$", "dollar-key-test" },
         { "dollar-parenthesis-value-test", "$(" },
+        { "#", "hash-key-test" },
         { "hash-brace-value-test", "#{" },
+        { "%", "percent-key-test" },
         { "percent-parenthesis-value-test", "%(" },
         { "percent-brace-value-test", "%{" },
         { "double-brace-value-test", "{{" },

test/fixtures/output/csharp/restsharp/malicious.cs

@@ -1,10 +1,15 @@
 var client = new RestClient("http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C");
 var request = new RestRequest(Method.POST);
+request.AddHeader("'", "squote-key-test");
 request.AddHeader("squote-value-test", "'");
 request.AddHeader("dquote-value-test", "\"");
+request.AddHeader("`", "backtick-key-test");
 request.AddHeader("backtick-value-test", "`");
+request.AddHeader("$", "dollar-key-test");
 request.AddHeader("dollar-parenthesis-value-test", "$(");
+request.AddHeader("#", "hash-key-test");
 request.AddHeader("hash-brace-value-test", "#{");
+request.AddHeader("%", "percent-key-test");
 request.AddHeader("percent-parenthesis-value-test", "%(");
 request.AddHeader("percent-brace-value-test", "%{");
 request.AddHeader("double-brace-value-test", "{{");

test/fixtures/output/go/native/malicious.go

@@ -15,11 +15,16 @@ func main() {
 
 	req, _ := http.NewRequest("POST", url, payload)
 
+	req.Header.Add("'", "squote-key-test")
 	req.Header.Add("squote-value-test", "'")
 	req.Header.Add("dquote-value-test", "\"")
+	req.Header.Add("`", "backtick-key-test")
 	req.Header.Add("backtick-value-test", "`")
+	req.Header.Add("$", "dollar-key-test")
 	req.Header.Add("dollar-parenthesis-value-test", "$(")
+	req.Header.Add("#", "hash-key-test")
 	req.Header.Add("hash-brace-value-test", "#{")
+	req.Header.Add("%", "percent-key-test")
 	req.Header.Add("percent-parenthesis-value-test", "%(")
 	req.Header.Add("percent-brace-value-test", "%{")
 	req.Header.Add("double-brace-value-test", "{{")

test/fixtures/output/http/1.1/malicious

@@ -1,9 +1,14 @@
 POST /%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C HTTP/1.1
+': squote-key-test
 Squote-Value-Test: '
 Dquote-Value-Test: "
+`: backtick-key-test
 Backtick-Value-Test: `
+$: dollar-key-test
 Dollar-Parenthesis-Value-Test: $(
+#: hash-key-test
 Hash-Brace-Value-Test: #{
+%: percent-key-test
 Percent-Parenthesis-Value-Test: %(
 Percent-Brace-Value-Test: %{
 Double-Brace-Value-Test: {{

test/fixtures/output/java/asynchttp/malicious.java

@@ -1,10 +1,15 @@
 AsyncHttpClient client = new DefaultAsyncHttpClient();
 client.prepare("POST", "http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C")
+  .setHeader("'", "squote-key-test")
   .setHeader("squote-value-test", "'")
   .setHeader("dquote-value-test", "\"")
+  .setHeader("`", "backtick-key-test")
   .setHeader("backtick-value-test", "`")
+  .setHeader("$", "dollar-key-test")
   .setHeader("dollar-parenthesis-value-test", "$(")
+  .setHeader("#", "hash-key-test")
   .setHeader("hash-brace-value-test", "#{")
+  .setHeader("%", "percent-key-test")
   .setHeader("percent-parenthesis-value-test", "%(")
   .setHeader("percent-brace-value-test", "%{")
   .setHeader("double-brace-value-test", "{{")

test/fixtures/output/java/nethttp/malicious.java

@@ -1,10 +1,15 @@
 HttpRequest request = HttpRequest.newBuilder()
     .uri(URI.create("http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C"))
+    .header("'", "squote-key-test")
     .header("squote-value-test", "'")
     .header("dquote-value-test", "\"")
+    .header("`", "backtick-key-test")
     .header("backtick-value-test", "`")
+    .header("$", "dollar-key-test")
     .header("dollar-parenthesis-value-test", "$(")
+    .header("#", "hash-key-test")
     .header("hash-brace-value-test", "#{")
+    .header("%", "percent-key-test")
     .header("percent-parenthesis-value-test", "%(")
     .header("percent-brace-value-test", "%{")
     .header("double-brace-value-test", "{{")

test/fixtures/output/java/okhttp/malicious.java

@@ -5,11 +5,16 @@
 Request request = new Request.Builder()
   .url("http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C")
   .post(body)
+  .addHeader("'", "squote-key-test")
   .addHeader("squote-value-test", "'")
   .addHeader("dquote-value-test", "\"")
+  .addHeader("`", "backtick-key-test")
   .addHeader("backtick-value-test", "`")
+  .addHeader("$", "dollar-key-test")
   .addHeader("dollar-parenthesis-value-test", "$(")
+  .addHeader("#", "hash-key-test")
   .addHeader("hash-brace-value-test", "#{")
+  .addHeader("%", "percent-key-test")
   .addHeader("percent-parenthesis-value-test", "%(")
   .addHeader("percent-brace-value-test", "%{")
   .addHeader("double-brace-value-test", "{{")

test/fixtures/output/java/unirest/malicious.java

@@ -1,9 +1,14 @@
 HttpResponse<String> response = Unirest.post("http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C")
+  .header("'", "squote-key-test")
   .header("squote-value-test", "'")
   .header("dquote-value-test", "\"")
+  .header("`", "backtick-key-test")
   .header("backtick-value-test", "`")
+  .header("$", "dollar-key-test")
   .header("dollar-parenthesis-value-test", "$(")
+  .header("#", "hash-key-test")
   .header("hash-brace-value-test", "#{")
+  .header("%", "percent-key-test")
   .header("percent-parenthesis-value-test", "%(")
   .header("percent-brace-value-test", "%{")
   .header("double-brace-value-test", "{{")

test/fixtures/output/javascript/axios/malicious.js

@@ -28,11 +28,16 @@ const options = {
     'slash-value-test': '\\'
   },
   headers: {
+    '\'': 'squote-key-test',
     'squote-value-test': '\'',
     'dquote-value-test': '"',
+    '`': 'backtick-key-test',
     'backtick-value-test': '`',
+    $: 'dollar-key-test',
     'dollar-parenthesis-value-test': '$(',
+    '#': 'hash-key-test',
     'hash-brace-value-test': '#{',
+    '%': 'percent-key-test',
     'percent-parenthesis-value-test': '%(',
     'percent-brace-value-test': '%{',
     'double-brace-value-test': '{{',

test/fixtures/output/javascript/fetch/malicious.js

@@ -1,11 +1,16 @@
 const options = {
   method: 'POST',
   headers: {
+    '\'': 'squote-key-test',
     'squote-value-test': '\'',
     'dquote-value-test': '"',
+    '`': 'backtick-key-test',
     'backtick-value-test': '`',
+    $: 'dollar-key-test',
     'dollar-parenthesis-value-test': '$(',
+    '#': 'hash-key-test',
     'hash-brace-value-test': '#{',
+    '%': 'percent-key-test',
     'percent-parenthesis-value-test': '%(',
     'percent-brace-value-test': '%{',
     'double-brace-value-test': '{{',

test/fixtures/output/javascript/jquery/malicious.js

@@ -4,11 +4,16 @@ const settings = {
   "url": "http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C",
   "method": "POST",
   "headers": {
+    "'": "squote-key-test",
     "squote-value-test": "'",
     "dquote-value-test": "\"",
+    "`": "backtick-key-test",
     "backtick-value-test": "`",
+    "$": "dollar-key-test",
     "dollar-parenthesis-value-test": "$(",
+    "#": "hash-key-test",
     "hash-brace-value-test": "#{",
+    "%": "percent-key-test",
     "percent-parenthesis-value-test": "%(",
     "percent-brace-value-test": "%{",
     "double-brace-value-test": "{{",

test/fixtures/output/javascript/xhr/malicious.js

@@ -10,11 +10,16 @@ xhr.addEventListener("readystatechange", function () {
 });
 
 xhr.open("POST", "http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C");
+xhr.setRequestHeader("'", "squote-key-test");
 xhr.setRequestHeader("squote-value-test", "'");
 xhr.setRequestHeader("dquote-value-test", "\"");
+xhr.setRequestHeader("`", "backtick-key-test");
 xhr.setRequestHeader("backtick-value-test", "`");
+xhr.setRequestHeader("$", "dollar-key-test");
 xhr.setRequestHeader("dollar-parenthesis-value-test", "$(");
+xhr.setRequestHeader("#", "hash-key-test");
 xhr.setRequestHeader("hash-brace-value-test", "#{");
+xhr.setRequestHeader("%", "percent-key-test");
 xhr.setRequestHeader("percent-parenthesis-value-test", "%(");
 xhr.setRequestHeader("percent-brace-value-test", "%{");
 xhr.setRequestHeader("double-brace-value-test", "{{");

test/fixtures/output/kotlin/okhttp/malicious.kt

@@ -5,11 +5,16 @@ val body = RequestBody.create(mediaType, "' \" ` $( #{ %( %{ {{ \\0 %s \\")
 val request = Request.Builder()
   .url("http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C")
   .post(body)
+  .addHeader("'", "squote-key-test")
   .addHeader("squote-value-test", "'")
   .addHeader("dquote-value-test", "\"")
+  .addHeader("`", "backtick-key-test")
   .addHeader("backtick-value-test", "`")
+  .addHeader("$", "dollar-key-test")
   .addHeader("dollar-parenthesis-value-test", "$(")
+  .addHeader("#", "hash-key-test")
   .addHeader("hash-brace-value-test", "#{")
+  .addHeader("%", "percent-key-test")
   .addHeader("percent-parenthesis-value-test", "%(")
   .addHeader("percent-brace-value-test", "%{")
   .addHeader("double-brace-value-test", "{{")

test/fixtures/output/node/axios/malicious.js

@@ -28,11 +28,16 @@ var options = {
     'slash-value-test': '\\'
   },
   headers: {
+    '\'': 'squote-key-test',
     'squote-value-test': '\'',
     'dquote-value-test': '"',
+    '`': 'backtick-key-test',
     'backtick-value-test': '`',
+    $: 'dollar-key-test',
     'dollar-parenthesis-value-test': '$(',
+    '#': 'hash-key-test',
     'hash-brace-value-test': '#{',
+    '%': 'percent-key-test',
     'percent-parenthesis-value-test': '%(',
     'percent-brace-value-test': '%{',
     'double-brace-value-test': '{{',

test/fixtures/output/node/fetch/malicious.js

@@ -5,11 +5,16 @@ let url = 'http://example.test/%27%22%60$(%(%%7B%7B%7B/0%s//?\'=squote-key-test&
 let options = {
   method: 'POST',
   headers: {
+    '\'': 'squote-key-test',
     'squote-value-test': '\'',
     'dquote-value-test': '"',
+    '`': 'backtick-key-test',
     'backtick-value-test': '`',
+    $: 'dollar-key-test',
     'dollar-parenthesis-value-test': '$(',
+    '#': 'hash-key-test',
     'hash-brace-value-test': '#{',
+    '%': 'percent-key-test',
     'percent-parenthesis-value-test': '%(',
     'percent-brace-value-test': '%{',
     'double-brace-value-test': '{{',