Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(#9480): apply proper quote escapes for the datum access expression #9479

Merged
merged 4 commits into from
Dec 3, 2024

Conversation

yhoonkim
Copy link
Contributor

@yhoonkim yhoonkim commented Nov 23, 2024

PR Description

Problem

The expression like

`datum["${str}"]`

which is vulnerable when str has double quotes, such as 'hello, "world"'.

The expression with single quotes is the same

`datum['${str}']`

which is vulnerable when str has single quotes, such as "Vega's Favorite".

Solution
This PR fixes the existing datum access expression to have a proper quote escape by calling accessWithDatumToUnescapedPath

It fixes the issue of timeunit band position transforms which don't escape the field name correctly.

#9480

@yhoonkim yhoonkim requested a review from a team as a code owner November 23, 2024 00:39
Copy link

cloudflare-workers-and-pages bot commented Nov 23, 2024

Deploying vega-lite with  Cloudflare Pages  Cloudflare Pages

Latest commit: 29a88bc
Status: ✅  Deploy successful!
Preview URL: https://c68e1d5d.vega-lite.pages.dev
Branch Preview URL: https://fix-timeunitbandpositionexpr.vega-lite.pages.dev

View logs

@yhoonkim yhoonkim requested a review from kanitw November 23, 2024 00:39
@domoritz
Copy link
Member

Can you link to the issue?

@yhoonkim
Copy link
Contributor Author

Can you link to the issue?

Done! (edited the PR description)

@yhoonkim yhoonkim changed the title apply single quote escape fix: apply single quote escape for the transforms from timeUnit bandPosition Nov 23, 2024
@domoritz
Copy link
Member

If you say "fixes" or "closes" before it, GitHub will link it and auto close the issue when the pull request is merged.

@yhoonkim yhoonkim changed the title fix: apply single quote escape for the transforms from timeUnit bandPosition fix(#9480): apply single quote escape for the transforms from timeUnit bandPosition Nov 27, 2024
src/util.ts Outdated
@@ -297,6 +297,10 @@ function escapePathAccess(string: string) {
return string.replace(/(\[|\]|\.|'|")/g, '\\$1');
}

export function escapeSingleQuotes(value: string) {
Copy link
Member

@kanitw kanitw Dec 2, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems like a code smell that we need to add a new escapeSingleQuotes utility method.

Shouldn't we already have another escape utility in other places? (Also, shouldn't the escape handle all characters that need escaping, not just "single quotes"?)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tried other utility functions to re-escape the field name but could not find a good one. Maybe I will try to find again and ping you if I can't find.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There may be some similar logic in Vega (utils).

Copy link
Contributor Author

@yhoonkim yhoonkim Dec 2, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ended up with creating more generic function, accessWithDatumToUnescapedPath, to solve this (datum['${field}'], datum["${field}"]) case.
accessWithDatumToUnescapedPath is taking un-escaped string to build the datum-access expression, where it only escapes the single quotes as datum['${}'] using the single quotes.

@yhoonkim yhoonkim force-pushed the fix-timeunitBandPositionExpr branch 2 times, most recently from fff4bef to 29a88bc Compare December 2, 2024 20:08
@yhoonkim yhoonkim changed the title fix(#9480): apply single quote escape for the transforms from timeUnit bandPosition fix(#9480): apply proper quote escapes for the datum access expression Dec 2, 2024
@yhoonkim yhoonkim requested review from kanitw and domoritz December 2, 2024 20:14
@@ -556,7 +559,7 @@ function errorBarAggregationAndCalculation<
for (const postAggregateCalculate of postAggregateCalculates) {
tooltipSummary.push({
fieldPrefix: postAggregateCalculate.as.substring(0, 6),
titlePrefix: replaceAll(replaceAll(postAggregateCalculate.calculate, 'datum["', ''), '"]', '')
titlePrefix: replaceAll(replaceAll(postAggregateCalculate.calculate, "datum['", ''), "']", '')
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we use accessWithDatumToUnescapedPath here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes.

  1. The existing logic peel off datum[" and "] from the calculate to create a prefix.
    E.g., datum["yh"] -> yh.

  2. I replaced the double quote datum expression with accessWithDatumToUnescapedPath using the single quote.

  3. To keep the existing logic, I changed the code to peel off datum[' and ']

@yhoonkim yhoonkim requested a review from domoritz December 3, 2024 17:17
Copy link
Member

@kanitw kanitw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving provided that you have sufficiently addressed @domoritz's concern.

(I haven't checked if you do, but at least you have sufficiently addressed mine.)

@yhoonkim yhoonkim merged commit 6a73892 into main Dec 3, 2024
10 checks passed
@yhoonkim yhoonkim deleted the fix-timeunitBandPositionExpr branch December 3, 2024 17:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

timeUnitBandPosition with escaped field (e.g., "\\'fieldName\\'") doesn't work.
3 participants