Be strict about escape sequences in bytes

Author: zeroSteiner

lib/rule_engine/parser/__init__.py

@@ -34,13 +34,28 @@
 import codecs
 import collections
 import types as pytypes
+import re
 
 from .. import ast
 from .. import errors
 from .base import ParserBase
 from .utilities import timedelta_regex
 
 literal_eval = pyast.literal_eval
+re
+def _repl_byte_escape(match):
+	token = match.group(1)
+	if token[0] == ord('x'):  # x
+		return bytes([int(token[1:], 16)])
+	table = {
+		b't':  '\t'.encode(),
+		b'n':  '\n'.encode(),
+		b'r':  '\r'.encode(),
+		b'"':  '\"'.encode(),
+		b"'":  '\''.encode(),
+		b'\\': '\\'.encode()
+	}
+	return table[token]
 
 class _DeferredAstNode(object):
 	__slots__ = ('cls', 'args', 'kwargs', 'method')
@@ -418,10 +433,17 @@ def p_expression_boolean(self, p):
 
 	def p_expression_bytes(self, p):
 		'object : BYTES'
+		value = p[1][1:-1]
 		try:
-			value = literal_eval('b' + p[1])
-		except Exception:
+			value = codecs.encode(value, 'unicode-escape').decode()
+		except UnicodeError:
 			raise errors.BytesSyntaxError('invalid bytes literal', p[1][1:-1]) from None
+		value = value.replace('\\\\', '\\')
+		if (match := re.search(r'(?<!\\)(?:\\\\)*\\(?!\\|t|n|r|"|\'|x[0-9A-Fa-f]{2}).?', value)):
+			raise errors.BytesSyntaxError(f"invalid bytes literal (invalid escape at position {match.start()})", p[1][1:-1])
+		value = value.encode()
+		value = re.sub(br'\\(x[0-9A-Fa-f]{2})', _repl_byte_escape, value)
+		value = re.sub(br'\\(.)', _repl_byte_escape, value)
 		p[0] = _DeferredAstNode(ast.BytesExpression, args=(self.context, value))
 
 	def p_expression_datetime(self, p):

tests/parser.py

@@ -313,11 +313,24 @@ def test_parse_boolean(self):
 
 	def test_parse_bytes(self):
 		self.assertLiteralStatementEqual('b""', ast.BytesExpression, b'')
-		self.assertLiteralStatementEqual('b"dead\x13\x37"', ast.BytesExpression, b'dead\x13\x37')
-		self.assertLiteralStatementEqual('b"\\xde\\xad"', ast.BytesExpression, b'\xde\xad')
-		self.assertLiteralStatementEqual('b"\\xDE\\xAD"', ast.BytesExpression, b'\xde\xad')
+
+	def test_parse_bytes_escape(self):
+		self.assertLiteralStatementEqual('b""', ast.BytesExpression, b'')
+		self.assertLiteralStatementEqual(r'b"foo\tbar"', ast.BytesExpression, b'foo\x09bar')
+		self.assertLiteralStatementEqual(r'b"foo\nbar"', ast.BytesExpression, b'foo\x0abar')
+		self.assertLiteralStatementEqual(r'b"foo\rbar"', ast.BytesExpression, b'foo\x0dbar')
+		self.assertLiteralStatementEqual(r'b"foo\"bar"', ast.BytesExpression, b'foo\x22bar')
+		self.assertLiteralStatementEqual(r'b"foo\'bar"', ast.BytesExpression, b'foo\x27bar')
+		self.assertLiteralStatementEqual(r'b"foo\\bar"', ast.BytesExpression, b'foo\x5cbar')
+		with self.assertRaises(errors.BytesSyntaxError):
+			self._parse(r'b"\u0123"', self.context)
+
+	def test_parse_bytes_escape_hexl(self):
+		self.assertLiteralStatementEqual(r'b"dead\x13\x37"', ast.BytesExpression, b'dead\x13\x37')
+		self.assertLiteralStatementEqual(r'b"\xde\xad"', ast.BytesExpression, b'\xde\xad')
+		self.assertLiteralStatementEqual(r'b"\xDE\xAD"', ast.BytesExpression, b'\xde\xad')
 		with self.assertRaises(errors.BytesSyntaxError):
-			self._parse('b"\\xyz"', self.context)
+			self._parse(r'b"\xyz"', self.context)
 
 	def test_parse_datetime(self):
 		self.assertLiteralStatementEqual('d"2016-10-15"', ast.DatetimeExpression, datetime.datetime(2016, 10, 15, tzinfo=dateutil.tz.tzlocal()))