@@ -8,7 +8,7 @@ use std::{
88} ;
99use stellar_xdr:: curr:: ScSpecEntry ;
1010
11- use super :: { generate, validate_npm_package_name} ;
11+ use super :: { generate, sanitize_string , validate_npm_package_name} ;
1212
1313static PROJECT_DIR : Dir < ' _ > = include_dir ! ( "$CARGO_MANIFEST_DIR/src/project_template" ) ;
1414
@@ -141,6 +141,8 @@ impl Project {
141141 NETWORK_PASSPHRASE_STANDALONE => "standalone" ,
142142 _ => "unknown" ,
143143 } ;
144+ let network_passphrase = sanitize_string ( network_passphrase) ;
145+ let contract_id = sanitize_string ( contract_id) ;
144146 format ! (
145147 r#"export const networks = {{
146148 {network}: {{
@@ -279,6 +281,27 @@ mod test {
279281 assert ! ( err. to_string( ) . contains( "not a valid npm package name" ) ) ;
280282 }
281283
284+ #[ test]
285+ fn test_format_networks_object_sanitizes_inputs ( ) {
286+ let malicious_passphrase =
287+ r#"Test SDF Network", }}; console.log("pwned"); const x = {{ a: ""# ;
288+ let malicious_contract_id = r#"CABC"; import("evil"); //"# ;
289+ let result = Project :: format_networks_object (
290+ Some ( malicious_contract_id) ,
291+ Some ( malicious_passphrase) ,
292+ ) ;
293+ assert ! (
294+ !result. contains( r#"console.log("pwned")"# ) ,
295+ "network_passphrase was not sanitized: {result}"
296+ ) ;
297+ assert ! (
298+ !result. contains( r#"import("evil")"# ) ,
299+ "contract_id was not sanitized: {result}"
300+ ) ;
301+ assert ! ( result. contains( r#"console.log(\"pwned\")"# ) ) ;
302+ assert ! ( result. contains( r#"import(\"evil\")"# ) ) ;
303+ }
304+
282305 fn assert_dirs_equal < P : AsRef < Path > > ( dir1 : P , dir2 : P ) {
283306 let walker1 = WalkDir :: new ( & dir1) ;
284307 let walker2 = WalkDir :: new ( & dir2) ;
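Review bot: The assertions on lines 301–302 pin only that `"` becomes `\"`, so the test does not cover the backslash case that defeats quote-only escaping: if `sanitize_string` leaves `\` alone (not visible here, so unconfirmed), an input ending in a backslash such as `r#"CABC\"#` would be emitted as `"CABC\"` and the trailing backslash escapes the closing quote, letting the string run into the generated code. I would add inputs for a trailing backslash and an embedded newline to `test_format_networks_object_sanitizes_inputs`, e.g. `let trailing_backslash = r#"CABC\"#;` and assert the output contains `\\"` rather than `\"` at that position, and that `\n` is not emitted raw. For `contract_id` specifically, a valid contract ID is a fixed-alphabet strkey, so rejecting anything outside that alphabet before formatting would be a stronger control than escaping; the caller's validation is not visible in these hunks. The body of `format_networks_object` both starts and ends outside the hunk.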