codegen: escape string default values to prevent code injection #8964
Open
KevinZhao wants to merge 1 commit into google:master from
Conversation
String default values parsed from .fbs schemas are un-escaped by the IDL parser (e.g., \x22 becomes a raw " byte), but code generators embed these raw values directly into generated source code string literals. This allows specially crafted .fbs files to break out of string literals and inject arbitrary code into generated C++, Rust, TypeScript, and Swift source. Fix by adding EscapeCodeGenString() helper that re-escapes string content before embedding, and applying it to all 7 affected injection points across 5 code generators (C++, Rust, TypeScript, Swift, FBS). Resolves the TODO comments in idl_gen_cpp.cpp and idl_gen_rust.cpp.
Summary

String default values parsed from `.fbs` schemas are un-escaped by the IDL parser (e.g., `\x22` becomes a raw `"` byte), but code generators embed these raw values directly into generated source code string literals without re-escaping. This allows specially crafted `.fbs` files to inject arbitrary code into generated C++, Rust, TypeScript, and Swift source files.

Changes

- `EscapeCodeGenString()` helper in `util.h` that re-escapes string content for safe embedding in generated code, reusing the existing `EscapeString()` infrastructure
- `idl_gen_cpp.cpp`: bfbs_ string literal + CreateString default
- `idl_gen_rust.cpp`: string default value
- `idl_gen_ts.cpp`: string default value
- `idl_gen_swift.cpp`: string reader default + 2 constructor defaults
- `idl_gen_fbs.cpp`: schema regeneration

Test plan

- `cmake --build build`
- `\x22` in string defaults is correctly escaped to `\"` in generated C++ code

Resolves the TODO comments in `idl_gen_cpp.cpp:2782` and `idl_gen_rust.cpp:1141`.
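The mechanism the description outlines, shown as an added example that is not code from the PR or from flatbuffers: a raw default value (already un-escaped by the parser, so a `\x22` in the schema arrives as a bare `"`) is concatenated into a generated `CreateString()` call either directly or after re-escaping, and a small well-formedness check distinguishes the two outputs. `EscapeForCodeGen`, `EmitDefaultUnescaped`, `EmitDefaultEscaped` and `GeneratedCallIsWellFormed` are hypothetical names; the real PR helper `EscapeCodeGenString()` reuses the project's `EscapeString()` and is not reproduced here, and only the C++ generator's output shape is modelled.

```cpp
#include <cstdio>
#include <string>

// Hypothetical re-escaping step for a code generator (added example, not the
// PR's EscapeCodeGenString()). Input: raw bytes of a default value after the
// IDL parser has processed the .fbs escapes. Output: text that can sit between
// the quotes of a generated C++ string literal without terminating it.
std::string EscapeForCodeGen(const std::string &raw) {
  std::string out;
  out.reserve(raw.size() + 8);
  for (unsigned char c : raw) {
    switch (c) {
      case '\\': out += "\\\\"; break;
      case '"':  out += "\\\""; break;
      case '\n': out += "\\n";  break;
      case '\r': out += "\\r";  break;
      case '\t': out += "\\t";  break;
      default:
        if (c < 0x20 || c == 0x7f) {
          // Fixed-width octal rather than \x: a C++ \x escape keeps consuming
          // hex digits, so "\x22" followed by a literal 'a' would read as \x22a.
          char buf[8];
          std::snprintf(buf, sizeof buf, "\\%03o", static_cast<unsigned>(c));
          out += buf;
        } else {
          out += static_cast<char>(c);  // printable ASCII and UTF-8 bytes pass through
        }
    }
  }
  return out;
}

// The vulnerable shape the PR describes: the raw default is concatenated
// straight into the generated source.
std::string EmitDefaultUnescaped(const std::string &raw_default) {
  return "fbb_.CreateString(\"" + raw_default + "\")";
}

// The hardened shape: re-escape before embedding.
std::string EmitDefaultEscaped(const std::string &raw_default) {
  return "fbb_.CreateString(\"" + EscapeForCodeGen(raw_default) + "\")";
}

// Test-time check over one generated CreateString() call: the expected prefix
// and suffix are present and the literal body contains no unescaped '"' and
// no raw control bytes, i.e. nothing that could end the literal early.
bool GeneratedCallIsWellFormed(const std::string &emitted) {
  const std::string prefix = "fbb_.CreateString(\"";
  const std::string suffix = "\")";
  if (emitted.size() < prefix.size() + suffix.size()) return false;
  if (emitted.compare(0, prefix.size(), prefix) != 0) return false;
  if (emitted.compare(emitted.size() - suffix.size(), suffix.size(), suffix) != 0) return false;
  const std::string body =
      emitted.substr(prefix.size(), emitted.size() - prefix.size() - suffix.size());
  for (size_t i = 0; i < body.size(); ++i) {
    unsigned char c = static_cast<unsigned char>(body[i]);
    if (c == '\\') {            // escape sequence: skip the escaped character
      if (++i >= body.size()) return false;
      continue;
    }
    if (c == '"' || c < 0x20 || c == 0x7f) return false;
  }
  return true;
}

int main() {
  // Constructed default: what the parser would hand the generator for a
  // schema default written as "say \x22hi\x22".
  const std::string raw = "say \"hi\"";
  const std::string bad = EmitDefaultUnescaped(raw);
  const std::string good = EmitDefaultEscaped(raw);
  std::printf("unescaped: %s  well-formed=%d\n", bad.c_str(), GeneratedCallIsWellFormed(bad));
  std::printf("escaped:   %s  well-formed=%d\n", good.c_str(), GeneratedCallIsWellFormed(good));
  return 0;
}
```

The check is the kind of assertion a generator's regression test can make on its output: run the generator over a schema whose defaults contain quotes, backslashes and control bytes, and fail if any emitted literal is not well formed. Octal escapes are used for control bytes because a `\x` escape in C++ has no fixed width; the PR's actual helper may choose a different encoding.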