Unicode values in require causing LibSass segfaults #11

Open
xzyfer opened this issue Apr 20, 2016 · 5 comments

xzyfer commented Apr 20, 2016

@hugogiraudel ran into this issue and engaged my help in debugging.


evil.json

{
  "namespace":  "Classes and IDs must follow a specific grammar. And this thing here doesn’t."
}

test.scss

$foo: require('./evil');

test.js

require('sassport').render({
  file: './test.scss'
}, function(err, result) {
  if (err) {
    console.log(err);
  } else {
    console.log(result.css.toString());
  }
});

Result

Assertion failed: (utf8_validate(str)), function emit_string, file ../src/libsass/src/json.cpp, line 1144.
[1]    43577 abort      node test.js

Firstly let me state that the abort is a bug in LibSass. However it occurs due to a bug in Sassport.

The custom function in utils.infer does not quote the jsValue when it's a String.

sassUtils.infer = (jsValue) => {
  let result;

  try {  
    sass.renderSync({
      data: `$_: ___((${jsValue}));`,
      functions: {
        '___($value)': (value) => {
          result = value;

          return value;
        }
      }
    });
  } catch(e) {
    return jsValue;
  }

  return result;
};

The resulting data passed to Node Sass ends up being

$_: ___((Classes and IDs must follow a specific grammar. And this thing here doesn't.));

The missing " around the function argument causes a (Ruby) Sass error.

Error: Invalid CSS after "...pecific grammar": expected ")", was ". And this thin..."
        on line 17 of test.scss
  Use --trace for backtrace.

This error is not handled by LibSass, so instead the abort happens:

Assertion failed: (utf8_validate(str)), function emit_string, file src/json.cpp, line 1144.
[1]    43551 abort      ~/Projects/Sass/sassc/bin/sassc test.scss

xzyfer commented Apr 20, 2016

A simple fix that worked locally is

-data: `$_: ___((${jsValue}));`,
+data: `$_: ___(("${jsValue}"));`,
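
Review bot: `${jsValue}` is placed between the new double quotes without any escaping, so a value that itself contains `"` or a backslash ends or alters the quoted Sass string and breaks the generated source again; escape those characters before interpolating. The quotes are also applied to every value rather than only when jsValue is a String, so consider quoting conditionally.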

However I'm not familiar enough with Sassport to know what kind of unintended side effects that may have.

@davidkpiano
Owner

Hmm interesting - the reason that it is unquoted (and instead surrounded by parentheses) is because infer is interpolating the raw value to get the actual Sass value, instead of just a string every time. That way, if you have this:

{
  "foo-height": "34px"
}

then "foo-height" will be interpreted as the length 34px instead of as the string "34px".

Actually, I may have a better fix:

@function ___($val) {
  @return $val;
}

$_: ___((Classes and IDs must follow a specific grammar\. And this thing here doesn\'t\.));

.foo {
  test: $_;
}

This will work. I just have to escape periods and quotes. Is there anything else I should escape that you can think of?


xzyfer commented Apr 20, 2016

I couldn't say off the top of my head. I'm actually surprised that works :)


xzyfer commented Apr 20, 2016

This might help you track down the correct escaping - https://github.com/minimaxir/big-list-of-naughty-strings


xzyfer commented Apr 21, 2016

Bug for abort filed upstream sass/libsass#2016
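
As an added example (not part of the thread and not Sassport's code), here is one conservative way to build the `$_: ___((…))` source discussed above: only values matching a strict number, hex color or boolean pattern are interpolated raw so Sass can infer their type, and everything else becomes an escaped, quoted Sass string. The names `RAW_SAFE`, `toSassString` and `inferSource` are hypothetical, and the escaping assumes Sass accepts CSS-style backslash escapes inside quoted strings.

```javascript
// Added example; RAW_SAFE, toSassString and inferSource are hypothetical
// names, not Sassport functions.

// Values that may be interpolated raw so Sass still infers their type:
// numbers with an optional unit, hex colors, true/false/null.
// Deliberately conservative: anything else is treated as a string.
const RAW_SAFE = new RegExp(
  '^(?:[+-]?(?:\\d+\\.?\\d*|\\.\\d+)(?:[a-zA-Z]+|%)?' +
  '|#(?:[0-9a-fA-F]{3,4}|[0-9a-fA-F]{6}|[0-9a-fA-F]{8})' +
  '|true|false|null)$'
);

// Encode arbitrary text as a double-quoted Sass string literal.
// Assumes CSS-style escapes: "\" + char, or "\" + hex code point + space.
function toSassString(value) {
  let out = '"';
  for (const ch of String(value)) {
    const cp = ch.codePointAt(0);
    if (cp >= 0xd800 && cp <= 0xdfff) {
      out += '\ufffd';                      // lone surrogate: not encodable as UTF-8
    } else if (ch === '\\' || ch === '"' || ch === '#') {
      out += '\\' + ch;                     // '#' escaped so "#{" cannot interpolate
    } else if (cp < 0x20 || cp === 0x7f) {
      out += '\\' + cp.toString(16) + ' ';  // control characters, e.g. newline -> \a
    } else {
      out += ch;                            // other text, including ’, passes through
    }
  }
  return out + '"';
}

// Build the source handed to sass.renderSync() for the ___() callback.
function inferSource(jsValue) {
  const text = String(jsValue);
  const arg = RAW_SAFE.test(text) ? text : toSassString(text);
  return `$_: ___((${arg}));`;
}

// Constructed sample inputs.
for (const v of ['34px', '#fc0', 'doesn’t. "quoted"', '1); @debug x; $y: (2']) {
  console.log(inferSource(v));
}
```

Color keywords such as `red` are quoted by this pattern; widening `RAW_SAFE` trades type inference against the risk of passing unparseable text to the compiler.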
