Eval Rewriting + Scope Fix (#668)

* eval fix: instead of rewriting to 'WB_wombat_eval', rewrite to 'self.eval' for non-top-level eval
the wombat object will handle rewriting the eval arg on 'self.eval'
tighten rewriting for top-level 'eval', add additional tests
part of fix for #663

* rewrite wrap: add extra {, } to avoid collisions, as suggested in webrecorder/wombat#72
eval rewrite: exclude ',eval' as more likely than not causing a false positive, as per #643

* update to latest wombat 3.3.0 with corresponding fixes

Author: ikreymer

pywb/rewrite/regex_rewriters.py

@@ -13,8 +13,8 @@ def remove_https(string, _):
         return string.replace("https", "http")
 
     @staticmethod
-    def replace_str(replacer):
-        return lambda x, _: x.replace('this', replacer)
+    def replace_str(replacer, match='this'):
+        return lambda x, _: x.replace(match, replacer)
 
     @staticmethod
     def format(template):
@@ -100,10 +100,10 @@ def __init__(self):
         prop_str = '|'.join(self.local_objs)
 
         rules = [
-            # rewriting 'eval(....)' - invocation
-            (r'(?<![$])\beval\s*\(', self.add_prefix('WB_wombat_runEval(function _____evalIsEvil(_______eval_arg$$) { return eval(_______eval_arg$$); }.bind(this)).'), 0),
+            # rewriting 'eval(...)' - invocation
+            (r'(?<!function\s)(?:^|[^,$])eval\s*\(', self.replace_str('WB_wombat_runEval(function _____evalIsEvil(_______eval_arg$$) { return eval(_______eval_arg$$); }.bind(this)).eval', 'eval'), 0),
             # rewriting 'x = eval' - no invocation
-            (r'(?<![$])\beval\b', self.add_prefix('WB_wombat_'), 0),
+            (r'(?<=[=,])\s*\beval\b\s*(?![(:.$])', self.replace_str('self.eval', 'eval'), 0),
             (r'(?<=\.)postMessage\b\(', self.add_prefix('__WB_pmw(self).'), 0),
             (r'(?<![$.])\s*location\b\s*[=]\s*(?![=])', self.add_suffix(check_loc), 0),
             # rewriting 'return this'
@@ -122,9 +122,9 @@ def __init__(self):
 
         super(JSWombatProxyRules, self).__init__(rules)
 
-        self.first_buff = local_init_func + local_declares + '\n\n'
+        self.first_buff = local_init_func + local_declares + '\n\n{'
 
-        self.last_buff = '\n\n}'
+        self.last_buff = '\n\n}}'
 
 
 # =================================================================

pywb/rewrite/test/test_regex_rewriters.py

@@ -218,20 +218,42 @@
 >>> _test_js_obj_proxy('eval(a)')
 'WB_wombat_runEval(function _____evalIsEvil(_______eval_arg$$) { return eval(_______eval_arg$$); }.bind(this)).eval(a)'
 
+>>> _test_js_obj_proxy(',eval(a)')
+',eval(a)'
+
 >>> _test_js_obj_proxy('this.$eval(a)')
 'this.$eval(a)'
 
 >>> _test_js_obj_proxy('x = this.$eval; x(a);')
 'x = this.$eval; x(a);'
 
 >>> _test_js_obj_proxy('x = eval; x(a);')
-'x = WB_wombat_eval; x(a);'
+'x = self.eval; x(a);'
 
 >>> _test_js_obj_proxy('$eval = eval; $eval(a);')
-'$eval = WB_wombat_eval; $eval(a);'
+'$eval = self.eval; $eval(a);'
+
+>>> _test_js_obj_proxy('foo(a, eval(data));')
+'foo(a, WB_wombat_runEval(function _____evalIsEvil(_______eval_arg$$) { return eval(_______eval_arg$$); }.bind(this)).eval(data));'
+
+>>> _test_js_obj_proxy('function eval() {}')
+'function eval() {}'
 
 >>> _test_js_obj_proxy('window.eval(a);')
-'window.WB_wombat_runEval(function _____evalIsEvil(_______eval_arg$$) { return eval(_______eval_arg$$); }.bind(this)).eval(a);'
+'window.eval(a);'
+
+>>> _test_js_obj_proxy('x = window.eval; x(a);')
+'x = window.eval; x(a);'
+
+>>> _test_js_obj_proxy('obj = { eval : 1 }')
+'obj = { eval : 1 }'
+
+>>> _test_js_obj_proxy('x = obj.eval')
+'x = obj.eval'
+
+>>> _test_js_obj_proxy('x = obj.eval(a)')
+'x = obj.eval(a)'
+
 
 #=================================================================
 # XML Rewriting

pywb/static/autoFetchWorker.js

@@ -107,7 +107,7 @@ function fetchDone() {
 }
 
 function fetchErrored(err) {
-  console.warn("Fetch Failed: " + err);
+  console.warn('Fetch Failed: ' + err);
   fetchDone();
 }