From 225a915cf8a6d348c10d6569f677cf82b3f1e21d Mon Sep 17 00:00:00 2001
From: Alec Theriault
Date: Mon, 3 Aug 2020 12:07:06 -0400
Subject: [PATCH] fix: escape `$` in curl request bodies and headers (#6245)

This address a bug where a `$` character in a request body or header would not be properly escaped in a string in the generated curl command.

Fixes #5390
---
 src/core/curlify.js | 4 ++--
 test/mocha/core/curlify.js | 13 +++++++++++++
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/src/core/curlify.js b/src/core/curlify.js
index e707fa26..c4334cc0 100644
--- a/src/core/curlify.js
+++ b/src/core/curlify.js
@@ -26,7 +26,7 @@ export default function curl( request ){
 for( let p of request.get("headers").entries() ){
 let [ h,v ] = p
 curlified.push( "-H " )
- curlified.push( `"${h}: ${v}"` )
+ curlified.push( `"${h}: ${v.replace("$", "\\$")}"` )
 isMultipartFormDataRequest = isMultipartFormDataRequest || /^content-type$/i.test(h) && /^multipart\/form-data$/i.test(v)
 }
 }
@@ -44,7 +44,7 @@ export default function curl( request ){
 }
 }
 } else {
 curlified.push( "-d" )
- curlified.push( JSON.stringify( request.get("body") ).replace(/\\n/g, "") )
+ curlified.push( JSON.stringify( request.get("body") ).replace(/\\n/g, "").replace("$", "\\$") )
 }
 } else if(!request.get("body") && request.get("method") === "POST") {
 curlified.push( "-d" )
diff --git a/test/mocha/core/curlify.js b/test/mocha/core/curlify.js
index b492c804..fd83cea6 100644
--- a/test/mocha/core/curlify.js
+++ b/test/mocha/core/curlify.js
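Review bot: `String.prototype.replace` with a string pattern rewrites only the first match, so the added `v.replace("$", "\\$")` on the `-H` line leaves every later `$` in a header value unescaped, and the `-d` hunk that follows makes the same call on the stringified body. The generated command is meant to be pasted into a shell, where a remaining `$` inside the double quotes is still expanded. Use a global pattern in both places, `v.replace(/\$/g, "\\$")` for the header and `.replace(/\$/g, "\\$")` for the body. The header value also passes through with any `"`, backslash or backtick character intact, which this change does not address; a single quoting helper shared by both call sites would cover that. The `curl` function begins and ends outside both hunks.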
@@ -319,4 +319,17 @@ describe("curlify", function () {
 expect(curlified).toEqual("curl -X POST \"http://example.com\" -H \"x-custom-name: multipart/form-data\" -d {\"id\":\"123\",\"file\":{\"name\":\"file.txt\",\"type\":\"text/plain\"}}")
 })
 })
+
+ it("should escape dollar signs in headers and request body", function () {
+ let req = {
+ url: "http://example.com",
+ method: "POST",
+ headers: { "X-DOLLAR": "token/123$" },
+ body: "CREATE ($props)"
+ }
+
+ let curlified = curl(Im.fromJS(req))
+
+ expect(curlified).toEqual("curl -X POST \"http://example.com\" -H \"X-DOLLAR: token/123\\$\" -d \"CREATE (\\$props)\"")
+ })
 })
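Review bot: Every value in the new test holds exactly one `$`, so the expectation still passes when only the first dollar sign in a header or body is escaped. Add a case with repeated dollar signs, for example `headers: { "X-DOLLAR": "a$b$c" }` and `body: "$x and $y"` (constructed values), and assert that each one appears as `\\$` in the output. The enclosing `describe` block starts outside the hunk.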