fix: escape `$` in curl request bodies and headers (#6245)

This address a bug where a `$` character in a request body or header
would not be properly escaped in a string in the generated curl command.

Fixes #5390

src/core/curlify.js

@@ -26,7 +26,7 @@ export default function curl( request ){
     for( let p of request.get("headers").entries() ){
       let [ h,v ] = p
       curlified.push( "-H " )
-      curlified.push( `"${h}: ${v}"` )
+      curlified.push( `"${h}: ${v.replace("$", "\\$")}"` )
       isMultipartFormDataRequest = isMultipartFormDataRequest || /^content-type$/i.test(h) && /^multipart\/form-data$/i.test(v)
     }
   }
@@ -44,7 +44,7 @@ export default function curl( request ){
       }
     } else {
       curlified.push( "-d" )
-      curlified.push( JSON.stringify( request.get("body") ).replace(/\\n/g, "") )
+      curlified.push( JSON.stringify( request.get("body") ).replace(/\\n/g, "").replace("$", "\\$") )
     }
   } else if(!request.get("body") && request.get("method") === "POST") {
     curlified.push( "-d" )

test/mocha/core/curlify.js

@@ -319,4 +319,17 @@ describe("curlify", function () {
       expect(curlified).toEqual("curl -X POST \"http://example.com\" -H  \"x-custom-name: multipart/form-data\" -d {\"id\":\"123\",\"file\":{\"name\":\"file.txt\",\"type\":\"text/plain\"}}")
     })
   })
+
+  it("should escape dollar signs in headers and request body", function () {
+    let req = {
+      url: "http://example.com",
+      method: "POST",
+      headers: { "X-DOLLAR": "token/123$" },
+      body: "CREATE ($props)"
+    }
+
+    let curlified = curl(Im.fromJS(req))
+
+    expect(curlified).toEqual("curl -X POST \"http://example.com\" -H  \"X-DOLLAR: token/123\\$\" -d \"CREATE (\\$props)\"")
+  })
 })