Avoid escaping HTML sensitive characters when writing configuration to file (#1691)

Aniruddh25 · abhishekkumams · web-flow · commit 1b82fb882703 · 2023-09-07T06:05:29.000Z
## Why make this change? - Closes #1687 ## What is this change? - Set the Encoder for JsonSerializationOptions to be [`JavaScriptEncoder.UnsafeRelaxedJsonEscaping`](https://learn.microsoft.com/en-us/dotnet/api/system.text.encodings.web.javascriptencoder.unsaferelaxedjsonescaping?view=net-7.0) instead of the default encoder. - Although [this article](https://learn.microsoft.com/en-us/dotnet/standard/serialization/system-text-json/character-encoding#serialize-all-characters) mentions use this encoder with caution, since we are sure the file contents will be deserialized as UTF-8 JSON, we should be safe to use this encoder. - We were using this encoder previously from the fix in #1386, but with #1402, that original fix was essentially not being used since #1402 introduced usage of the new `GetJsonSerializerOptions()` function in `RuntimeConfigLoader`. ## How was this tested? - [X] Unit Tests. `TestSpecialCharactersInConnectionString` is moved to the `ConfigGeneratorTests` since keeping it as part of `InitTests` with the Verify framework wasn't really testing the scenario since we ignore connection strings in the snapshots. - This regression from #1402 was not caught because this test scenario was effectively being skipped. - Note, this test is modified to explicitly compare the expected and actual json string from file since any usage of JsonSerializer/JObject.Parse would require using the same encoder to deserialize making the test itself run similar code which it is testing. Parsing into JSON objects would treat `\u0027` and `'` as equal whereas string comparison wont. Hence, comparison using string is necessary to catch regressions here. ## Sample Request(s) BEFORE: `dab init --host-mode development --database-type mssql --connection-string "@env('my-connection-string')"` creates the configuration file as follows: ``` { "$schema": "https://github.com/Azure/data-api-builder/releases/download/v0.8.49/dab.draft.schema.json", "data-source": { "database-type": "mssql", "connection-string": "@env(\u0027my-connection-string\u0027)", "options": { "set-session-context": false } } ``` Note, the value of connection string. AFTER: Same command creates the following file: ``` { "$schema": "https://github.com/Azure/data-api-builder/releases/download/v0.8.49/dab.draft.schema.json", "data-source": { "database-type": "mssql", "connection-string": "@env('my-connection-string')", "options": { "set-session-context": false } } ``` --------- Co-authored-by: Abhishek Kumar <abhishekkuma@microsoft.com>
diff --git a/src/Cli.Tests/ConfigGeneratorTests.cs b/src/Cli.Tests/ConfigGeneratorTests.cs
@@ -1,6 +1,8 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
 
+using System.Text;
+
 namespace Cli.Tests;
 
 /// <summary>
@@ -119,6 +121,77 @@ public void TryGenerateConfig_UsingEnvironmentVariable(
         }
     }
 
+    /// <summary>
+    /// Test to verify creation of initial config with special characters
+    /// such as [!,@,#,$,%,^,&,*, ,(,)] in connection-string or graphql api
+    /// </summary>
+    [TestMethod]
+    public void TestSpecialCharactersInConnectionString()
+    {
+        HandleConfigFileCreationAndDeletion(TEST_RUNTIME_CONFIG_FILE, configFilePresent: false);
+        InitOptions options = new(
+            databaseType: DatabaseType.MSSQL,
+            connectionString: "A!string@with#some$special%characters^to&check*proper(serialization).'",
+            cosmosNoSqlDatabase: null,
+            cosmosNoSqlContainer: null,
+            graphQLSchemaPath: null,
+            graphQLPath: "/An_",
+            setSessionContext: false,
+            hostMode: HostMode.Production,
+            corsOrigin: null,
+            authenticationProvider: EasyAuthType.StaticWebApps.ToString(),
+            config: TEST_RUNTIME_CONFIG_FILE);
+
+        StringBuilder expectedRuntimeConfigJson = new(
+        @"{" +
+            @"""$schema"": """ + DAB_DRAFT_SCHEMA_TEST_PATH + @"""" + "," +
+            @"""data-source"": {
+                    ""database-type"": ""mssql"",
+                    ""connection-string"": ""A!string@with#some$special%characters^to&check*proper(serialization).'"",
+                    ""options"":{
+                        ""set-session-context"": false
+                    }
+                },
+           ""runtime"": {
+                ""rest"": {
+                  ""enabled"": true,
+                  ""path"": ""/api""
+                  },
+                ""graphql"": {
+                  ""enabled"": true,
+                  ""path"": ""/An_"",
+                  ""allow-introspection"": true
+                  },
+                ""host"": {
+                  ""cors"": {
+                    ""origins"": [],
+                    ""allow-credentials"": false
+                        },
+                  ""authentication"": {
+                    ""provider"": ""StaticWebApps""
+                        },
+                  ""mode"": ""production""
+                  }
+              },
+              ""entities"": {}
+            }");
+
+        expectedRuntimeConfigJson = expectedRuntimeConfigJson.Replace(" ", string.Empty);
+        expectedRuntimeConfigJson = expectedRuntimeConfigJson.Replace("\n", string.Empty);
+        expectedRuntimeConfigJson = expectedRuntimeConfigJson.Replace("\r\n", string.Empty);
+
+        Assert.IsTrue(TryGenerateConfig(options, _runtimeConfigLoader!, _fileSystem!));
+
+        StringBuilder actualRuntimeConfigJson = new(_fileSystem!.File.ReadAllText(TEST_RUNTIME_CONFIG_FILE, Encoding.Default));
+        actualRuntimeConfigJson = actualRuntimeConfigJson.Replace(" ", string.Empty);
+        actualRuntimeConfigJson = actualRuntimeConfigJson.Replace("\r\n", string.Empty);
+        actualRuntimeConfigJson = actualRuntimeConfigJson.Replace("\n", string.Empty);
+
+        // Comparing explicit strings here since parsing these into JSON would lose
+        // the test scenario of verifying escaped chars are not written to the file system.
+        Assert.AreEqual(expectedRuntimeConfigJson.ToString(), actualRuntimeConfigJson.ToString());
+    }
+
     /// <summary>
     /// This method handles the creation and deletion of a configuration file.
     /// </summary>
diff --git a/src/Cli.Tests/InitTests.cs b/src/Cli.Tests/InitTests.cs
@@ -223,28 +223,6 @@ public void EnsureFailureWhenBothRestAndGraphQLAreDisabled(
             Assert.AreEqual(expectedResult, TryCreateRuntimeConfig(options, _runtimeConfigLoader!, _fileSystem!, out RuntimeConfig? _));
         }
 
-        /// <summary>
-        /// Test to verify creation of initial config with special characters
-        /// such as [!,@,#,$,%,^,&,*, ,(,)] in connection-string.
-        /// </summary>
-        [TestMethod]
-        public Task TestSpecialCharactersInConnectionString()
-        {
-            InitOptions options = new(
-                databaseType: DatabaseType.MSSQL,
-                connectionString: "A!string@with#some$special%characters^to&check*proper(serialization)including space.",
-                cosmosNoSqlDatabase: null,
-                cosmosNoSqlContainer: null,
-                graphQLSchemaPath: null,
-                setSessionContext: false,
-                hostMode: HostMode.Production,
-                corsOrigin: null,
-                authenticationProvider: EasyAuthType.StaticWebApps.ToString(),
-                config: TEST_RUNTIME_CONFIG_FILE);
-
-            return ExecuteVerifyTest(options);
-        }
-
         /// <summary>
         /// Test to verify that an error is thrown when user tries to
         /// initialize a config with a file name that already exists.
diff --git a/src/Cli/Utils.cs b/src/Cli/Utils.cs
@@ -3,9 +3,7 @@
 
 using System.Diagnostics.CodeAnalysis;
 using System.IO.Abstractions;
-using System.Text.Encodings.Web;
 using System.Text.Json;
-using System.Text.Json.Serialization;
 using Azure.DataApiBuilder.Config;
 using Azure.DataApiBuilder.Config.Converters;
 using Azure.DataApiBuilder.Config.ObjectModel;
@@ -132,30 +130,6 @@ public class LowerCaseNamingPolicy : JsonNamingPolicy
             public static string ConvertName(Enum name) => name.ToString().ToLower();
         }
 
-        /// <summary>
-        /// Returns the Serialization option used to convert objects into JSON.
-        /// Not escaping any special unicode characters.
-        /// Ignoring properties with null values.
-        /// Keeping all the keys in lowercase.
-        /// </summary>
-        public static JsonSerializerOptions GetSerializationOptions()
-        {
-            JsonSerializerOptions? options = new()
-            {
-                Encoder = JavaScriptEncoder.UnsafeRelaxedJsonEscaping,
-                WriteIndented = true,
-                DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull,
-                PropertyNamingPolicy = new LowerCaseNamingPolicy(),
-                // As of .NET Core 7, JsonDocument and JsonSerializer only support skipping or disallowing
-                // of comments; they do not support loading them. If we set JsonCommentHandling.Allow for either,
-                // it will throw an exception.
-                ReadCommentHandling = JsonCommentHandling.Skip
-            };
-
-            options.Converters.Add(new JsonStringEnumConverter(namingPolicy: new LowerCaseNamingPolicy()));
-            return options;
-        }
-
         /// <summary>
         /// Returns true on successful parsing of mappings Dictionary from IEnumerable list.
         /// Returns false in case the format of the input is not correct.
diff --git a/src/Config/RuntimeConfigLoader.cs b/src/Config/RuntimeConfigLoader.cs
@@ -4,6 +4,7 @@
 using System.Diagnostics.CodeAnalysis;
 using System.Net;
 using System.Runtime.CompilerServices;
+using System.Text.Encodings.Web;
 using System.Text.Json;
 using System.Text.Json.Serialization;
 using Azure.DataApiBuilder.Config.Converters;
@@ -155,7 +156,8 @@ public static JsonSerializerOptions GetSerializationOptions(bool replaceEnvVar =
             PropertyNamingPolicy = new HyphenatedNamingPolicy(),
             ReadCommentHandling = JsonCommentHandling.Skip,
             WriteIndented = true,
-            DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull
+            DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull,
+            Encoder = JavaScriptEncoder.UnsafeRelaxedJsonEscaping
         };
         options.Converters.Add(new EnumMemberJsonEnumConverterFactory());
         options.Converters.Add(new RestRuntimeOptionsConverterFactory());
