Skip to content

Prathmesh/typescript ambient modules #2528

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
prathmesh-stripe wants to merge 2 commits into
base: master
Choose a base branch
from
Draft

Prathmesh/typescript ambient modules #2528

prathmesh-stripe wants to merge 2 commits into from

Conversation

@prathmesh-stripe
Copy link
Contributor

@prathmesh-stripe prathmesh-stripe commented Dec 18, 2025

Why?

What?

See Also

github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 18, 2025
View reviewed changes
cjs/utils.js
'\u2029': '\\u2029',
};
return (str) => {
const cleanString = str.replace(/["\n\r\u2028\u2029]/g, ($0) => rc[$0]);

Check failure

Code scanning / CodeQL

Incomplete string escaping or encoding High

This does not escape backslash characters in the input.

Copilot Autofix

AI 18 days ago

To correctly escape characters for safe string interpolation, we should ensure that all relevant special characters, especially backslashes, are handled. The best way here is to also escape backslashes before other replacements, ensuring that any pre-existing backslashes in the input don't "escape" the subsequently added escape characters or otherwise cause malformed output.

  • Add '\\': '\\\\' to the rc replacement table.
  • Update the regular expression in str.replace to also match backslashes (\\), i.e., ["\\",...otherchars].
  • No change in existing functionality—just an additional safeguard for edge cases.
  • All changes are within the block beginning at line 47 (exports.makeURLInterpolator = ...)
  • No new library imports are required.
Suggested changeset 1
cjs/utils.js

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/cjs/utils.js b/cjs/utils.js
--- a/cjs/utils.js
+++ b/cjs/utils.js
@@ -46,13 +46,14 @@
  */
 exports.makeURLInterpolator = (() => {
     const rc = {
+        '\\': '\\\\',
         '\n': '\\n',
         '"': '\\"',
         '\u2028': '\\u2028',
         '\u2029': '\\u2029',
     };
     return (str) => {
-        const cleanString = str.replace(/["\n\r\u2028\u2029]/g, ($0) => rc[$0]);
+        const cleanString = str.replace(/["\\\n\r\u2028\u2029]/g, ($0) => rc[$0]);
         return (outputs) => {
             return cleanString.replace(/\{([\s\S]+?)\}/g, ($0, $1) => {
                 const output = outputs[$1];
EOF
@@ -46,13 +46,14 @@
*/
exports.makeURLInterpolator = (() => {
const rc = {
'\\': '\\\\',
'\n': '\\n',
'"': '\\"',
'\u2028': '\\u2028',
'\u2029': '\\u2029',
};
return (str) => {
const cleanString = str.replace(/["\n\r\u2028\u2029]/g, ($0) => rc[$0]);
const cleanString = str.replace(/["\\\n\r\u2028\u2029]/g, ($0) => rc[$0]);
return (outputs) => {
return cleanString.replace(/\{([\s\S]+?)\}/g, ($0, $1) => {
const output = outputs[$1];
Copilot is powered by AI and may make mistakes. Always verify output.
esm/utils.js
'\u2029': '\\u2029',
};
return (str) => {
const cleanString = str.replace(/["\n\r\u2028\u2029]/g, ($0) => rc[$0]);

Check failure

Code scanning / CodeQL

Incomplete string escaping or encoding High

This does not escape backslash characters in the input.

Copilot Autofix

AI 18 days ago

The correct fix is to ensure that all backslash (\) characters in the input string are escaped before escaping the other special characters. This is most reliably done by modifying the regular expression used in str.replace to include backslashes and ensuring that backslashes are handled in the replacement callback. This means adding '\\': '\\\\' to the replacement map (rc) and including \\ in the regex: /["\\\n\r\u2028\u2029]/g. This change should be made directly at line 50, adjusting both the regex and the mapping to escape backslashes before any other character, thereby preventing double-escaping.

Only the code in esm/utils.js is affected—specifically, the makeURLInterpolator function.

Suggested changeset 1
esm/utils.js

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/esm/utils.js b/esm/utils.js
--- a/esm/utils.js
+++ b/esm/utils.js
@@ -41,13 +41,14 @@
  */
 export const makeURLInterpolator = (() => {
     const rc = {
+        '\\': '\\\\',
         '\n': '\\n',
         '"': '\\"',
         '\u2028': '\\u2028',
         '\u2029': '\\u2029',
     };
     return (str) => {
-        const cleanString = str.replace(/["\n\r\u2028\u2029]/g, ($0) => rc[$0]);
+        const cleanString = str.replace(/["\\\n\r\u2028\u2029]/g, ($0) => rc[$0]);
         return (outputs) => {
             return cleanString.replace(/\{([\s\S]+?)\}/g, ($0, $1) => {
                 const output = outputs[$1];
EOF
@@ -41,13 +41,14 @@
*/
export const makeURLInterpolator = (() => {
const rc = {
'\\': '\\\\',
'\n': '\\n',
'"': '\\"',
'\u2028': '\\u2028',
'\u2029': '\\u2029',
};
return (str) => {
const cleanString = str.replace(/["\n\r\u2028\u2029]/g, ($0) => rc[$0]);
const cleanString = str.replace(/["\\\n\r\u2028\u2029]/g, ($0) => rc[$0]);
return (outputs) => {
return cleanString.replace(/\{([\s\S]+?)\}/g, ($0, $1) => {
const output = outputs[$1];
Copilot is powered by AI and may make mistakes. Always verify output.
@prathmesh-stripe prathmesh-stripe force-pushed the prathmesh/typescript-ambient-modules branch from bf87616 to cbd5996 Compare December 18, 2025 20:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@prathmesh-stripe