openapi: Fix escaping in curl command generation.

Signed-off-by: Anders Kaseorg <anders@zulip.com>

zerver/openapi/curl_param_value_generators.py

@@ -6,7 +6,6 @@
 # fetching of appropriate parameter values to use when running the
 # cURL examples as part of the tools/test-api test suite.
 
-import urllib.parse
 from functools import wraps
 from typing import Any, Callable, Dict, List, Optional, Set, Tuple
 
@@ -79,11 +78,10 @@ def patch_openapi_example_values(
 def fetch_api_key() -> Dict[str, object]:
     email = helpers.example_email("iago")
     password = initial_password(email)
-    assert password is not None
 
     return {
         "username": email,
-        "password": urllib.parse.quote(password),
+        "password": password,
     }
 
 @openapi_param_value_generator(["/messages/{message_id}:get", "/messages/{message_id}/history:get",

zerver/openapi/markdown_extension.py

@@ -8,6 +8,7 @@
 import inspect
 import json
 import re
+import shlex
 from typing import Any, Dict, List, Optional, Pattern, Tuple
 
 import markdown
@@ -213,7 +214,7 @@ cURL example."""
         # We currently don't have any non-JSON encoded arrays.
         assert(jsonify)
         if curl_argument:
-            return f"    --data-urlencode {param_name}='{ordered_ex_val_str}'"
+            return "    --data-urlencode " + shlex.quote(f"{param_name}={ordered_ex_val_str}")
         return ordered_ex_val_str  # nocoverage
     else:
         example_value = param.get("example", DEFAULT_EXAMPLE[param_type])
@@ -222,7 +223,7 @@ cURL example."""
         if jsonify:
             example_value = json.dumps(example_value)
         if curl_argument:
-            return f"    -d '{param_name}={example_value}'"
+            return "    --data-urlencode " + shlex.quote(f"{param_name}={example_value}")
         return example_value
 
 def generate_curl_example(endpoint: str, method: str,
@@ -258,7 +259,7 @@ def generate_curl_example(endpoint: str, method: str,
 
     curl_first_line_parts = ["curl", *curl_method_arguments(example_endpoint, method,
                                                             api_url)]
-    lines.append(" ".join(curl_first_line_parts))
+    lines.append(" ".join(map(shlex.quote, curl_first_line_parts)))
 
     insecure_operations = ['/dev_fetch_api_key:post', '/fetch_api_key:post']
     if operation_security is None:
@@ -277,7 +278,7 @@ def generate_curl_example(endpoint: str, method: str,
         raise AssertionError("Unhandled securityScheme. Please update the code to handle this scheme.")
 
     if authentication_required:
-        lines.append(f"    -u {auth_email}:{auth_api_key}")
+        lines.append("    -u " + shlex.quote(f"{auth_email}:{auth_api_key}"))
 
     for param in operation_params:
         if param["in"] == "path":
@@ -297,7 +298,7 @@ def generate_curl_example(endpoint: str, method: str,
     if "requestBody" in operation_entry:
         properties = operation_entry["requestBody"]["content"]["multipart/form-data"]["schema"]["properties"]
         for key, property in properties.items():
-            lines.append('    -F "{}=@{}"'.format(key, property["example"]))
+            lines.append('    -F ' + shlex.quote('{}=@{}'.format(key, property["example"])))
 
     for i in range(1, len(lines)-1):
         lines[i] = lines[i] + " \\"

zerver/tests/test_openapi.py

@@ -855,7 +855,7 @@ class TestCurlExampleGeneration(ZulipTestCase):
             "```curl",
             "curl -sSX GET -G http://localhost:9991/api/v1/get_stream_id \\",
             "    -u BOT_EMAIL_ADDRESS:BOT_API_KEY \\",
-            "    -d 'stream=Denmark'",
+            "    --data-urlencode stream=Denmark",
             "```",
         ]
         self.assertEqual(generated_curl_example, expected_curl_example)
@@ -871,7 +871,7 @@ class TestCurlExampleGeneration(ZulipTestCase):
         expected_curl_example = [
             "```curl",
             "curl -sSX POST http://localhost:9991/api/v1/dev_fetch_api_key \\",
-            "    -d 'username=iago@zulip.com'",
+            "    --data-urlencode username=iago@zulip.com",
             "```",
         ]
         self.assertEqual(generated_curl_example, expected_curl_example)
@@ -884,8 +884,8 @@ class TestCurlExampleGeneration(ZulipTestCase):
             "```curl",
             "curl -sSX POST http://localhost:9991/api/v1/mark_stream_as_read \\",
             "    -u BOT_EMAIL_ADDRESS:BOT_API_KEY \\",
-            "    -d 'stream_id=1' \\",
-            "    -d 'bool_param=false'",
+            "    --data-urlencode stream_id=1 \\",
+            "    --data-urlencode bool_param=false",
             "```",
         ]
         self.assertEqual(generated_curl_example, expected_curl_example)
@@ -902,13 +902,13 @@ class TestCurlExampleGeneration(ZulipTestCase):
             '```curl',
             'curl -sSX GET -G http://localhost:9991/api/v1/messages \\',
             '    -u BOT_EMAIL_ADDRESS:BOT_API_KEY \\',
-            "    -d 'anchor=42' \\",
-            "    -d 'num_before=4' \\",
-            "    -d 'num_after=8' \\",
-            '    --data-urlencode narrow=\'[{"operand": "Denmark", "operator": "stream"}]\' \\',
-            "    -d 'client_gravatar=true' \\",
-            "    -d 'apply_markdown=false' \\",
-            "    -d 'use_first_unread_anchor=true'",
+            "    --data-urlencode anchor=42 \\",
+            "    --data-urlencode num_before=4 \\",
+            "    --data-urlencode num_after=8 \\",
+            '    --data-urlencode \'narrow=[{"operand": "Denmark", "operator": "stream"}]\' \\',
+            "    --data-urlencode client_gravatar=true \\",
+            "    --data-urlencode apply_markdown=false \\",
+            "    --data-urlencode use_first_unread_anchor=true",
             '```',
         ]
         self.assertEqual(generated_curl_example, expected_curl_example)
@@ -921,7 +921,7 @@ class TestCurlExampleGeneration(ZulipTestCase):
             '```curl',
             'curl -sSX GET -G http://localhost:9991/api/v1/endpoint \\',
             '    -u BOT_EMAIL_ADDRESS:BOT_API_KEY \\',
-            '    --data-urlencode param1=\'{"key": "value"}\'',
+            '    --data-urlencode \'param1={"key": "value"}\'',
             '```',
         ]
         self.assertEqual(generated_curl_example, expected_curl_example)
@@ -946,7 +946,7 @@ class TestCurlExampleGeneration(ZulipTestCase):
             '```curl',
             'curl -sSX GET -G http://localhost:9991/api/v1/endpoint/35 \\',
             '    -u BOT_EMAIL_ADDRESS:BOT_API_KEY \\',
-            '    --data-urlencode param2=\'{"key": "value"}\'',
+            '    --data-urlencode \'param2={"key": "value"}\'',
             '```',
         ]
         self.assertEqual(generated_curl_example, expected_curl_example)
@@ -958,7 +958,7 @@ class TestCurlExampleGeneration(ZulipTestCase):
             "```curl",
             "curl -sSX GET -G https://zulip.example.com/api/v1/get_stream_id \\",
             "    -u email:key \\",
-            "    -d 'stream=Denmark'",
+            "    --data-urlencode stream=Denmark",
             "```",
         ]
         self.assertEqual(generated_curl_example, expected_curl_example)
@@ -970,11 +970,11 @@ class TestCurlExampleGeneration(ZulipTestCase):
             '```curl',
             'curl -sSX GET -G http://localhost:9991/api/v1/messages \\',
             '    -u BOT_EMAIL_ADDRESS:BOT_API_KEY \\',
-            "    -d 'anchor=42' \\",
-            "    -d 'num_before=4' \\",
-            "    -d 'num_after=8' \\",
-            '    --data-urlencode narrow=\'[{"operand": "Denmark", "operator": "stream"}]\' \\',
-            "    -d 'use_first_unread_anchor=true'",
+            "    --data-urlencode anchor=42 \\",
+            "    --data-urlencode num_before=4 \\",
+            "    --data-urlencode num_after=8 \\",
+            '    --data-urlencode \'narrow=[{"operand": "Denmark", "operator": "stream"}]\' \\',
+            "    --data-urlencode use_first_unread_anchor=true",
             '```',
         ]
         self.assertEqual(generated_curl_example, expected_curl_example)