Lab shell-injection: Move answers to JavaScript

Signed-off-by: David A. Wheeler <[email protected]>
ossf · Jan 29, 2025 · dfb4e06 · dfb4e06
1 parent 0cb2e8e
commit dfb4e06
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 34 deletions.
diff --git a/docs/labs/shell-injection.html b/docs/labs/shell-injection.html
@@ -12,39 +12,6 @@
 
 <!-- See create_labs.md for how to create your own lab! -->
 
-<!-- Sample expected answer -->
-<script id="expected0" type="plain/text">
-  clean_dir = re.sub(r'[^a-zA-Z0-9]', '', dir_to_list)
-</script>
-<!--
--->
-<script id="expected1" type="plain/text">
-  subprocess.run(["ls", "-l", clean_dir])
-</script>
-
-<!-- Full pattern of correct answer.
-  In Python, newline and carriage return are whitespace but are *meaningful*
-  outside of (...). So we match specifically on space (\x20) instead.
-  This makes our patterns harder to read, unfortunately.
-  It's conventional to use raw strings in Python for regexes, so we allow
-  and encourage them, but we'll accept *not* using raw strings since they
-  don't add value in this situation.
--->
-<script id="correct0" type="plain/text">
-[\n\r]*\x20\x20clean_dir\x20*=\x20*re\x20*\.\x20*sub\x20*\(
-     r?('\[\^a-zA-Z0-9\]'|"\[\^a-zA-Z0-9\]") ,
-     r?(''|"") , dir_to_list \)
-\s*
-</script>
-
-<script id="correct1" type="plain/text">
-[\n\r]*\x20\x20subprocess\x20*\.\x20*run\x20*\(
-    \[ ('ls'|"ls") , ('-l'|"-l") , clean_dir \]
-    ( , shell = False )?
-    \)
-\s*
-</script>
-
 </head>
 <body>
 <!-- For GitHub Pages formatting: -->

diff --git a/docs/labs/shell-injection.js b/docs/labs/shell-injection.js
@@ -241,5 +241,24 @@ info =
       "   clean_dir = re . sub( r'[^a-zA-Z0-9]' , '' , dir_to_list )",
       "   subprocess . run ( [ \"ls\" , \"-l\" , clean_dir ] )"
     ]
-  ]
+  ],
+  expected: [
+    String.raw`  clean_dir = re.sub(r'[^a-zA-Z0-9]', '', dir_to_list)`,
+    String.raw`  subprocess.run(["ls", "-l", clean_dir])`
+  ],
+  // In Python, newline and carriage return are whitespace but are *meaningful*
+  // outside of (...). So we match specifically on space (\x20) instead.
+  // This makes our patterns harder to read, unfortunately.
+  // It's conventional to use raw strings in Python for regexes, so we allow
+  // and encourage them, but we'll accept *not* using raw strings since they
+  // don't add value in this situation.
+  correct: [
+    String.raw`[\n\r]*\x20\x20clean_dir\x20*=\x20*re\x20*\.\x20*sub\x20*\(
+      r?('\[\^a-zA-Z0-9\]'|"\[\^a-zA-Z0-9\]") ,
+      r?(''|"") , dir_to_list \) \s*`,
+    String.raw`[\n\r]*\x20\x20subprocess\x20*\.\x20*run\x20*\(
+      \[ ('ls'|"ls") , ('-l'|"-l") , clean_dir \]
+      ( , shell = False )? \) \s*`
+  ],
+  debug: true,
 }