codegen: escape string default values to prevent code injection (#8964)

String default values parsed from .fbs schemas are un-escaped by the IDL parser (e.g., \x22 becomes a raw " byte), but code generators embed these raw values directly into generated source code string literals. This allows specially crafted .fbs files to break out of string literals and inject arbitrary code into generated C++, Rust, TypeScript, and Swift source. Fix by adding EscapeCodeGenString() helper that re-escapes string content before embedding, and applying it to all 7 affected injection points across 5 code generators (C++, Rust, TypeScript, Swift, FBS). Resolves the TODO comments in idl_gen_cpp.cpp and idl_gen_rust.cpp.
2026-06-13 00:04:29 +00:00 · 2026-03-19 10:01:23 +08:00
parent 2e07f269b9
commit 8afb68f074
5 changed files with 54 additions and 18 deletions
--- a/src/idl_gen_swift.cpp
+++ b/src/idl_gen_swift.cpp
@@ -859,7 +859,10 @@ class SwiftGenerator : public BaseGenerator {
        break;

      case BASE_TYPE_STRING: {
-        const auto default_string = "\"" + SwiftConstant(field) + "\"";
+        const auto sc = SwiftConstant(field);
+        std::string default_string;
+        flatbuffers::EscapeString(sc.c_str(), sc.length(), &default_string,
+                                  true, false);
        code_.SetValue("VALUETYPE", GenType(field.value.type));
        code_.SetValue("CONSTANT", field.IsDefault() ? default_string : "nil");
        code_ += GenReaderMainBody(is_required) + GenOffset() +
@@ -1649,15 +1652,23 @@ class SwiftGenerator : public BaseGenerator {
        buffer_constructor.push_back(field_var + " = _t." + field_field);

        if (field.IsRequired()) {
-          std::string default_value =
-              field.IsDefault() ? SwiftConstant(field) : "";
-          base_constructor.push_back(field_var + " = \"" + default_value +
-                                     "\"");
+          std::string default_value;
+          if (field.IsDefault()) {
+            const auto sc = SwiftConstant(field);
+            flatbuffers::EscapeString(sc.c_str(), sc.length(), &default_value,
+                                      true, false);
+          } else {
+            default_value = "\"\"";
+          }
+          base_constructor.push_back(field_var + " = " + default_value);
          break;
        }
        if (field.IsDefault() && !field.IsRequired()) {
-          std::string value = field.IsDefault() ? SwiftConstant(field) : "nil";
-          base_constructor.push_back(field_var + " = \"" + value + "\"");
+          const auto sc = SwiftConstant(field);
+          std::string value;
+          flatbuffers::EscapeString(sc.c_str(), sc.length(), &value,
+                                    true, false);
+          base_constructor.push_back(field_var + " = " + value);
        }
        break;
      }