escapeAssertion does not respect string literals

[kevinresol]

Currently escapeAssertion does a rather brutal regex replace operation to convert r.*/p.* into r_*/p_* respectively. However it does not consider the case where the expression could contain a string literal. So if you have a rule that have some sort of string literal like p.obj == "r.something" it will fail in a very subtle manner.

const { newEnforcer, newModel } = require("casbin");

const MY_RESOURCE_NAME = "r.my_resource"; // change this to e.g. "a.my_resource" and it will work

(async function () {
  const model = newModel();
  model.addDef("r", "r", "act, obj");
  model.addDef("p", "p", "act, obj, rule");
  model.addDef("e", "e", "some(where (p.eft == allow))");
  model.addDef("m", "m", "r.act == p.act && r.obj == p.obj && eval(p.rule)");

  const enforcer = await newEnforcer(model);
  enforcer.addPolicy(
    "alice",
    MY_RESOURCE_NAME,
    `p.obj == "${MY_RESOURCE_NAME}"`
  );

  // does not work because internally it becomes `p_obj == "r_my_resource"`
  console.log(await enforcer.enforce("alice", MY_RESOURCE_NAME));
})();

[casbin-bot]

@nodece @Shivansh-yadav13

[hsluoyz]

@kevinresol can you see that if Go Casbin has already fixed this?

[kevinresol]

Not a golang speaker but apparently the implementation is identical there: https://github.com/casbin/casbin/blob/64efe3d122bfe68c9cf68e1bd174173a61f11743/util/util.go#L39