sanitize @-prefixed refs in debugger expression compiler

Author: watson

packages/debugger/src/domain/expression.ts

@@ -142,11 +142,11 @@ export function compile(node: ExpressionNode): string | number | boolean | null
       ? `(typeof ${compile(target)} === '${typeName}')`
       : `Function.prototype[Symbol.hasInstance].call(${assertIdentifier(typeName)}, ${compile(target)})`
   } else if (type === 'ref') {
-    const refValue = value as string
+    const refValue = assertIdentifier(value as string)
     if (refValue.startsWith('@')) {
       return `$dd_${refValue.slice(1)}`
     }
-    return assertIdentifier(refValue)
+    return refValue
   } else if (Array.isArray(value)) {
     const args = value.map((v) => compile(v as ExpressionNode))
     switch (type) {

packages/debugger/test/expressionTestCases.ts

@@ -121,6 +121,26 @@ export const references: TestCase[] = [
     expected: new SyntaxError('Illegal identifier: throw new Error()'),
     execute: false,
   },
+  {
+    ast: { ref: '@x; throw new Error("injected"); //' },
+    expected: new SyntaxError('Illegal identifier: @x; throw new Error("injected"); //'),
+    execute: false,
+  },
+  {
+    ast: { ref: '@x.y' },
+    expected: new SyntaxError('Illegal identifier: @x.y'),
+    execute: false,
+  },
+  {
+    ast: { ref: '@x-y' },
+    expected: new SyntaxError('Illegal identifier: @x-y'),
+    execute: false,
+  },
+  {
+    ast: { ref: '@(1)' },
+    expected: new SyntaxError('Illegal identifier: @(1)'),
+    execute: false,
+  },
 ]
 
 export const propertyAccess: TestCase[] = [