google · mohammadmseet-hue · Mar 25, 2026
@@ -708,6 +708,27 @@ inline bool EscapeString(const char* s, size_t length, std::string* _text,
   return true;
 }
 
+// Sanitize a string for safe embedding in generated source code string
+// literals. Escapes backslashes, quotes, and newlines to prevent code
+// injection via crafted .fbs schema fields (file_extension, native_include,
+// native_type).
+inline std::string SanitizeStringForCodeGen(const std::string& s) {
+  std::string result;
+  result.reserve(s.size());
+  for (char c : s) {
+    switch (c) {
+      case '\\': result += "\\\\"; break;
+      case '"':  result += "\\\""; break;
+      case '\n': result += "\\n"; break;
+      case '\r': result += "\\r"; break;
+      case '\t': result += "\\t"; break;
+      case '\0': result += "\\0"; break;
+      default:   result += c; break;
+    }
+  }
+  return result;
+}
+
 inline std::string BufferToHexText(const void* buffer, size_t buffer_size,
                                    size_t max_length,
                                    const std::string& wrapped_line_prefix,

@@ -263,7 +263,7 @@ class CppGenerator : public BaseGenerator {
     if (opts_.generate_object_based_api) {
       for (const std::string& native_included_file :
            parser_.native_included_files_) {
-        code_ += "#include \"" + native_included_file + "\"";
+        code_ += "#include \"" + flatbuffers::SanitizeStringForCodeGen(native_included_file) + "\"";
       }
     }
 
@@ -702,7 +702,7 @@ class CppGenerator : public BaseGenerator {
       if (parser_.file_extension_.length()) {
         // Return the extension
         code_ += "inline const char *{{STRUCT_NAME}}Extension() {";
-        code_ += "  return \"" + parser_.file_extension_ + "\";";
+        code_ += "  return \"" + flatbuffers::SanitizeStringForCodeGen(parser_.file_extension_) + "\";";
         code_ += "}";
         code_ += "";
       }

@@ -798,7 +798,7 @@ class PhpGenerator : public BaseGenerator {
         code += Indent + "public static function " + struct_def.name;
         code += "Extension()\n";
         code += Indent + "{\n";
-        code += Indent + Indent + "return \"" + parser_.file_extension_;
+        code += Indent + Indent + "return \"" + flatbuffers::SanitizeStringForCodeGen(parser_.file_extension_);
         code += "\";\n";
         code += Indent + "}\n\n";
       }

@@ -2657,7 +2657,7 @@ class RustGenerator : public BaseGenerator {
     if (parser_.file_extension_.length()) {
       // Return the extension
       code_ += "pub const {{STRUCT_CONST}}_EXTENSION: &str = \\";
-      code_ += "\"" + parser_.file_extension_ + "\";";
+      code_ += "\"" + flatbuffers::SanitizeStringForCodeGen(parser_.file_extension_) + "\";";
       code_ += "";
     }