1

Gone around the houses on this one tonight. All I want to do is pull out the csrf-token in the following script; however, it returns nil:

local html = '<meta content="authenticity_token" name="csrf-param" /><meta content="ndcZ+Vp8MuM/hF6LizdrvJqgcRh22zF8w/DnIX0DvR0=" name="csrf-token" />'

local csrf_token = string.match(html, 'content="(.*)" name="csrf-token"')

If I modify the script and take off the "-token" part it matches something, but not the right thing of course.

I know it is the hyphen because if I modify the string to be "csrftoken", the match it finds works as expected.

I attempted to escape the - like so \- but that threw an error...

elp...

johnwards

2 Answers

2

There are two problems:

  1. The - does need to be escaped, but Lua uses % instead of \.

  2. Further, the reason why you get something odd is due to the fact the . can match anything, including across tags (or attributes) and tries to take as much as possible (since the engine will return the left-most possible match, ungreedy quantifiers wouldn't help either). What you should do is restrict the allowed characters, so that the captured thing cannot go outside of the attribute quotes - like [^"] (any character except quotes):

Taking all of that together:

local csrf_token = string.match(html, 'content="([^"]*)" name="csrf%-token"')

In any case, you shouldn't actually be matching HTML with regular expressions.

Martin Ender
  • Ah ha! It was the % escaping I was needing! I now have another problem, which is that I'm using regex for matching HTML but as this is a throw away loadimpact test, I can cope with that. – johnwards Jun 11 '13 at 21:12
  • @johnwards yeah, probably... I also don't know about an established DOM parser in Lua... – Martin Ender Jun 11 '13 at 21:13
  • @m.buettner you probably wanted to put in a different link at the end – dualed Jun 13 '13 at 00:43
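
The behaviour described in the answer above, checked against the question's HTML, as an added example that is not part of the original answer. The helper names `escape_literal` and `meta_content` are hypothetical, and the reversed-order tag is a constructed sample; the second helper goes one step beyond the answer by reading attributes per tag so that attribute order does not matter.

```lua
-- Added example. Helper names are hypothetical; the HTML is the question's own.
local html = '<meta content="authenticity_token" name="csrf-param" />'
  .. '<meta content="ndcZ+Vp8MuM/hF6LizdrvJqgcRh22zF8w/DnIX0DvR0=" name="csrf-token" />'
local expected = "ndcZ+Vp8MuM/hF6LizdrvJqgcRh22zF8w/DnIX0DvR0="

-- Unescaped "-" is a lazy quantifier on "f", so the literal hyphen never matches.
assert(html:match('content="(.*)" name="csrf-token"') == nil)

-- Escaped hyphen but greedy ".*": the capture starts in the first tag and
-- runs across the tag boundary into the second one.
local greedy = html:match('content="(.*)" name="csrf%-token"')
assert(greedy ~= expected and greedy:find("csrf-param", 1, true))

-- The answer's pattern: [^"]* cannot leave the attribute's quotes.
assert(html:match('content="([^"]*)" name="csrf%-token"') == expected)

-- Escape every punctuation character so arbitrary text is matched literally.
local function escape_literal(s)
  return (s:gsub("%p", "%%%0"))
end

-- Read attributes tag by tag so attribute order does not matter.
-- Still pattern matching, not an HTML parser: assumes double-quoted values
-- and no ">" inside an attribute value.
local function meta_content(doc, name)
  for tag in doc:gmatch("<meta%s[^>]*>") do
    local attrs = {}
    for key, value in tag:gmatch('([%w%-]+)%s*=%s*"([^"]*)"') do
      attrs[key:lower()] = value
    end
    if attrs.name == name then return attrs.content end
  end
  return nil
end

local built = 'content="([^"]*)" name="' .. escape_literal("csrf-token") .. '"'
assert(built == 'content="([^"]*)" name="csrf%-token"')
assert(html:match(built) == expected)
assert(meta_content(html, "csrf-token") == expected)

-- Constructed sample with the attributes in the opposite order.
local reversed = '<meta name="csrf-token" content="constructed-value" />'
assert(reversed:match(built) == nil)
assert(meta_content(reversed, "csrf-token") == "constructed-value")
print("all checks passed")
```
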
0
name="csrf-token'"

You have an extra apostrophe at the end of this line.

I would also escape " = and the hyphen, though this may not be necessary for all these characters.

Andy G