Fully escape JSON strings when using InjectJSONProperties

base/util.go

@@ -1307,10 +1307,11 @@ func InjectJSONProperties(b []byte, kvPairs ...KVPair) (new []byte, err error) {
 			valBytes = []byte(strconv.FormatUint(uint64(v), 10))
 		case uint64:
 			valBytes = []byte(strconv.FormatUint(v, 10))
-		case string:
-			valBytes = []byte(`"` + v + `"`)
 		case bool:
 			valBytes = []byte(strconv.FormatBool(v))
+		case string:
+			// it's not safe to use strings without marshalling
+			valBytes = []byte(ConvertToJSONString(v))
 		default:
 			valBytes, err = JSONMarshal(kv.Val)
 		}

base/util_test.go

@@ -801,10 +801,7 @@ func TestInjectJSONProperties(t *testing.T) {
 			}
 
 			assert.Equal(tt, test.expectedOutput, string(output))
-
-			var m map[string]interface{}
-			err = JSONUnmarshal(output, &m)
-			assert.NoError(tt, err, "produced invalid JSON")
+			assert.NoError(tt, JSONUnmarshal(output, &map[string]interface{}{}), "produced invalid JSON")
 		})
 	}
 }
@@ -904,13 +901,38 @@ func TestInjectJSONPropertiesDiffTypes(t *testing.T) {
 				true,
 			},
 		},
+		{
+			input:  `{"foo": "bar"}`,
+			output: `{"foo": "bar","quoted_string":"\"quoted\""}`,
+			pair: KVPair{
+				"quoted_string",
+				`"quoted"`,
+			},
+		},
+		{
+			input:  `{"foo": "bar"}`,
+			output: `{"foo": "bar","reverse_solidus":"C:\\something\\that\\contains\\backslashes"}`,
+			pair: KVPair{
+				"reverse_solidus",
+				`C:\something\that\contains\backslashes`,
+			},
+		},
+		{
+			input:  `{"foo": "bar"}`,
+			output: `{"foo": "bar","escape":"foo\u0000bar"}`,
+			pair: KVPair{
+				"escape",
+				"foo\x00bar",
+			},
+		},
 	}
 
 	for _, test := range tests {
 		t.Run(test.output, func(t *testing.T) {
 			output, err := InjectJSONProperties([]byte(test.input), test.pair)
 			assert.NoError(t, err)
 			assert.Equal(t, test.output, string(output))
+			assert.NoErrorf(t, JSONUnmarshal(output, &map[string]interface{}{}), "produced invalid JSON")
 		})
 	}
 }