forked from extern/nushell
Sanitize arguments to external commands a bit better (#4157)
* fix #4140 We are passing commands into a shell underneath but we were not escaping arguments correctly. This new version of the code also takes into consideration the ";" and "&" characters, which have special meaning in shells. We would probably benefit from a more robust way to join arguments to shell programs. Python's stdlib has shlex.join, and perhaps we can take that implementation as a reference. * clean up escaping of posix shell args I believe the right place to do escaping of arguments was in the spawn_sh_command function. Note that this change prevents things like: ^echo "$(ls)" from executing the ls command. Instead, this will just print $(ls) The regex has been taken from the python stdlib implementation of shlex.quote * fix non-literal parameters and single quotes * address clippy's comments * fixup! address clippy's comments * test that subshell commands are sanitized properly
This commit is contained in:
Braulio Valdivielso Martínez
committed by
GitHub
GitHub
parent
fb197f562a
commit
1794ad51bd
@ -401,4 +401,48 @@ mod external_command_arguments {
|
||||
},
|
||||
)
|
||||
}
|
||||
|
||||
#[cfg(not(windows))]
|
||||
#[test]
|
||||
fn semicolons_are_sanitized_before_passing_to_subshell() {
|
||||
let actual = nu!(
|
||||
cwd: ".",
|
||||
"^echo \"a;b\""
|
||||
);
|
||||
|
||||
assert_eq!(actual.out, "a;b");
|
||||
}
|
||||
|
||||
#[cfg(not(windows))]
|
||||
#[test]
|
||||
fn ampersands_are_sanitized_before_passing_to_subshell() {
|
||||
let actual = nu!(
|
||||
cwd: ".",
|
||||
"^echo \"a&b\""
|
||||
);
|
||||
|
||||
assert_eq!(actual.out, "a&b");
|
||||
}
|
||||
|
||||
#[cfg(not(windows))]
|
||||
#[test]
|
||||
fn subcommands_are_sanitized_before_passing_to_subshell() {
|
||||
let actual = nu!(
|
||||
cwd: ",",
|
||||
"^echo \"$(ls)\""
|
||||
);
|
||||
|
||||
assert_eq!(actual.out, "$(ls)");
|
||||
}
|
||||
|
||||
#[cfg(not(windows))]
|
||||
#[test]
|
||||
fn shell_arguments_are_sanitized_even_if_coming_from_other_commands() {
|
||||
let actual = nu!(
|
||||
cwd: ",",
|
||||
"^echo (echo \"a;&$(hello)\")"
|
||||
);
|
||||
|
||||
assert_eq!(actual.out, "a;&$(hello)");
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user