Skip to content

fix: escape shell arg single quotes#106

Merged
killagu merged 3 commits into
masterfrom
codex/fix-escape-shell-arg-master
Jul 15, 2026
Merged

fix: escape shell arg single quotes#106
killagu merged 3 commits into
masterfrom
codex/fix-escape-shell-arg-master

Conversation

@killagu

@killagu killagu commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Summary

Fix escapeShellArg so embedded single quotes use the POSIX-safe '\'' quoting pattern instead of \', which does not escape single quotes inside POSIX shell single-quoted strings.

Why

The previous output could terminate the quoted argument and allow a following shell metacharacter sequence to execute when callers used the documented child_process.exec() string-concatenation pattern.

Changes

  • Replace the single quote escaping logic with the POSIX standard '\'' sequence.
  • Add a POSIX shell regression test that verifies a payload containing '; echo ...; # remains one argument.
  • Update the helper docs to clarify that this is POSIX shell single-argument escaping and recommend execFile() / spawn() argument arrays where possible.

Validation

  • npm run lint -- --fix via npm test -- --grep escapeShellArg
  • git diff --check
  • Direct helper regression with node --loader ts-node/esm: payload '; echo EGG_SECURITY_INJECTED; # is printed as one argument and does not execute the injected echo.

Note: npm test -- --grep escapeShellArg could not complete on this checkout because an existing unrelated type error blocks test startup: src/lib/utils.ts(197,47): Type 'URL' is not assignable to type 'string'.

Summary by CodeRabbit

  • Documentation

    • Clarified POSIX shell usage and limitations for shell argument escaping.
    • Recommended safer process-spawning APIs when possible.
  • Bug Fixes

    • Improved handling of embedded single quotes and shell metacharacters in escaped arguments.
    • Refined URL utility return type information for more accurate usage.
  • Tests

    • Added coverage validating shell argument escaping with special characters.

@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7d9f7e51-d57a-46c4-91c7-bf44e7eba433

📥 Commits

Reviewing files that changed from the base of the PR and between b7693f1 and 21c4b58.

📒 Files selected for processing (7)
  • README.md
  • README.zh-CN.md
  • package.json
  • src/lib/helper/escapeShellArg.ts
  • src/lib/utils.ts
  • test/app/extends/escapeShellArg.test.ts
  • test/fixtures/apps/helper-escapeShellArg-app/app/router.js

📝 Walkthrough

Walkthrough

Updates POSIX shell argument escaping and its documentation, adds execution-based tests, refines getFromUrl TypeScript overloads, and pins fflate and urllib through package overrides.

Changes

POSIX shell escaping

Layer / File(s) Summary
Shell quoting implementation and validation
src/lib/helper/escapeShellArg.ts, test/app/extends/escapeShellArg.test.ts, test/fixtures/apps/helper-escapeShellArg-app/app/router.js
Single quotes are escaped with a POSIX-safe quoting sequence, with POSIX shell execution coverage and updated fixture expectations.
Shell helper documentation
README.md, README.zh-CN.md
Documentation specifies POSIX single-argument scope, excludes Windows shells, and recommends execFile() or spawn() with argument arrays.

URL helper typings

Layer / File(s) Summary
getFromUrl overload contract
src/lib/utils.ts
Overloads distinguish `URL

Dependency version overrides

Layer / File(s) Summary
Transitive dependency pins
package.json
Adds overrides for fflate 0.8.2 and urllib 4.4.0.

Estimated code review effort: 2 (Simple) | ~10 minutes

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/fix-escape-shell-arg-master

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint install failed: private package registry requires authentication. Disable ESLint in CodeRabbit settings or use public packages.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the escapeShellArg helper to correctly escape single quotes for POSIX shells by closing the single quote, appending an escaped single quote, and reopening the single quote, rather than incorrectly escaping backslashes and single quotes inside single quotes. It also updates the English and Chinese documentation to clarify that this helper is designed for POSIX shells and recommends using child_process.execFile or child_process.spawn when possible. Additionally, the test suite has been updated with a new POSIX-specific test to verify the escaping behavior. I have no feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

@pkg-pr-new

pkg-pr-new Bot commented Jul 15, 2026

Copy link
Copy Markdown

Open in StackBlitz

npm i https://pkg.pr.new/@eggjs/security@106

commit: 21c4b58

@codecov

codecov Bot commented Jul 15, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 95.77%. Comparing base (2d1a44b) to head (21c4b58).
⚠️ Report is 2 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #106   +/-   ##
=======================================
  Coverage   95.77%   95.77%           
=======================================
  Files          32       32           
  Lines        1798     1800    +2     
  Branches      308      308           
=======================================
+ Hits         1722     1724    +2     
  Misses         76       76           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@killagu killagu marked this pull request as ready for review July 15, 2026 14:44
Copilot AI review requested due to automatic review settings July 15, 2026 14:44
@killagu killagu merged commit 5b22e0e into master Jul 15, 2026
17 of 18 checks passed
@killagu killagu deleted the codex/fix-escape-shell-arg-master branch July 15, 2026 14:44

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR tightens POSIX shell-argument escaping by fixing escapeShellArg to use the POSIX-safe '\'' pattern for embedded single quotes, and adds regression coverage/documentation to reduce shell-injection risk when callers concatenate commands for child_process.exec().

Changes:

  • Fix escapeShellArg to escape embedded ' using the POSIX-safe '\'' sequence.
  • Add a POSIX-only regression test that ensures an injection-shaped payload remains a single argument.
  • Clarify documentation to scope the helper to POSIX shells and recommend execFile()/spawn() argument arrays.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
test/fixtures/apps/helper-escapeShellArg-app/app/router.js Updates fixture expectation to match POSIX-safe single-quote escaping output.
test/app/extends/escapeShellArg.test.ts Adds a POSIX-only exec-based regression test for embedded single quotes/injection-shaped payloads.
src/lib/utils.ts Updates getFromUrl overloads/typing (note: see API contract comment).
src/lib/helper/escapeShellArg.ts Implements the POSIX-safe single-quote escaping pattern.
README.zh-CN.md Clarifies POSIX-only scope and recommends safer process APIs.
README.md Clarifies POSIX-only scope and recommends safer process APIs.
package.json Adds npm overrides (needs rationale alignment with PR description).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/lib/utils.ts
Comment on lines +195 to 199
export function getFromUrl(url: string, prop: string): string | null;
export function getFromUrl(url: string, prop?: string): URL | string | null {
try {
const parsed = new URL(url);
return prop ? Reflect.get(parsed, prop) : parsed;
Comment thread package.json
Comment on lines +78 to +81
"overrides": {
"fflate": "0.8.2",
"urllib": "4.4.0"
},
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants