New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow multiple string arguments for exec() #103
Comments
👍 |
+1 |
@nzakas would this syntax work for you? exec(['npm', 'run-script', 'test'].join(' ')); // run "npm run-script test" The concern is that this makes parsing slightly harder, since |
No, that's what I want to avoid. I implemented something similar here: Feel free to use that code if you'd like. |
I'll look into this option. Unfortunately, there's also some people who would like to be able to run multiple commands from one exec('git status', 'git add .', 'git commit -am message'); as an alternative for exec('git status');
exec('git add .');
// etc... |
shelljs pulls directly from the typical unix command set, and in unix exec() with a list of strings means command in the first place and separate argument strings following. The main reason to use exec() like this is so that you don't have to do any kind of shell escaping on the arguments. People get this wrong all the time and it leads to severe security problems like: https://www.owasp.org/index.php/Command_Injection I strongly recommend that exec() with a list of strings be a safe way to build and run commands. |
I don't really care at this point, I have my own wrapper that does what I need. I opened this issue two years ago, so feel free to close it if you don't want to address it. |
There's been some discussion of this in #143 as well. @sedwards2009 What do you mean that # assume an empty directory
$ touch a.txt
$ touch b.txt
$ echo * # the star gets expanded by the shell
a.txt b.txt
$ (exec echo *) # use exec (wrap this in a subshell so that we can see the output)
a.txt b.txt
# * still gets expanded, even though we used exec I agree that the posix system call, exec(3), doesn't do any sort of shell globbing, but that's because it's a syscall, not a shell command. I can't think of any system call that supports glob characters, except |
@nfischer Sorry for being unclear. I was actually specifically thinking of the posix family of exec*() calls. The point being, it is a good idea to offer safe ways to use commands like exec, maybe even make that the default way of working with some commands. For example, you could make commands accept a single string argument which is parsed the way a shell would, and also offer a safer array-of-strings way which doesn't perform globbing or confuse filenames for command switches. (just thinking) |
@sedwards2009 what do you think of my proposal in #143? It would be a safer alternative |
@nfischer I think you're going to need a shellEscape() function anyway, but it is important to make the safe thing as easy as possible (and default if possible). In this case a function which accepts a list of strings as arguments and doesn't interpret the strings (e.g. no globs, escapes etc) and treats them as being plain, is probably the best option. The big problem with requiring people to apply shellEscape() to get safe code is that: 1) the unsafe code appears to work fine, 2) the unsafe looks simpler, 3) people have to remember to use shellEscape(). It is a combo which is just going to go wrong. |
@sedwards2009 I think something like I think the solution for |
@nfischer The goals of shelljs seem to conflict sometimes. You want to provide something which brings the important idioms and conveniences of the unix shell to JS, but you also want something safe, easy to use and predicable. Unix shells often collide with the last few desired features. :-/ I agree that I like the proposal for |
@sedwards2009 Excellent point. This is the default behavior I'm leaning toward right now:
This is for a few reasons:
What are your thoughts? |
We're still working on an implementation in shelljs itself, but I implemented a shelljs extension for node v6+ that addresses some of the security concerns here, while also giving a very convenient syntax: |
Bumping these back to v0.9, but this should be quick to fix once v0.8 is released. |
Merging into #495. |
I've found that I end up doing a lot of messy string concatenation with
exec()
commands. It would be nice to allow multiple string arguments that would be joined together with a space, such as:This could easily be backwards compatible with the current function since only the first argument is currently a string.
The text was updated successfully, but these errors were encountered: