Add a way to prevent shell-expansion on commands (this issue is not for exec) #345
Comments
Escaping is simply the wrong way to approach this. Ever since C's Node.js's Therefore, I would much prefer if, instead of providing an escape function, shelljs can support using an array of arguments that will be passed to
@TimothyGu this issue isn't about exec. This is specifically about all the other options. #103 and #143 are more pointed at exec specifically. Also, "shellEscape" is just a name. I don't intend on modifying strings when I fix this. One thought is to return an object containing that string value. Then instead of globbing in `common.wrap()`, we would just convert to the regular string and not glob, so special characters don't have special meanings. Or the `glob: false` option I suggested would be another good (perhaps better) choice. If you have input on either of those ideas, that'd be great 👍 I agree that `exec()` needs a better solution, and I'm leaning toward something like `execFile()` under the hood
@nfischer: I've got an idea for an API exec-wise: What if we did this (using ES6 string tags):

```js
$`mycommand --opt ${unsafeVar}`
```

That gets transpiled to:

```js
$('mycommand --opt ', unsafeVar);
```

Which is a totally acceptable syntax for <ES6.
Closing this, since
Once #343 is resolved, we could run into code that has unintended results. For example:

If we allow `shellEscape()` to be a function, then we could replace the questionable line with `rm(shellEscape(file))`, which is guaranteed to not glob.

An alternative would be to insist on the syntax `set('-f'); rm(file); set('+f')` (very verbose, but if #344 is resolved, should be safe).

Another alternative would be `rm(file, {glob: false})`. This is a nice syntax, but complicates parsing. The advantage of this would be that we could extend it to support more than just `glob`, like `silent: true` (to emulate `echo foo >/dev/null`), instead of the very verbose `config.silent = true; ls(); config.silent = false`, for getting a single command to be silent.