Commit0df7ec5

committed

fix: Escape shell arguments

The commands passed to "coder sh" are passed as a single argumentto "sh -c", so we need to shell-escape the command we pass.This change escapes spaces, backslash, and quotes.

1 parent51fd2d3 commit0df7ec5Copy full SHA for 0df7ec5

File tree

2 files changed

+74

-1

lines changed

internal/cmd
- shell.go
- shell_test.go

2 files changed

+74

-1

lines changed

`‎internal/cmd/shell.go`

Lines changed: 33 additions & 1 deletion

Original file line number	Diff line number	Diff line change
@@ -81,14 +81,46 @@ coder sh front-end-dev cat ~/config.json`,
`81`	`81`	`}`
`82`	`82`	`}`
`83`	`83`
	`84`	`+// shellEscape escapes an argument so that we can pass it 'sh -c'`
	`85`	`+// and have it do the right thing.`
	`86`	`+//`
	`87`	`+// Use this to ensure that the result of a command running in`
	`88`	`+// the development environment behaves the same as the command`
	`89`	`+// running via "coder sh".`
	`90`	`+//`
	`91`	`+// For example:`
	`92`	`+//`
	`93`	`+// $ coder sh env`
	`94`	`+// $ go run ~/test.go 1 2 "3 4" '"abc def" \\abc' 5 6 "7 8 9"`
	`95`	`+//`
	`96`	`+// should produce the same output as:`
	`97`	`+//`
	`98`	`+// $ coder sh go run ~/test.go 1 2 "3 4" '"abc def" \\abc' 5 6 "7 8 9"`
	`99`	`+funcshellEscape(argstring)string {`
	`100`	+r:=strings.NewReplacer(`\`,`\\`,`"`,`\"`,`'`,`\'`,` `,`\ `)
	`101`	`+returnr.Replace(arg)`
	`102`	`+}`
	`103`	`+`
`84`	`104`	`funcshell(cmd*cobra.Command,cmdArgs []string)error {`
`85`	`105`	`ctx:=cmd.Context()`
	`106`	`+`
`86`	`107`	`varcommandstring`
`87`	`108`	`varargs []string`
`88`	`109`	`iflen(cmdArgs)>1 {`
	`110`	`+varescapedArgs strings.Builder`
	`111`	`+`
	`112`	`+fori,arg:=rangecmdArgs[1:] {`
	`113`	`+escapedArgs.WriteString(shellEscape(arg))`
	`114`	`+`
	`115`	`+// Add spaces between arguments, except the last argument`
	`116`	`+ifi<len(cmdArgs)-2 {`
	`117`	`+escapedArgs.WriteByte(' ')`
	`118`	`+}`
	`119`	`+}`
	`120`	`+`
`89`	`121`	`command="/bin/sh"`
`90`	`122`	`args= []string{"-c"}`
`91`		`-args=append(args,strings.Join(cmdArgs[1:]," "))`
	`123`	`+args=append(args,escapedArgs.String())`
`92`	`124`	`}else {`
`93`	`125`	`// Bring user into shell if no command is specified.`
`94`	`126`	`shell:="$(getent passwd $(id -u) \| cut -d: -f 7)"`

`‎internal/cmd/shell_test.go`

Lines changed: 41 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,41 @@`
	`1`	`+package cmd`
	`2`	`+`
	`3`	`+import"testing"`
	`4`	`+`
	`5`	`+funcTestShellEscape(t*testing.T) {`
	`6`	`+t.Parallel()`
	`7`	`+`
	`8`	`+tests:= []struct {`
	`9`	`+Namestring`
	`10`	`+Inputstring`
	`11`	`+Escapedstring`
	`12`	`+}{`
	`13`	`+{`
	`14`	`+Name:"single space",`
	`15`	`+Input:"hello world",`
	`16`	+Escaped:`hello\ world`,
	`17`	`+},`
	`18`	`+{`
	`19`	`+Name:"multiple spaces",`
	`20`	`+Input:"test message hello world",`
	`21`	+Escaped:`test\ message\ hello\ \ world`,
	`22`	`+},`
	`23`	`+{`
	`24`	`+Name:"mixed quotes",`
	`25`	+Input:`"''"`,
	`26`	+Escaped:`\"\'\'\"`,
	`27`	`+},`
	`28`	`+{`
	`29`	`+Name:"mixed escaped quotes",`
	`30`	+Input:`"'\"\"'"`,
	`31`	+Escaped:`\"\'\\\"\\\"\'\"`,
	`32`	`+},`
	`33`	`+}`
	`34`	`+`
	`35`	`+for_,test:=rangetests {`
	`36`	`+ife,a:=test.Escaped,shellEscape(test.Input);e!=a {`
	`37`	`+t.Fatalf("test %q failed; expected: %q, got %q (input: %q)",`
	`38`	`+test.Name,test.Escaped,a,test.Input)`
	`39`	`+}`
	`40`	`+}`
	`41`	`+}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit0df7ec5

File tree

2 files changed

2 files changed

`‎internal/cmd/shell.go`

`‎internal/cmd/shell_test.go`

0 commit comments