Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Escaping shell arguments to exec()
See original GitHub issueFirst of all, I just want to say thanks for writing shelljs. It cleans up my code a lot.
I need to invoke commands with shell.exec(), however, those commands will include some input from external sources, to be passed as arguments to system executables. Is there a “safe” way to do this? I was hoping for the classic array syntax, like:
shell.exec(["ls", "-l", "/some/path"])
Though this doesn’t seem to be implemented. It doesn’t appear nodejs itself even has a shell escape function neither. Any plans on this front?
Issue Analytics
- State:
- Created 9 years ago
- Reactions:17
- Comments:27 (13 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Please. Providing only a string argument here is a recipe for disaster, honestly. As pointed out, it’s basically impossible to “properly” quote any arguments given. As is,
execis vulnerable to file names containing spaces, special characters, semicolons, the works. Cf http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/handle-metacharacters.html and the “motivation” section of (for example) https://www.python.org/dev/peps/pep-0324/. A security-conscious API should strongly encourage providing arguments as an array by default.Are there any updates on this? This has been open for 3 years now.
Ref: https://snyk.io/vuln/npm:shelljs:20140723