fix(security): escape shell arg single quotes#6037
Conversation
There was a problem hiding this comment.
Code Review
This pull request updates the escapeShellArg helper to correctly escape single quotes for POSIX shells by replacing ' with '\'' instead of backslash escaping, which is not standard inside single-quoted strings in POSIX. It also updates the English and Chinese documentation to clarify that this helper is intended for POSIX shells and recommends using child_process.execFile or child_process.spawn where possible. Additionally, a new POSIX-specific test case has been added to verify the escaping behavior, and existing tests have been updated accordingly. There are no review comments, so I have no feedback to provide.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## next #6037 +/- ##
=======================================
Coverage 82.43% 82.43%
=======================================
Files 686 686
Lines 21335 21335
Branches 4260 4260
=======================================
+ Hits 17587 17588 +1
+ Misses 3241 3240 -1
Partials 507 507 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
b68517f to
6ef8736
Compare
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (5)
📝 WalkthroughWalkthrough
ChangesPOSIX shell argument escaping
Estimated code review effort: 2 (Simple) | ~10 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Warning There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure. 🔧 ESLint
ESLint install failed: private package registry requires authentication. Disable ESLint in CodeRabbit settings or use public packages. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Pull request overview
This PR fixes @eggjs/security’s escapeShellArg helper to correctly escape embedded single quotes for POSIX shells using the standard '\'' pattern, preventing command-injection when callers build child_process.exec() command strings via concatenation.
Changes:
- Update
escapeShellArg()to use POSIX-safe single-quote escaping ('\'') so the escaped value remains a single shell argument. - Add a POSIX-only regression test that verifies an injection-like payload (e.g.
'; echo ...; #) stays within one argument and does not execute. - Clarify documentation to scope this helper to POSIX shell single-argument escaping and recommend
execFile()/spawn()argument arrays.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| plugins/security/src/lib/helper/escapeShellArg.ts | Switches single-quote escaping to POSIX-safe '\'' sequence. |
| plugins/security/test/app/extends/escapeShellArg.test.ts | Adds a POSIX regression test using child_process.exec to ensure payload remains one argument. |
| plugins/security/test/fixtures/apps/helper-escapeShellArg-app/app/router.js | Updates fixture expectation for the new escaping output. |
| plugins/security/README.md | Documents POSIX-only scope and recommends safer argument-array APIs. |
| plugins/security/README.zh-CN.md | Same documentation clarification in Chinese. |
Summary
Fix
@eggjs/security'sescapeShellArghelper so embedded single quotes use the POSIX-safe'\''quoting pattern instead of\', which does not escape single quotes inside POSIX shell single-quoted strings.Why
The previous output could terminate the quoted argument and allow a following shell metacharacter sequence to execute when callers used the documented
child_process.exec()string-concatenation pattern.Changes
'\''sequence.'; echo ...; #remains one argument.execFile()/spawn()argument arrays where possible.Validation
./node_modules/.bin/oxfmt plugins/security/src/lib/helper/escapeShellArg.ts plugins/security/test/app/extends/escapeShellArg.test.ts plugins/security/test/fixtures/apps/helper-escapeShellArg-app/app/router.js plugins/security/README.md plugins/security/README.zh-CN.mdgit diff --checkchild_process.exec: payload'; echo EGG_SECURITY_INJECTED; #is printed as one argument and does not execute the injectedecho.Note: local
vitest run plugins/security/test/app/extends/escapeShellArg.test.tscould not start in this checkout because@oxc-node/coreis missing fromnode_modules; CI should run with a hydrated install.Summary by CodeRabbit
Bug Fixes
Documentation