Skip to content

fix(security): escape shell arg single quotes#6037

Merged
elrrrrrrr merged 1 commit into
eggjs:nextfrom
killagu:codex/fix-security-escape-shell-arg
Jul 15, 2026
Merged

fix(security): escape shell arg single quotes#6037
elrrrrrrr merged 1 commit into
eggjs:nextfrom
killagu:codex/fix-security-escape-shell-arg

Conversation

@killagu

@killagu killagu commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Summary

Fix @eggjs/security's escapeShellArg helper so embedded single quotes use the POSIX-safe '\'' quoting pattern instead of \', which does not escape single quotes inside POSIX shell single-quoted strings.

Why

The previous output could terminate the quoted argument and allow a following shell metacharacter sequence to execute when callers used the documented child_process.exec() string-concatenation pattern.

Changes

  • Replace the single quote escaping logic with the POSIX standard '\'' sequence.
  • Add a POSIX shell regression test that verifies a payload containing '; echo ...; # remains one argument.
  • Update the helper docs to clarify that this is POSIX shell single-argument escaping and recommend execFile() / spawn() argument arrays where possible.

Validation

  • ./node_modules/.bin/oxfmt plugins/security/src/lib/helper/escapeShellArg.ts plugins/security/test/app/extends/escapeShellArg.test.ts plugins/security/test/fixtures/apps/helper-escapeShellArg-app/app/router.js plugins/security/README.md plugins/security/README.zh-CN.md
  • git diff --check
  • Manual shell regression with Node + child_process.exec: payload '; echo EGG_SECURITY_INJECTED; # is printed as one argument and does not execute the injected echo.

Note: local vitest run plugins/security/test/app/extends/escapeShellArg.test.ts could not start in this checkout because @oxc-node/core is missing from node_modules; CI should run with a hydrated install.

Summary by CodeRabbit

  • Bug Fixes

    • Improved shell argument escaping for POSIX environments, including arguments containing single quotes and shell metacharacters.
    • Preserved argument contents more reliably when executed through a shell.
  • Documentation

    • Clarified POSIX shell behavior and limitations.
    • Added guidance to prefer process APIs with argument arrays for safer command execution.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the escapeShellArg helper to correctly escape single quotes for POSIX shells by replacing ' with '\'' instead of backslash escaping, which is not standard inside single-quoted strings in POSIX. It also updates the English and Chinese documentation to clarify that this helper is intended for POSIX shells and recommends using child_process.execFile or child_process.spawn where possible. Additionally, a new POSIX-specific test case has been added to verify the escaping behavior, and existing tests have been updated accordingly. There are no review comments, so I have no feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

@codecov

codecov Bot commented Jul 15, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 82.43%. Comparing base (8d7f6c7) to head (6ef8736).
⚠️ Report is 1 commits behind head on next.

Additional details and impacted files
@@           Coverage Diff           @@
##             next    #6037   +/-   ##
=======================================
  Coverage   82.43%   82.43%           
=======================================
  Files         686      686           
  Lines       21335    21335           
  Branches     4260     4260           
=======================================
+ Hits        17587    17588    +1     
+ Misses       3241     3240    -1     
  Partials      507      507           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@killagu
killagu force-pushed the codex/fix-security-escape-shell-arg branch from b68517f to 6ef8736 Compare July 15, 2026 13:09
@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ed2ecfbb-b8eb-4411-b8de-1d05fff14a68

📥 Commits

Reviewing files that changed from the base of the PR and between 8d7f6c7 and 6ef8736.

📒 Files selected for processing (5)
  • plugins/security/README.md
  • plugins/security/README.zh-CN.md
  • plugins/security/src/lib/helper/escapeShellArg.ts
  • plugins/security/test/app/extends/escapeShellArg.test.ts
  • plugins/security/test/fixtures/apps/helper-escapeShellArg-app/app/router.js

📝 Walkthrough

Walkthrough

escapeShellArg now applies POSIX single-quote escaping, while English and Chinese documentation, integration tests, and fixture expectations are updated accordingly.

Changes

POSIX shell argument escaping

Layer / File(s) Summary
Implement POSIX quoting
plugins/security/src/lib/helper/escapeShellArg.ts, plugins/security/README.md, plugins/security/README.zh-CN.md
The helper wraps arguments in single quotes and escapes embedded single quotes using the POSIX '\'' sequence; documentation describes the POSIX scope and alternatives for process execution.
Validate escaped arguments
plugins/security/test/app/extends/escapeShellArg.test.ts, plugins/security/test/fixtures/apps/helper-escapeShellArg-app/app/router.js
POSIX-only execution coverage verifies embedded quotes and shell metacharacters remain one argument, and fixture expectations match the revised escaping output.

Estimated code review effort: 2 (Simple) | ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly reflects the main change: fixing shell argument escaping for single quotes in the security helper.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint install failed: private package registry requires authentication. Disable ESLint in CodeRabbit settings or use public packages.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@killagu
killagu marked this pull request as ready for review July 15, 2026 14:45
Copilot AI review requested due to automatic review settings July 15, 2026 14:45

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes @eggjs/security’s escapeShellArg helper to correctly escape embedded single quotes for POSIX shells using the standard '\'' pattern, preventing command-injection when callers build child_process.exec() command strings via concatenation.

Changes:

  • Update escapeShellArg() to use POSIX-safe single-quote escaping ('\'') so the escaped value remains a single shell argument.
  • Add a POSIX-only regression test that verifies an injection-like payload (e.g. '; echo ...; #) stays within one argument and does not execute.
  • Clarify documentation to scope this helper to POSIX shell single-argument escaping and recommend execFile() / spawn() argument arrays.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

Show a summary per file
File Description
plugins/security/src/lib/helper/escapeShellArg.ts Switches single-quote escaping to POSIX-safe '\'' sequence.
plugins/security/test/app/extends/escapeShellArg.test.ts Adds a POSIX regression test using child_process.exec to ensure payload remains one argument.
plugins/security/test/fixtures/apps/helper-escapeShellArg-app/app/router.js Updates fixture expectation for the new escaping output.
plugins/security/README.md Documents POSIX-only scope and recommends safer argument-array APIs.
plugins/security/README.zh-CN.md Same documentation clarification in Chinese.

@elrrrrrrr
elrrrrrrr added this pull request to the merge queue Jul 15, 2026
Merged via the queue into eggjs:next with commit 196f11d Jul 15, 2026
32 of 34 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants