
Commit e76c573

authored
src: fix escaping of single quotes in task runner
Signed-off-by: Antoine du Hamel <duhamelantoine1995@gmail.com> PR-URL: #64089 Refs: https://hackerone.com/reports/3817602 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
1 parent 387332f commit e76c573

5 files changed

Lines changed: 11 additions & 11 deletions


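--- a/src/node_task_runner.cc
+++ b/src/node_task_runner.cc
@@ -171,10 +171,10 @@ std::string EscapeShell(const std::string_view input) {
 escaped = std::regex_replace(escaped, leadingQuotePairs, "");
 escaped = std::regex_replace(escaped, tripleSingleQuote, "\\\"");
 #else
-// Replace single quotes("'") with "\\'" and wrap the result
+// Replace single quotes("'") with `'"'"'` and wrap the result
 // in single quotes.
 std::string escaped =
-std::regex_replace(std::string(input), std::regex("'"), "\\'");
+std::regex_replace(std::string(input), std::regex("'"), "'\"'\"'");
 escaped = "'" + escaped + "'";
 // Remove excessive quote pairs and handle edge cases
 static const std::regex tripleSingleQuote("\\\\'''");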
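Review bot: The cleanup after the changed replacement still declares `tripleSingleQuote` (`"\\\\'''"`) on line 180, a pattern that was written for the old `\'` output. With the new `'"'"'` replacement, a run of three consecutive single quotes should no longer appear in `escaped`, so this pattern is probably dead code on the POSIX branch. Its use lies outside the hunk (the `#else` branch continues past line 180), so confirm that, then either remove it or restate which edge case it handles. The comment on line 174 would also help the next reader if it said why: `// A backslash is literal inside POSIX single quotes, so close the quote, emit "'" and reopen it.`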

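--- a/test/cctest/test_node_task_runner.cc
+++ b/test/cctest/test_node_task_runner.cc
@@ -28,12 +28,12 @@ TEST_F(TaskRunnerTest, EscapeShell) {
 {"test words", "'test words'"},
 {"$1", "'$1'"},
 {"\"$1\"", "'\"$1\"'"},
-{"'$1'", "'\\'$1\\''"},
+{"'$1'", "\"'\"'$1'\"'\"''"},
 {"\\$1", "'\\$1'"},
 {"--arg=\"$1\"", "'--arg=\"$1\"'"},
 {"--arg=node exec -c \"$1\"", "'--arg=node exec -c \"$1\"'"},
-{"--arg=node exec -c '$1'", "'--arg=node exec -c \\'$1\\''"},
-{"'--arg=node exec -c \"$1\"'", "'\\'--arg=node exec -c \"$1\"\\''"}
+{"--arg=node exec -c '$1'", "'--arg=node exec -c '\"'\"'$1'\"'\"''"},
+{"'--arg=node exec -c \"$1\"'", "\"'\"'--arg=node exec -c \"$1\"'\"'\"''"}
 #endif
 };
 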
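Review bot: The updated POSIX rows have no input where a single quote sits between two word characters or directly after a backslash; every quote is at the start or end of the input or wrapped around `$1`. Those are the inputs where the wrapping and the later cleanup regexes in EscapeShell interact, so a regression there would go unnoticed by this table. A row such as `{"I'm", "'I'\"'\"'m'"},` (expected value constructed from the new replacement rule; verify it against the cleanup step, which is not visible here) would pin the mid-word case, and an input of `\\'` would cover the backslash-then-quote case. The TEST_F body starts and ends outside this hunk.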

test/fixtures/run-script/node_modules/.bin/positional-args

Lines changed: 1 addition & 1 deletion

test/fixtures/run-script/node_modules/.bin/positional-args.bat

Lines changed: 1 addition & 1 deletion

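--- a/test/parallel/test-node-run.js
+++ b/test/parallel/test-node-run.js
@@ -143,15 +143,15 @@ describe('node --run [command]', () => {
 it('appends positional arguments', async () => {
 const child = await common.spawnPromisified(
 process.execPath,
-[ '--run', `positional-args${envSuffix}`, '--', '--help "hello world test"', 'A', 'B', 'C'],
+[ '--run', `positional-args${envSuffix}`, '--', '--help "hello world test"', 'A', 'B', 'C', 'I think therefore I\'m'],
 { cwd: fixtures.path('run-script') },
 );
 if (common.isWindows) {
-assert.match(child.stdout, /Arguments: '--help ""hello world test"" A B C'/);
+assert.match(child.stdout, /Arguments: '--help ""hello world test"" A B C I think therefore I'm'/);
 } else {
-assert.match(child.stdout, /Arguments: '--help "hello world test" A B C'/);
+assert.match(child.stdout, /Arguments: '--help "hello world test" A B C I think therefore I'm'/);
 }
-assert.match(child.stdout, /The total number of arguments are: 4/);
+assert.match(child.stdout, /The total number of arguments is: 5/);
 assert.strictEqual(child.stderr, '');
 assert.strictEqual(child.code, 0);
 });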
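Review bot: The new positional argument on line 146, `'I think therefore I\'m'`, has only a letter after the apostrophe, so the assertions show that the quote round-trips and the argument count is right. They do not show that text following the quote is still treated as literal data by the shell. Since the commit references a security report, a second argument that follows the quote with something the shell would otherwise expand would pin that property, for example `'it\'s $HOME'` with an assertion that the literal `$HOME` appears in `child.stdout`. That assumes the fixture script, which is not rendered here, echoes its arguments unchanged, and the expected count on line 154 would need to go up by one.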
