| 1 | 'use strict';
|
|---|
| 2 |
|
|---|
| 3 | // See http://www.robvanderwoude.com/escapechars.php
|
|---|
| 4 | const metaCharsRegExp = /([()\][%!^"`<>&|;, *?])/g;
|
|---|
| 5 |
|
|---|
| 6 | function escapeCommand(arg) {
|
|---|
| 7 | // Escape meta chars
|
|---|
| 8 | arg = arg.replace(metaCharsRegExp, '^$1');
|
|---|
| 9 |
|
|---|
| 10 | return arg;
|
|---|
| 11 | }
|
|---|
| 12 |
|
|---|
| 13 | function escapeArgument(arg, doubleEscapeMetaChars) {
|
|---|
| 14 | // Convert to string
|
|---|
| 15 | arg = `${arg}`;
|
|---|
| 16 |
|
|---|
| 17 | // Algorithm below is based on https://qntm.org/cmd
|
|---|
| 18 | // It's slightly altered to disable JS backtracking to avoid hanging on specially crafted input
|
|---|
| 19 | // Please see https://github.com/moxystudio/node-cross-spawn/pull/160 for more information
|
|---|
| 20 |
|
|---|
| 21 | // Sequence of backslashes followed by a double quote:
|
|---|
| 22 | // double up all the backslashes and escape the double quote
|
|---|
| 23 | arg = arg.replace(/(?=(\\+?)?)\1"/g, '$1$1\\"');
|
|---|
| 24 |
|
|---|
| 25 | // Sequence of backslashes followed by the end of the string
|
|---|
| 26 | // (which will become a double quote later):
|
|---|
| 27 | // double up all the backslashes
|
|---|
| 28 | arg = arg.replace(/(?=(\\+?)?)\1$/, '$1$1');
|
|---|
| 29 |
|
|---|
| 30 | // All other backslashes occur literally
|
|---|
| 31 |
|
|---|
| 32 | // Quote the whole thing:
|
|---|
| 33 | arg = `"${arg}"`;
|
|---|
| 34 |
|
|---|
| 35 | // Escape meta chars
|
|---|
| 36 | arg = arg.replace(metaCharsRegExp, '^$1');
|
|---|
| 37 |
|
|---|
| 38 | // Double escape meta chars if necessary
|
|---|
| 39 | if (doubleEscapeMetaChars) {
|
|---|
| 40 | arg = arg.replace(metaCharsRegExp, '^$1');
|
|---|
| 41 | }
|
|---|
| 42 |
|
|---|
| 43 | return arg;
|
|---|
| 44 | }
|
|---|
| 45 |
|
|---|
| 46 | module.exports.command = escapeCommand;
|
|---|
| 47 | module.exports.argument = escapeArgument;
|
|---|
