Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

String like =~ in Bash not escaped properly by escape(All) with interpolation escaping enabled #169

Closed
ericcornelissen opened this issue Feb 19, 2022 · 0 comments · Fixed by #170 or #172
Assignees
Labels
bug Something isn't working

Comments

@ericcornelissen
Copy link
Owner

ericcornelissen commented Feb 19, 2022

Bug Report

  • Shescape version: v1.5.0
  • Operating system: Unix (Ubuntu 20.04)
  • Shell: Bash

Description

If the string =~ appears at the end of an argument in Bash (without quoting the argument) the tilde (~) will be expanded to the home directory. Similarly, when xxx:~, ~:xxx or xxx:~:xxx appears after = (where xxx can be any string), the tilde (~) will be expanded, this even works for multiple tildes.

Actual Behaviour

When running shescape.escape(All) with interpolation escaping enabled the trailing ~ is not escaped and therefore expanded when the argument is used.

Expected Behaviour

When running shescape.escape(All) with interpolation escaping enabled the trailing ~ should be escaped to avoid it being expanded when the argument is used.

Working Examples

This category of bug was found by fuzzing, the crash results can be found here:

@ericcornelissen ericcornelissen added the bug Something isn't working label Feb 19, 2022
@ericcornelissen ericcornelissen self-assigned this Feb 19, 2022
@ericcornelissen ericcornelissen changed the title Trailing string =~ in Bash not escaped properly by escape(All) Trailing string like =~ in Bash not escaped properly by escape(All) Feb 19, 2022
@ericcornelissen ericcornelissen changed the title Trailing string like =~ in Bash not escaped properly by escape(All) String like =~ in Bash not escaped properly by escape(All) with interpolation escaping enabled Feb 22, 2022
ericcornelissen added a commit that referenced this issue Jun 3, 2022
Based on the escaping logic for Bash, notably with escaping for tildes
(`~`) after equality signs (`=`) omitted. This isn't necessary based on
manual testing, and can be confirmed by running the existing fuzz target
on Dash (given that the corpus included in git contains various test
cases for the scenario, from [1]).

--
1. #169
ericcornelissen added a commit that referenced this issue Jun 7, 2022
* Add dedicated escaping logic for Dash

Based on the escaping logic for Bash, notably with escaping for tildes
(`~`) after equality signs (`=`) omitted. This isn't necessary based on
manual testing, and can be confirmed by running the existing fuzz target
on Dash (given that the corpus included in git contains various test
cases for the scenario, from [1]).

* Update fixtures for dash

Update test cases related to tildes (`~`) after equality signs (`=`) as
those don't need to be escaped for Dash based on manual testing.

* Update CHANGELOG


--
1. #169
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
1 participant