ericcornelissen · ericcornelissen · Jul 6, 2023 · Jul 5, 2023 · Jul 6, 2023 · Jul 6, 2023
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,8 @@ Versioning].
 ## [Unreleased]
 
 - Fix incorrect escaping of `"` when escaping for CMD. ([#1022])
+- Fix incorrect escaping of `"` when escaping for PowerShell. ([#1023])
+- Fix incorrect escaping of `"` when quoting for PowerShell. ([#1023])
 - Fix incorrect escaping of `%` when quoting for CMD. ([#986], [#998])
 
 ## [1.7.1] - 2023-06-21
@@ -275,6 +277,7 @@ Versioning].
 [#986]: https://github.com/ericcornelissen/shescape/pull/986
 [#998]: https://github.com/ericcornelissen/shescape/pull/998
 [#1022]: https://github.com/ericcornelissen/shescape/pull/1022
+[#1023]: https://github.com/ericcornelissen/shescape/pull/1023
 [552e8ea]: https://github.com/ericcornelissen/shescape/commit/552e8eab56861720b1d4e5474fb65741643358f9
 [keep a changelog]: https://keepachangelog.com/en/1.0.0/
 [semantic versioning]: https://semver.org/spec/v2.0.0.html
diff --git a/src/win/powershell.js b/src/win/powershell.js
@@ -10,15 +10,26 @@
  * @returns {string} The escaped argument.
  */
 function escapeArgForInterpolation(arg) {
-  return arg
+  arg = arg
     .replace(/[\0\u0008\u001B\u009B]/gu, "")
     .replace(/`/gu, "``")
     .replace(/\r(?!\n)/gu, "")
     .replace(/\r?\n/gu, " ")
     .replace(/(?<=^|[\s\u0085])([*1-6]?)(>)/gu, "$1`$2")
     .replace(/(?<=^|[\s\u0085])([#\-:<@\]])/gu, "`$1")
-    .replace(/(["$&'(),;{|}‘’‚‛“”„])/gu, "`$1")
-    .replace(/([\s\u0085])/gu, "`$1");
+    .replace(/([$&'(),;{|}‘’‚‛“”„])/gu, "`$1");
+
+  if (/[\s\u0085]/u.test(arg.replace(/^[\s\u0085]+/gu, ""))) {
+    arg = arg
+      .replace(/(?<!\\)(\\*)"/gu, '$1$1`"`"')
+      .replace(/(?<!\\)(\\+)$/gu, "$1$1");
+  } else {
+    arg = arg.replace(/(?<!\\)(\\*)"/gu, '$1$1\\`"');
+  }
+
+  arg = arg.replace(/([\s\u0085])/gu, "`$1");
+
+  return arg;
 }
 
 /**
@@ -55,10 +66,20 @@ export function getEscapeFunction(options) {
  * @returns {string} The escaped argument.
  */
 function escapeArgForQuoted(arg) {
-  return arg
+  arg = arg
     .replace(/[\0\u0008\u001B\u009B]/gu, "")
     .replace(/\r(?!\n)/gu, "")
     .replace(/(['‘’‚‛])/gu, "$1$1");
+
+  if (/[\s\u0085]/u.test(arg)) {
+    arg = arg
+      .replace(/(?<!\\)(\\*)"/gu, '$1$1""')
+      .replace(/(?<!\\)(\\+)$/gu, "$1$1");
+  } else {
+    arg = arg.replace(/(?<!\\)(\\*)"/gu, '$1$1\\"');
+  }
+
+  return arg;
 }
 
 /**

diff --git a/test/fixtures/win.js b/test/fixtures/win.js
@@ -2278,32 +2278,78 @@ export const escape = {
       {
         input: 'a"b',
         expected: {
-          interpolation: 'a`"b',
+          interpolation: 'a\\`"b',
           noInterpolation: 'a"b',
         },
       },
       {
         input: 'a"b"c',
         expected: {
-          interpolation: 'a`"b`"c',
+          interpolation: 'a\\`"b\\`"c',
           noInterpolation: 'a"b"c',
         },
       },
       {
         input: 'a"',
         expected: {
-          interpolation: 'a`"',
+          interpolation: 'a\\`"',
           noInterpolation: 'a"',
         },
       },
       {
         input: '"a',
         expected: {
-          interpolation: '`"a',
+          interpolation: '\\`"a',
           noInterpolation: '"a',
         },
       },
     ],
+    "double quotes ('\"') + backslashes ('\\')": [
+      {
+        input: 'a\\"b',
+        expected: {
+          interpolation: 'a\\\\\\`"b',
+          noInterpolation: 'a\\"b',
+        },
+      },
+      {
+        input: 'a\\\\"b',
+        expected: {
+          interpolation: 'a\\\\\\\\\\`"b',
+          noInterpolation: 'a\\\\"b',
+        },
+      },
+    ],
+    "double quotes ('\"') + whitespace": [
+      {
+        input: 'a "b',
+        expected: {
+          interpolation: 'a` `"`"b',
+          noInterpolation: 'a "b',
+        },
+      },
+      {
+        input: 'a "b "c',
+        expected: {
+          interpolation: 'a` `"`"b` `"`"c',
+          noInterpolation: 'a "b "c',
+        },
+      },
+      {
+        input: 'a "',
+        expected: {
+          interpolation: 'a` `"`"',
+          noInterpolation: 'a "',
+        },
+      },
+      {
+        input: ' "a',
+        expected: {
+          interpolation: '` \\`"a',
+          noInterpolation: ' "a',
+        },
+      },
+    ],
     "backticks ('`')": [
       {
         input: "a`b",
@@ -2529,6 +2575,44 @@ export const escape = {
         expected: { interpolation: "a\\", noInterpolation: "a\\" },
       },
     ],
+    "backslashes ('\\') + whitespace": [
+      {
+        input: "a b\\c",
+        expected: { interpolation: "a` b\\c", noInterpolation: "a b\\c" },
+      },
+      {
+        input: "a\\b c",
+        expected: { interpolation: "a\\b` c", noInterpolation: "a\\b c" },
+      },
+      {
+        input: "a b\\",
+        expected: { interpolation: "a` b\\\\", noInterpolation: "a b\\" },
+      },
+      {
+        input: "a b\\\\",
+        expected: { interpolation: "a` b\\\\\\\\", noInterpolation: "a b\\\\" },
+      },
+      {
+        input: "\\a b",
+        expected: { interpolation: "\\a` b", noInterpolation: "\\a b" },
+      },
+      {
+        input: " a\\",
+        expected: { interpolation: "` a\\", noInterpolation: " a\\" },
+      },
+      {
+        input: "  a\\",
+        expected: { interpolation: "` ` a\\", noInterpolation: "  a\\" },
+      },
+      {
+        input: " a b\\",
+        expected: { interpolation: "` a` b\\\\", noInterpolation: " a b\\" },
+      },
+      {
+        input: "  a b\\",
+        expected: { interpolation: "` ` a` b\\\\", noInterpolation: "  a b\\" },
+      },
+    ],
     "colons (':')": [
       {
         input: "a:b",
@@ -4349,19 +4433,47 @@ export const quote = {
     "double quotes ('\"')": [
       {
         input: 'a"b',
-        expected: "'a\"b'",
+        expected: "'a\\\"b'",
       },
       {
         input: 'a"b"c',
-        expected: "'a\"b\"c'",
+        expected: "'a\\\"b\\\"c'",
       },
       {
         input: 'a"',
-        expected: "'a\"'",
+        expected: "'a\\\"'",
       },
       {
         input: '"a',
-        expected: "'\"a'",
+        expected: "'\\\"a'",
+      },
+    ],
+    "double quotes ('\"') + backslashes ('\\')": [
+      {
+        input: 'a\\"b',
+        expected: "'a\\\\\\\"b'",
+      },
+      {
+        input: 'a\\\\"b',
+        expected: "'a\\\\\\\\\\\"b'",
+      },
+    ],
+    "double quotes ('\"') + whitespace": [
+      {
+        input: 'a "b',
+        expected: "'a \"\"b'",
+      },
+      {
+        input: 'a "b "c',
+        expected: '\'a ""b ""c\'',
+      },
+      {
+        input: 'a "',
+        expected: "'a \"\"'",
+      },
+      {
+        input: ' "a',
+        expected: "' \"\"a'",
       },
     ],
     "backticks ('`')": [
@@ -4490,6 +4602,28 @@ export const quote = {
         expected: "'\\a'",
       },
     ],
+    "backslashes ('\\') + whitespace": [
+      {
+        input: "a b\\c",
+        expected: "'a b\\c'",
+      },
+      {
+        input: "a\\b c",
+        expected: "'a\\b c'",
+      },
+      {
+        input: "a b\\",
+        expected: "'a b\\\\'",
+      },
+      {
+        input: "a b\\\\",
+        expected: "'a b\\\\\\\\'",
+      },
+      {
+        input: "\\a b",
+        expected: "'\\a b'",
+      },
+    ],
     "pipes ('|')": [
       {
         input: "a|b",

diff --git a/test/fuzz/_common.cjs b/test/fuzz/_common.cjs
@@ -96,62 +96,9 @@ function getFuzzShell() {
   return process.env.FUZZ_SHELL || undefined;
 }
 
-/**
- * Prepares an argument for echoing to accommodate shell-specific behaviour.
- *
- * @param {object} args The function arguments.
- * @param {string} args.arg The input argument that will be echoed.
- * @param {boolean} args.quoted Will `arg` be quoted prior to echoing.
- * @param {string} args.shell The shell to be used for echoing.
- * @param {boolean} disableExtraWindowsPreparations Disable Windows prep.
- * @returns {string} The prepared `arg`.
- */
-function prepareArg({ arg, quoted, shell }, disableExtraWindowsPreparations) {
-  if (constants.isWindows && !disableExtraWindowsPreparations) {
-    // Node on Windows ...
-    if (isShellPowerShell(shell)) {
-      // ... in PowerShell, depending on if there's whitespace in the
-      // argument ...
-      if (
-        (quoted &&
-          /[\t\n\v\f \u0085\u00A0\u1680\u2000-\u200A\u2028\u2029\u202F\u205F\u3000\uFEFF]/u.test(
-            arg,
-          )) ||
-        (!quoted &&
-          /(?<!^)[\t\n\v\f \u0085\u00A0\u1680\u2000-\u200A\u2028\u2029\u202F\u205F\u3000\uFEFF]/u.test(
-            arg.replace(/^[\s\0\u0008\u001B\u0085\u009B]+/gu, ""),
-          ))
-      ) {
-        // ... interprets arguments with `"` as nothing so we escape it with
-        // extra double quotes as `""` ...
-        arg = arg.replace(/"/gu, '""');
-
-        // ... and interprets arguments with `\"` as `"` so we escape the `\`.
-        arg = arg.replace(
-          /(?<!\\)((?:\\[\0\u0008\r\u001B\u009B]*)+)(?="|$)/gu,
-          "$1$1",
-        );
-      } else {
-        // ... interprets arguments with `\"` as `"` so we escape the `\` ...
-        arg = arg.replace(
-          /(?<!\\)((?:\\[\0\u0008\r\u001B\u009B]*)+)(?=")/gu,
-          "$1$1",
-        );
-
-        // ... and interprets arguments with `"` as nothing so we escape it
-        // with `\"`.
-        arg = arg.replace(/"/gu, '\\"');
-      }
-    }
-  }
-
-  return arg;
-}
-
 module.exports = {
   ECHO_SCRIPT,
   isShellPowerShell,
   getExpectedOutput,
   getFuzzShell,
-  prepareArg,
 };
diff --git a/test/fuzz/corpus/1f605e204b5e95ba4e5e728b554aa2e245dd36dba8c7ba02475046a4040ae131 b/test/fuzz/corpus/1f605e204b5e95ba4e5e728b554aa2e245dd36dba8c7ba02475046a4040ae131
diff --git a/test/fuzz/corpus/8a9311b3c9ceb518d0aa6cb61bb3e4004165d7aaad3239a0058bb7fe078aef12 b/test/fuzz/corpus/8a9311b3c9ceb518d0aa6cb61bb3e4004165d7aaad3239a0058bb7fe078aef12
diff --git a/test/fuzz/exec-file.test.cjs b/test/fuzz/exec-file.test.cjs
@@ -12,13 +12,11 @@ const common = require("./_common.cjs");
 const shescape = require("../../index.cjs");
 
 function check({ arg, shell }) {
-  const argInfo = { arg, shell, quoted: Boolean(shell) };
   const execFileOptions = { encoding: "utf8", shell };
 
-  const preparedArg = common.prepareArg(argInfo, !Boolean(shell));
   const safeArg = execFileOptions.shell
-    ? shescape.quote(preparedArg, execFileOptions)
-    : shescape.escape(preparedArg, execFileOptions);
+    ? shescape.quote(arg, execFileOptions)
+    : shescape.escape(arg, execFileOptions);
 
   return new Promise((resolve, reject) => {
     execFile(
@@ -30,7 +28,7 @@ function check({ arg, shell }) {
           reject(`an unexpected error occurred: ${error}`);
         } else {
           const result = stdout;
-          const expected = common.getExpectedOutput(argInfo);
+          const expected = common.getExpectedOutput({ arg, shell });
           try {
             assert.strictEqual(result, expected);
             resolve();
@@ -44,13 +42,11 @@ function check({ arg, shell }) {
 }
 
 function checkSync({ arg, shell }) {
-  const argInfo = { arg, shell, quoted: Boolean(shell) };
   const execFileOptions = { encoding: "utf8", shell };
 
-  const preparedArg = common.prepareArg(argInfo, !Boolean(shell));
   const safeArg = execFileOptions.shell
-    ? shescape.quote(preparedArg, execFileOptions)
-    : shescape.escape(preparedArg, execFileOptions);
+    ? shescape.quote(arg, execFileOptions)
+    : shescape.escape(arg, execFileOptions);
 
   let stdout;
   try {
@@ -64,7 +60,7 @@ function checkSync({ arg, shell }) {
   }
 
   const result = stdout;
-  const expected = common.getExpectedOutput(argInfo);
+  const expected = common.getExpectedOutput({ arg, shell });
   assert.strictEqual(result, expected);
 }