Output escaping is broken #3

Closed
schorsch3000 opened this issue Mar 3, 2022 · 8 comments
@schorsch3000

At least variable values are not properly escaped.
E.g. running the demo.sh like this:

```
export foo="this is broken" ; ./demo.sh download -t '$foo' bar
```

should result in

```
cmd:                      download
flag:   --force           
option: --tries           $foo
arg:    source            bar
arg:    target            
```

but results in

```
cmd:                      download
flag:   --force           
option: --tries           this is broken
arg:    source            bar
arg:    target 
```

This is because calling `argc -e demo.sh download -t '$foo' bar` results in

```
argc_tries="$foo"
argc_source="bar"
download
```

Right there is an unescaped `$foo`.

@sigoden
Owner

sigoden commented Mar 4, 2022

I didn't notice that the quotes should be kept

I'll deal with this later

@sigoden sigoden added the bug Something isn't working label Mar 4, 2022
@sigoden sigoden self-assigned this Mar 4, 2022
@schorsch3000
Author

I'm really not fluent in Rust, but I am in bash, and it seems you should use something like https://docs.rs/shellwords/latest/shellwords/fn.escape.html to output variable contents and commands.

@sigoden
Owner

sigoden commented Mar 4, 2022

The problem occurs a little further ahead. The value `'$foo'` loses its quotes before it is assigned to a variable, while clap is parsing the parameters.

The escape is not a problem:

```
./demo.sh download file1 '"abc\""efg"\" "'
cmd:                      download
flag:   --force           
option: --tries           
arg:    source            file1
arg:    target            "abc\""efg"\" "
```

@schorsch3000
Author

IMO that is exactly the problem.
In my example the actual value of the parameter is `$foo`; `'$foo'` is the syntax in shell to give `$foo` as the value.

@sigmonsays

sigmonsays commented Mar 4, 2022

Proper escaping needs to be added for all escapes. It's not just the dollar sign; that was only a trivial example. Also, it's not just variables that are executed, all shell commands are, because of the dangerous use of eval. Imagine pwd being changed to rm -rf below...

Take these examples

```
demo.sh download -t '$(pwd)' asdf

demo.sh download -t '`pwd`' asdf
```

@sigoden sigoden closed this as completed in 3c2a635 Mar 5, 2022
@schorsch3000
Author

I'm afraid it's far from fixed right now.
At least `"'"` or `"\\1"` as parameters breaks things.

My simple test setup:

```
#!/bin/bash
# @describe A demo cli
# @arg value! a test value
eval "$(argc -e "$0" "$@")"
# Compare the raw first argument with the value argc hands back.
if [[ "$1" == "$argc_value" ]]; then
  echo "Okay"
else
  echo "ERROR $1 results in $argc_value"
fi
```

Shell quoting really isn't simple. Please reconsider using a proven library for that job.

@sigoden
Owner

sigoden commented Mar 6, 2022

Okay, I've a new build. Please test it!

@sigoden sigoden reopened this Mar 6, 2022
@sigoden sigoden closed this as completed Mar 6, 2022
@schorsch3000
Author

Testing 0.3.1, I've found the following problematic argument values:

```
"a "
"²"
"ö"
```

or any other multibyte character.
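
The quoting problem discussed in this thread, as an added example that is not code from argc or from any commenter: a POSIX single-quote escaper, checked by round-tripping the thread's problem values through `eval`. The function names and the `argc_value` variable are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not argc code): make a value safe to emit into text that a
# script will pass to `eval`, as in `eval "$(argc -e ...)"`.

# sq_escape VALUE: print VALUE inside single quotes, rewriting each embedded
# single quote as '\'' (close the quote, add an escaped quote, reopen).
# Inside single quotes the shell expands nothing, so $, `, \ and " stay data.
sq_escape() (
    q="'" rest=$1 out=
    while :; do
        case $rest in
            *"$q"*)
                out=$out${rest%%"$q"*}"'\\''"
                rest=${rest#*"$q"}
                ;;
            *) break ;;
        esac
    done
    printf '%s' "'$out$rest'"
)

# emit_naive NAME VALUE: the double-quoted form shown in the report.
emit_naive() { printf '%s="%s"\n' "$1" "$2"; }

# emit_safe NAME VALUE: hypothetical replacement built on sq_escape.
emit_safe() { printf '%s=%s\n' "$1" "$(sq_escape "$2")"; }

# roundtrip EMITTER VALUE: succeed only if eval-ing the emitted assignment
# yields VALUE byte for byte. The subshell body contains any syntax error.
roundtrip() (
    eval "$("$1" argc_value "$2")" 2>/dev/null || exit 1
    [ "$argc_value" = "$2" ]
)

foo='this is broken'  # constructed, mirrors the variable set in the report
for v in '$foo' '$(pwd)' '`pwd`' "'" '\1' 'a ' '²' 'ö'; do
    for e in emit_naive emit_safe; do
        if roundtrip "$e" "$v"; then r=ok; else r=MISMATCH; fi
        printf '%-10s %-8s [%s]\n' "$e" "$r" "$v"
    done
done
```

The same round-trip comparison is what the test setup posted earlier in the thread performs against `argc` itself, so the value list can be reused there.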
