Merge pull request #120 from snyk/fix/quote-args

fix: escape child process arguments

.snyk

@@ -0,0 +1,10 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.19.0
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+  'snyk:lic:npm:shescape:MPL-2.0':
+    - '*':
+        reason: None Given
+        expires: 2122-12-29T08:01:32.423Z
+        created: 2022-11-29T08:01:32.424Z
+patch: {}

lib/index.ts

@@ -265,7 +265,7 @@ export function buildArgs(
   isOutputGraph?: boolean,
 ) {
   // force plain output so we don't have to parse colour codes
-  let args = ['"-Dsbt.log.noformat=true"'];
+  let args = ['-Dsbt.log.noformat=true'];
   if (sbtArgs) {
     args = args.concat(sbtArgs);
   }

lib/sub-process.ts

@@ -1,6 +1,7 @@
 import * as childProcess from 'child_process';
 import * as treeKill from 'tree-kill';
 import * as debugModule from 'debug';
+import { quoteAll } from 'shescape';
 
 // To enable debugging output, run the CLI as `DEBUG=snyk-sbt-plugin snyk ...`
 const debugLogging = debugModule('snyk-sbt-plugin');
@@ -18,6 +19,7 @@ export const execute = (
   if (options && options.cwd) {
     spawnOptions.cwd = options.cwd;
   }
+  args = quoteAll(args, spawnOptions);
 
   return new Promise((resolve, reject) => {
     const out = {

package.json

@@ -44,6 +44,7 @@
   "dependencies": {
     "debug": "^4.1.1",
     "semver": "^6.1.2",
+    "shescape": "1.6.1",
     "tmp": "^0.1.0",
     "tree-kill": "^1.2.2",
     "tslib": "^1.10.0"

test/functional/sbt-plugin.test.ts

@@ -7,7 +7,7 @@ test('check build args with array not coursier', (t) => {
     '-Pjaxen',
   ], false);
   t.deepEqual(result, [
-    '"-Dsbt.log.noformat=true\"',
+    '-Dsbt.log.noformat=true',
     '-Paxis',
     '-Pjaxen',
     'dependencyTree',
@@ -18,7 +18,7 @@ test('check build args with array not coursier', (t) => {
 test('check build args with string not coursie', (t) => {
   const result = plugin.buildArgs('-Paxis -Pjaxen', false);
   t.deepEqual(result, [
-    '"-Dsbt.log.noformat=true\"',
+    '-Dsbt.log.noformat=true',
     '-Paxis -Pjaxen',
     'dependencyTree',
   ]);
@@ -31,7 +31,7 @@ test('check build args with array for coursier', (t) => {
     '-Pjaxen',
   ], true);
   t.deepEqual(result, [
-    '"-Dsbt.log.noformat=true\"',
+    '-Dsbt.log.noformat=true',
     '-Paxis',
     '-Pjaxen',
     'coursierDependencyTree',
@@ -42,7 +42,7 @@ test('check build args with array for coursier', (t) => {
 test('check build args with string for coursier', (t) => {
   const result = plugin.buildArgs('-Paxis -Pjaxen', true);
   t.deepEqual(result, [
-    '"-Dsbt.log.noformat=true\"',
+    '-Dsbt.log.noformat=true',
     '-Paxis -Pjaxen',
     'coursierDependencyTree',
   ]);
@@ -52,7 +52,7 @@ test('check build args with string for coursier', (t) => {
 test('check build args with string for snykRenderTree', (t) => {
   const result = plugin.buildArgs('-Paxis -Pjaxen', false, true);
   t.deepEqual(result, [
-    '"-Dsbt.log.noformat=true\"',
+    '-Dsbt.log.noformat=true',
     '-Paxis -Pjaxen',
     'snykRenderTree',
   ]);
@@ -62,7 +62,7 @@ test('check build args with string for snykRenderTree', (t) => {
 test('check build args with string for coursier and not snykRenderTree', (t) => {
   const result = plugin.buildArgs('-Paxis -Pjaxen', true, false);
   t.deepEqual(result, [
-    '"-Dsbt.log.noformat=true\"',
+    '-Dsbt.log.noformat=true',
     '-Paxis -Pjaxen',
     'coursierDependencyTree',
   ]);
@@ -72,7 +72,7 @@ test('check build args with string for coursier and not snykRenderTree', (t) =>
 test('check build args with string for not coursier and not snykRenderTree', (t) => {
   const result = plugin.buildArgs('-Paxis -Pjaxen', false, false);
   t.deepEqual(result, [
-    '"-Dsbt.log.noformat=true\"',
+    '-Dsbt.log.noformat=true',
     '-Paxis -Pjaxen',
     'dependencyTree',
   ]);