fix(exec): Fails to Execute Binaries Named After Shell Keywords (#8221)

13sfaith · web-flow · commit fdc3413019c2 · 2025-04-23T14:25:15.000-07:00
The best example of this bug is in the original issue (#8190). Basically, if an exec command has a shell keyword (i.e `npx select`) it will trigger a bash syntax error. Things I did: 1. Added a test that fails to execute a binary named after a shell keyword (`select`) 2. Wrap all execution commands (after handling parsing for locations/downloads/etc) in quotes to guarantee a programs execution and not a bash parse This is my first PR on this project so please let me know if I missed something! I'm happy to make whatever changes we need to get it fixed! Thanks! ## References Fixes #8190
diff --git a/test/lib/commands/exec.js b/test/lib/commands/exec.js
@@ -275,6 +275,31 @@ t.test('packs from git spec', async t => {
     const exists = await fs.stat(path.join(npm.prefix, 'npm-exec-test-success'))
     t.ok(exists.isFile(), 'bin ran, creating file')
   } catch (err) {
-    t.fail(err, "shouldn't throw")
+    t.fail(err, 'should not throw')
+  }
+})
+
+t.test('can run packages with keywords', async t => {
+  const { npm } = await loadMockNpm(t, {
+    prefixDir: {
+      'package.json': JSON.stringify({
+        name: '@npmcli/npx-package-test',
+        bin: { select: 'index.js' },
+      }),
+      'index.js': `#!/usr/bin/env node
+      require('fs').writeFileSync('npm-exec-test-success', (process.argv.length).toString())`,
+    },
+  })
+
+  try {
+    await npm.exec('exec', ['select'])
+
+    const testFilePath = path.join(npm.prefix, 'npm-exec-test-success')
+    const exists = await fs.stat(testFilePath)
+    t.ok(exists.isFile(), 'bin ran, creating file')
+    const noExtraArgumentCount = await fs.readFile(testFilePath, 'utf8')
+    t.equal(+noExtraArgumentCount, 2, 'should have no extra arguments')
+  } catch (err) {
+    t.fail(err, 'should not throw')
   }
 })
diff --git a/workspaces/libnpmexec/lib/run-script.js b/workspaces/libnpmexec/lib/run-script.js
@@ -3,6 +3,7 @@ const runScript = require('@npmcli/run-script')
 const readPackageJson = require('read-package-json-fast')
 const { log, output } = require('proc-log')
 const noTTY = require('./no-tty.js')
+const isWindowsShell = require('./is-windows.js')
 
 const run = async ({
   args,
@@ -14,6 +15,14 @@ const run = async ({
   runPath,
   scriptShell,
 }) => {
+  // escape executable path
+  // necessary for preventing bash/cmd keywords from overriding
+  if (!isWindowsShell) {
+    if (args.length > 0) {
+      args[0] = '"' + args[0] + '"'
+    }
+  }
+
   // turn list of args into command string
   const script = call || args.shift() || scriptShell
 
diff --git a/workspaces/libnpmexec/test/run-script.js b/workspaces/libnpmexec/test/run-script.js
@@ -115,3 +115,31 @@ t.test('ci env', async t => {
 
   t.equal(logs[0], 'warn exec Interactive mode disabled in CI environment')
 })
+
+t.test('isWindows', async t => {
+  const { runScript } = await mockRunScript(t, {
+    'ci-info': { isCI: true },
+    '@npmcli/run-script': async () => {
+      t.ok('should call run-script')
+    },
+    '../lib/is-windows.js': true,
+  })
+
+  await runScript({ args: ['test'] })
+  // need both arguments and no arguments for code coverage
+  await runScript()
+})
+
+t.test('isNotWindows', async t => {
+  const { runScript } = await mockRunScript(t, {
+    'ci-info': { isCI: true },
+    '@npmcli/run-script': async () => {
+      t.ok('should call run-script')
+    },
+    '../lib/is-windows.js': false,
+  })
+
+  await runScript({ args: ['test'] })
+  // need both arguments and no arguments for code coverage
+  await runScript()
+})
