fix: Escape shell arguments

jawnsy · jawnsy · commit 259876f701f1 · 2021-01-24T01:47:36.000Z
The commands passed to "coder sh" are passed as a single argument
to "sh -c", so we need to shell-escape the command we pass.
This change escapes spaces, backslash, and quotes.
diff --git a/internal/cmd/shell.go b/internal/cmd/shell.go
@@ -80,17 +80,54 @@ coder sh front-end-dev cat ~/config.json`,
 	}
 }
 
+// shellEscape escapes an argument so that we can pass it 'sh -c'
+// and have it do the right thing.
+//
+// Use this to ensure that the result of a command running in
+// the development environment behaves the same as the command
+// running via "coder sh".
+//
+// For example:
+//
+// $ coder sh env
+// $ go run ~/test.go 1 2 "3 4" '"abc def" \\abc' 5 6 "7 8 9"
+//
+// should produce the same output as:
+//
+// $ coder sh go run ~/test.go 1 2 "3 4" '"abc def" \\abc' 5 6 "7 8 9"
+func shellEscape(arg string) string {
+	r := strings.NewReplacer(`\`, `\\`, `"`, `\"`, `'`, `\'`, ` `, `\ `)
+	return r.Replace(arg)
+}
+
 func shell(cmd *cobra.Command, cmdArgs []string) error {
 	ctx := cmd.Context()
-	command := "sh"
-	args := []string{"-c"}
+
+	var command string
+	var args []string
 	if len(cmdArgs) > 1 {
-		args = append(args, strings.Join(cmdArgs[1:], " "))
+		var escapedArgs strings.Builder
+
+		for i, arg := range cmdArgs[1:] {
+			escapedArgs.WriteString(shellEscape(arg))
+
+			// Add spaces between arguments, except the last argument
+			if i < len(cmdArgs)-2 {
+				escapedArgs.WriteByte(' ')
+			}
+		}
+
+		command = "/bin/sh"
+		args = []string{"-c"}
+		args = append(args, escapedArgs.String())
 	} else {
 		// Bring user into shell if no command is specified.
 		shell := "$(getent passwd $(id -u) | cut -d: -f 7)"
-		name := "-$(basename " + shell + ")"
-		args = append(args, fmt.Sprintf("exec -a %q %q", name, shell))
+
+		// force bash for the '-l' flag to the exec built-in
+		command = "/bin/bash"
+		args = []string{"-c"}
+		args = append(args, fmt.Sprintf("exec -l %q", shell))
 	}
 
 	envName := cmdArgs[0]
diff --git a/internal/cmd/shell_test.go b/internal/cmd/shell_test.go
@@ -0,0 +1,41 @@
+package cmd
+
+import "testing"
+
+func TestShellEscape(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		Name    string
+		Input   string
+		Escaped string
+	}{
+		{
+			Name:    "single space",
+			Input:   "hello world",
+			Escaped: `hello\ world`,
+		},
+		{
+			Name:    "multiple spaces",
+			Input:   "test message hello  world",
+			Escaped: `test\ message\ hello\ \ world`,
+		},
+		{
+			Name:    "mixed quotes",
+			Input:   `"''"`,
+			Escaped: `\"\'\'\"`,
+		},
+		{
+			Name:    "mixed escaped quotes",
+			Input:   `"'\"\"'"`,
+			Escaped: `\"\'\\\"\\\"\'\"`,
+		},
+	}
+
+	for _, test := range tests {
+		if e, a := test.Escaped, shellEscape(test.Input); e != a {
+			t.Fatalf("test %q failed; expected: %q, got %q (input: %q)",
+				test.Name, test.Escaped, a, test.Input)
+		}
+	}
+}
