fix(shell): escape cmd.exe special chars (%, ^, newlines)

Additional hardening for Windows shell escaping:
- Escape % as %% to prevent variable expansion
- Escape ^ as ^^ to prevent escape sequence interpretation
- Replace newlines/tabs with space to prevent parsing errors
This commit is contained in:
kaitranntt
2026-02-05 10:32:31 -05:00
parent ff92c66b64
commit ed91f21994
+10 -1
View File
@@ -21,7 +21,16 @@ export function escapeShellArg(arg: string): string {
if (isWindows) {
// cmd.exe: Use double quotes, escape inner double quotes with backslash
// cmd.exe interprets "" as escaped double quote inside quoted string
return '"' + String(arg).replace(/"/g, '""') + '"';
// Strip newlines/tabs that can break cmd.exe parsing
return (
'"' +
String(arg)
.replace(/[\r\n\t]/g, ' ') // Replace newlines/tabs with space
.replace(/%/g, '%%') // Escape percent signs
.replace(/\^/g, '^^') // Escape carets
.replace(/"/g, '""') + // Escape quotes
'"'
);
} else {
// Unix/macOS: Double quotes with escaped inner quotes
return '"' + String(arg).replace(/"/g, '\\"') + '"';