From ed91f21994a3aa35a9e40539015676466b794144 Mon Sep 17 00:00:00 2001 From: kaitranntt Date: Thu, 5 Feb 2026 10:32:31 -0500 Subject: [PATCH] fix(shell): escape cmd.exe special chars (%, ^, newlines) Additional hardening for Windows shell escaping: - Escape % as %% to prevent variable expansion - Escape ^ as ^^ to prevent escape sequence interpretation - Replace newlines/tabs with space to prevent parsing errors --- src/utils/shell-executor.ts | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/src/utils/shell-executor.ts b/src/utils/shell-executor.ts index 4718e2e6..40a104fc 100644 --- a/src/utils/shell-executor.ts +++ b/src/utils/shell-executor.ts @@ -21,7 +21,16 @@ export function escapeShellArg(arg: string): string { if (isWindows) { // cmd.exe: Use double quotes, escape inner double quotes with backslash // cmd.exe interprets "" as escaped double quote inside quoted string - return '"' + String(arg).replace(/"/g, '""') + '"'; + // Strip newlines/tabs that can break cmd.exe parsing + return ( + '"' + + String(arg) + .replace(/[\r\n\t]/g, ' ') // Replace newlines/tabs with space + .replace(/%/g, '%%') // Escape percent signs + .replace(/\^/g, '^^') // Escape carets + .replace(/"/g, '""') + // Escape quotes + '"' + ); } else { // Unix/macOS: Double quotes with escaped inner quotes return '"' + String(arg).replace(/"/g, '\\"') + '"';