2020-09-29 04:16:52 +03:00
// Copyright 2020 The Gitea Authors. All rights reserved.
2022-11-27 21:20:29 +03:00
// SPDX-License-Identifier: MIT
2020-09-29 04:16:52 +03:00
package util
import "strings"
// Bash has the definition of a metacharacter:
// * A character that, when unquoted, separates words.
// A metacharacter is one of: " \t\n|&;()<>"
//
// The following characters also have addition special meaning when unescaped:
// * ‘ ${[*?!"'`\’
//
// Double Quotes preserve the literal value of all characters with then quotes
// excepting: ‘ $’ , ‘ `’ , ‘ \’ , and, when history expansion is enabled, ‘ !’ .
// The backslash retains its special meaning only when followed by one of the
// following characters: ‘ $’ , ‘ `’ , ‘ "’ , ‘ \’ , or newline.
// Backslashes preceding characters without a special meaning are left
// unmodified. A double quote may be quoted within double quotes by preceding
// it with a backslash. If enabled, history expansion will be performed unless
// an ‘ !’ appearing in double quotes is escaped using a backslash. The
// backslash preceding the ‘ !’ is not removed.
//
// -> This means that `!\n` cannot be safely expressed in `"`.
//
// Looking at the man page for Dash and ash the situation is similar.
//
// Now zsh requires that ‘ }’ , and ‘ ]’ are also enclosed in doublequotes or escaped
//
// Single quotes escape everything except a ‘ '’
//
// There's one other gotcha - ‘ ~’ at the start of a string needs to be expanded
// because people always expect that - of course if there is a special character before '/'
// this is not going to work
const (
tildePrefix = '~'
needsEscape = " \t\n|&;()<>${}[]*?!\"'`\\"
needsSingleQuote = "!\n"
)
2022-01-20 20:46:10 +03:00
var (
doubleQuoteEscaper = strings . NewReplacer ( ` $ ` , ` \$ ` , "`" , "\\`" , ` " ` , ` \" ` , ` \ ` , ` \\ ` )
singleQuoteEscaper = strings . NewReplacer ( ` ' ` , ` '\'' ` )
singleQuoteCoalescer = strings . NewReplacer ( ` ''\' ` , ` \' ` , ` \''' ` , ` \' ` )
)
2020-09-29 04:16:52 +03:00
// ShellEscape will escape the provided string.
// We can't just use go-shellquote here because our preferences for escaping differ from those in that we want:
//
// * If the string doesn't require any escaping just leave it as it is.
// * If the string requires any escaping prefer double quote escaping
// * If we have ! or newlines then we need to use single quote escaping
func ShellEscape ( toEscape string ) string {
if len ( toEscape ) == 0 {
return toEscape
}
start := 0
if toEscape [ 0 ] == tildePrefix {
// We're in the forcibly non-escaped section...
idx := strings . IndexRune ( toEscape , '/' )
if idx < 0 {
idx = len ( toEscape )
} else {
idx ++
}
if ! strings . ContainsAny ( toEscape [ : idx ] , needsEscape ) {
// We'll assume that they intend ~ expansion to occur
start = idx
}
}
// Now for simplicity we'll look at the rest of the string
if ! strings . ContainsAny ( toEscape [ start : ] , needsEscape ) {
return toEscape
}
// OK we have to do some escaping
sb := & strings . Builder { }
_ , _ = sb . WriteString ( toEscape [ : start ] )
// Do we have any characters which absolutely need to be within single quotes - that is simply ! or \n?
if strings . ContainsAny ( toEscape [ start : ] , needsSingleQuote ) {
// We need to single quote escape.
sb2 := & strings . Builder { }
_ , _ = sb2 . WriteRune ( '\'' )
_ , _ = singleQuoteEscaper . WriteString ( sb2 , toEscape [ start : ] )
_ , _ = sb2 . WriteRune ( '\'' )
_ , _ = singleQuoteCoalescer . WriteString ( sb , sb2 . String ( ) )
return sb . String ( )
}
// OK we can just use " just escape the things that need escaping
_ , _ = sb . WriteRune ( '"' )
_ , _ = doubleQuoteEscaper . WriteString ( sb , toEscape [ start : ] )
_ , _ = sb . WriteRune ( '"' )
return sb . String ( )
}