How do I escape a string for a shell command in node?
This is what I use:
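var escapeShell = function(cmd) {
  // Inside double quotes only ", $, ` and \ are special to the shell;
  // escaping ' as well would leave a stray backslash in the value.
  return '"' + cmd.replace(/(["$`\\])/g, '\\$1') + '"';
};
If you need a simple (yet correct) solution, you can use this:
function escapeShellArg (arg) {
  return `'${arg.replace(/'/g, `'\\''`)}'`;
}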
So your string will be simply escaped with single quotes as Chris Johnsen mentioned.
echo 'John'\''s phone';
It works in bash because of strong quoting, feels like it also works in fish, but does not work in zsh and sh.
If you have bash you can run your script in sh or zsh with 'bash -c \'' + escape('all-the-rest-escaped') + '\''.
But actually... node.js will escape all needed characters for you:
var child = require('child_process')
  .spawn('echo', ['`echo 1`;"echo $SSH_TTY;\'\\0{0..5}']);
child.stdout.on('data', function (data) {
  console.log('stdout: ' + data);
});
child.stderr.on('data', function (data) {
  console.log('stderr: ' + data);
});
This block of code will execute:
echo '`echo 1`;"echo $SSH_TTY;'\''\\0{0..5}'
and will output:
stdout: `echo 1`;"echo $SSH_TTY;\'\\0{0..5}
or some error.
Take a look at http://nodejs.org/api/child_process.html#child_process_child_process_spawn_command_args_options
By the way, a simple solution to run a bunch of commands is:
require('child_process')
  .spawn('sh', ['-c', [
    'cd all/your/commands',
    'ls here',
    'echo "and even" > more'
  ].join('; ')]);
Have a nice day!
You should never rely on escaping unknown input going to a shell parameter - there will almost always be some edge-case that you haven't thought of that allows the user to execute arbitrary code on your server.
Node has support for calling a command and passing each argument separately, with no escaping required. This is the safest way to do it:
const { spawn } = require('child_process');

// Note that the arguments are in an array, not using string interpolation
const ls = spawn('ls', ['-lh', '/usr']);

ls.stdout.on('data', (data) => {
  console.log(`stdout: ${data}`);
});

ls.stderr.on('data', (data) => {
  console.log(`stderr: ${data}`);
});

ls.on('close', (code) => {
  console.log(`child process exited with code ${code}`);
});
The documentation is here
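An added example, not part of any answer above: a round-trip check that sends constructed inputs to a child process both as a separate argv entry and through `sh -c` with the single-quote quoting, and confirms that each arrives unchanged. It also shows that the array form stops being safe once `shell: true` is set. The helper names `viaArgv`, `viaQuotedShell`, `viaShellOption` and `checkRoundTrips` are hypothetical, and a POSIX `sh` and `printf` on PATH are assumed.

```javascript
const { execFileSync } = require('node:child_process');

// Single-quote quoting as in the second answer: wrap in '...' and
// replace every embedded ' with '\'' (close quote, escaped quote, reopen).
function escapeShellArg(arg) {
  return `'${arg.replace(/'/g, `'\\''`)}'`;
}

// Path 1: no shell involved. The value is exactly one argv entry of printf.
function viaArgv(value) {
  return execFileSync('printf', ['%s', value], { encoding: 'utf8' });
}

// Path 2: a shell command string with the value quoted by escapeShellArg.
function viaQuotedShell(value) {
  const command = 'printf %s ' + escapeShellArg(value);
  return execFileSync('sh', ['-c', command], { encoding: 'utf8' });
}

// Path 3: array form but with shell: true. Node joins the array into one
// command string without quoting, so the shell parses the value again.
function viaShellOption(value) {
  return execFileSync('printf', ['%s', value], { encoding: 'utf8', shell: true });
}

// Constructed sample inputs; the first is the string from the spawn answer.
const samples = [
  '`echo 1`;"echo $SSH_TTY;\'\\0{0..5}',
  "John's phone",
  'two  spaces and a\nnewline',
  '$(echo 2) && echo 3 | cat > /dev/null',
];

// One row per sample: did each path hand the child the exact input bytes?
function checkRoundTrips() {
  return samples.map((value) => ({
    value,
    argv: viaArgv(value) === value,
    quoted: viaQuotedShell(value) === value,
  }));
}

console.table(checkRoundTrips());
// Harmless sign of shell re-parsing: the double space is split away.
console.log(JSON.stringify(viaShellOption('a  b')));
```

Recent Node releases print a deprecation warning when an argument array is combined with `shell: true`; the call still runs.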