When processing user input that will be used in shell commands, implement shell-specific escaping mechanisms to prevent command injection vulnerabilities. Different shells (bash, PowerShell, zsh, fish) have different escaping requirements that must be handled appropriately.
For example, instead of using a generic approach like:

```javascript
// Unsafe - generic character removal
const bannedChars = /[\`\$\|\&\>\~\#\!\^\*\;\<\"\']/g;
newPath = newPath.replace(bannedChars, '');
```
Implement shell-specific escaping (the escaped value is then placed inside single quotes, which is the context this escaping assumes):

```javascript
// Safe - proper shell-specific escaping for a value embedded in single quotes
if (shellType === 'bash' || shellType === 'zsh') {
  // POSIX shells: close the quote, insert an escaped quote, reopen the quote
  path = path.replace(/'/g, "'\\''");
} else if (shellType === 'fish') {
  // fish honours \\ and \' inside single quotes, so escape backslashes first;
  // otherwise a backslash preceding a quote would neutralise the escaped quote
  path = path.replace(/\\/g, '\\\\').replace(/'/g, "\\'");
} else if (shellType === 'powershell') {
  // PowerShell doubles single quotes inside a single-quoted string
  path = path.replace(/'/g, "''");
}
```
This approach prevents command injection by ensuring that user input cannot break out of the single-quoted string context in which it is embedded and so cannot be parsed by the shell as a separate command.
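The following is an added example, not code from the original page: a hypothetical `quoteForShell` helper that applies the three quoting rules above and returns the value already wrapped in single quotes, plus a small `unquoteForShell` parser that reads the quoted text back using each shell's grammar. The parser exists only to check the escaping: it throws if any character ends up outside the quotes, which is exactly the breakout an injection needs. The sample input is constructed; it contains quotes, double quotes, a `$(...)` substitution and a backslash immediately before a quote, the case that defeats quote-only escaping in fish.

```javascript
// Added example (hypothetical helper, not from the original page).
// Returns `value` wrapped in single quotes using the named shell's rule for
// embedding a literal single quote:
//   bash/zsh:   close, escaped quote, reopen   ->  '\''
//   fish:       backslash before the quote     ->  \'   (and \\ for a backslash)
//   powershell: doubled quote                   ->  ''
function quoteForShell(shellType, value) {
  const s = String(value);
  switch (shellType) {
    case 'bash':
    case 'zsh':
      return "'" + s.replace(/'/g, "'\\''") + "'";
    case 'fish':
      // Inside single quotes fish interprets \\ and \', so both must be escaped.
      return "'" + s.replace(/\\/g, '\\\\').replace(/'/g, "\\'") + "'";
    case 'powershell':
      return "'" + s.replace(/'/g, "''") + "'";
    default:
      throw new Error(`unsupported shell: ${shellType}`);
  }
}

// Parses a single-quoted string back to its value with the named shell's
// grammar. Throws on any text outside the quotes (a breakout) or on an
// unterminated quote. Used here only to verify that quoting round-trips.
function unquoteForShell(shellType, quoted) {
  let out = '';
  let i = 0;
  const n = quoted.length;
  while (i < n) {
    if (quoted[i] !== "'") {
      // bash/zsh and fish accept \' outside quotes as a literal quote
      if (shellType !== 'powershell' && quoted[i] === '\\' && quoted[i + 1] === "'") {
        out += "'";
        i += 2;
        continue;
      }
      throw new Error(`unquoted text at offset ${i}: ${JSON.stringify(quoted.slice(i))}`);
    }
    i += 1; // opening quote
    for (;;) {
      if (i >= n) throw new Error('unterminated single quote');
      const c = quoted[i];
      if (c === "'") {
        if (shellType === 'powershell' && quoted[i + 1] === "'") {
          out += "'"; // doubled quote is a literal quote in PowerShell
          i += 2;
          continue;
        }
        i += 1; // closing quote
        break;
      }
      if (shellType === 'fish' && c === '\\' && (quoted[i + 1] === "'" || quoted[i + 1] === '\\')) {
        out += quoted[i + 1]; // fish escape inside single quotes
        i += 2;
        continue;
      }
      out += c;
      i += 1;
    }
  }
  return out;
}

// True when quoting then parsing with the same shell grammar yields the input.
function roundTrips(shellType, value) {
  return unquoteForShell(shellType, quoteForShell(shellType, value)) === value;
}

// True when the parser finds text outside the quotes, i.e. the value broke out.
function breaksOut(shellType, quoted) {
  try {
    unquoteForShell(shellType, quoted);
    return false;
  } catch (e) {
    return /unquoted text/.test(e.message);
  }
}

// Constructed sample: quotes, double quotes, a substitution, and a backslash
// directly before a quote.
const SAMPLE = "it's a \"test\" $(date) a\\'b";

// Quote-only escaping for fish, as written without the backslash step: the
// backslash in the input swallows the escape and the quote closes the string.
function fishQuoteOnlyEscape(value) {
  return "'" + String(value).replace(/'/g, "\\'") + "'";
}

// Usage: build a command line for the chosen shell.
function buildListCommand(shellType, path) {
  return 'ls -l ' + quoteForShell(shellType, path);
}

// Example run
for (const shell of ['bash', 'zsh', 'fish', 'powershell']) {
  console.log(shell, buildListCommand(shell, SAMPLE), roundTrips(shell, SAMPLE));
}
console.log('fish quote-only escaping breaks out:', breaksOut('fish', fishQuoteOnlyEscape(SAMPLE)));
```

Escaping is the fallback for when a shell must parse the string; where the program can be invoked directly, passing the value as a separate argument (for example `child_process.execFile` with an argument array) avoids shell parsing entirely, and no escaping rule has to be chosen. Note also that the escaping in the example is correct only for values that land inside single quotes; a value placed in a double-quoted or unquoted position needs a different rule.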