fix: escape shell arguments (#3956)

close #3907 Co-authored-by: Zoltan Kochan <z@kochan.io>
2025-12-24 07:38:12 -05:00 · 2021-11-09 08:41:45 +08:00
parent 302ae4f6f1
commit fa03cbdc85
5 changed files with 36 additions and 1 deletions
--- a/.changeset/shaggy-buckets-fail.md
+++ b/.changeset/shaggy-buckets-fail.md
@@ -0,0 +1,6 @@
+---
+"@pnpm/lifecycle": patch
+"pnpm": patch
+---
+
+Escape the arguments that are passed to the scripts [#3907](https://github.com/pnpm/pnpm/issues/3907).
--- a/packages/lifecycle/src/runLifecycleHook.ts
+++ b/packages/lifecycle/src/runLifecycleHook.ts
@@ -36,7 +36,8 @@ export default async function runLifecycleHook (
    m.scripts.start = 'node server.js'
  }
  if (opts.args?.length && m.scripts?.[stage]) {
-    m.scripts[stage] = `${m.scripts[stage]} ${opts.args.map((arg) => `"${arg}"`).join(' ')}`
+    const escapedArgs = opts.args.map((arg) => JSON.stringify(arg))
+    m.scripts[stage] = `${m.scripts[stage]} ${escapedArgs.join(' ')}`
  }
  // This script is used to prevent the usage of npm or Yarn.
  // It does nothing, when pnpm is used, so we may skip its execution.
--- a/packages/lifecycle/test/fixtures/escape-args/echo.sh
+++ b/packages/lifecycle/test/fixtures/escape-args/echo.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env node
+
+const fs = require('fs');
+const path = require('path');
+
+fs.writeFileSync(path.join(__dirname, 'output.json'), JSON.stringify(process.argv.slice(2), null, 2))
--- a/packages/lifecycle/test/fixtures/escape-args/package.json
+++ b/packages/lifecycle/test/fixtures/escape-args/package.json
@@ -0,0 +1,7 @@
+{
+  "name": "issue-3907",
+  "version": "1.0.0",
+  "scripts": {
+    "echo": "node echo.sh"
+  }
+}
--- a/packages/lifecycle/test/index.ts
+++ b/packages/lifecycle/test/index.ts
@@ -22,6 +22,21 @@ test('runLifecycleHook()', async () => {
  expect((await import(path.join(pkgRoot, 'output.json'))).default).toStrictEqual(['install'])
 })

+test('runLifecycleHook() escapes the args passed to the script', async () => {
+  const pkgRoot = path.join(fixtures, 'escape-args')
+  const pkg = await import(path.join(pkgRoot, 'package.json'))
+  await runLifecycleHook('echo', pkg, {
+    depPath: '/escape-args/1.0.0',
+    pkgRoot,
+    rawConfig: {},
+    rootModulesDir,
+    unsafePerm: true,
+    args: ['Revert "feature (#1)"'],
+  })
+
+  expect((await import(path.join(pkgRoot, 'output.json'))).default).toStrictEqual(['Revert "feature (#1)"'])
+})
+
 test('runPostinstallHooks()', async () => {
  const pkgRoot = path.join(fixtures, 'with-many-scripts')
  rimraf.sync(path.join(pkgRoot, 'output.json'))