Skip to content

Fix double escaping in Build worker tar command#11250

Open
nathfavour wants to merge 1 commit intoappwrite:mainfrom
nathfavour:main
Open

Fix double escaping in Build worker tar command#11250
nathfavour wants to merge 1 commit intoappwrite:mainfrom
nathfavour:main

Conversation

@nathfavour
Copy link

@nathfavour nathfavour commented Feb 4, 2026

I noticed that the tar command in the Build worker was using both escapeshellarg and escapeshellcmd on the same variable, which caused build failures for directory paths with special characters like spaces. I've removed the redundant escaping to ensure the paths are handled correctly and securely.

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Feb 4, 2026
edited
Loading

📝 Walkthrough

Walkthrough

Modified the tar command invocation in the Builds.php file to remove escapeshellcmd() wrapping from the directory parameter across two deployment scenarios: template-less and VCS-based deployments. The directory path is used directly instead of being passed through an additional escaping layer. No changes to logic, error handling, or function signatures were introduced.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately describes the main change: removing double escaping from the tar command in the Build worker. It's specific, concise, and reflects the core issue being fixed.
Description check ✅ Passed The description clearly explains the problem (double escaping with escapeshellarg and escapeshellcmd), the impact (build failures with special characters), and the solution (removing redundant escaping). It directly relates to the changeset.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing touches
  • 📝 Generate docstrings
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions
Copy link

github-actions bot commented Feb 4, 2026

Security Scan Results for PR

Docker Image Scan Results

Package Version Vulnerability Severity
libcrypto3 3.5.4-r0 CVE-2025-15467 CRITICAL
libcrypto3 3.5.4-r0 CVE-2025-69419 HIGH
libcrypto3 3.5.4-r0 CVE-2025-69421 HIGH
libexpat 2.7.3-r0 CVE-2026-24515 CRITICAL
libpng 1.6.51-r0 CVE-2025-66293 HIGH
libpng 1.6.51-r0 CVE-2026-22695 HIGH
libpng 1.6.51-r0 CVE-2026-22801 HIGH
libpng-dev 1.6.51-r0 CVE-2025-66293 HIGH
libpng-dev 1.6.51-r0 CVE-2026-22695 HIGH
libpng-dev 1.6.51-r0 CVE-2026-22801 HIGH
libssl3 3.5.4-r0 CVE-2025-15467 CRITICAL
libssl3 3.5.4-r0 CVE-2025-69419 HIGH
libssl3 3.5.4-r0 CVE-2025-69421 HIGH
openssl 3.5.4-r0 CVE-2025-15467 CRITICAL
openssl 3.5.4-r0 CVE-2025-69419 HIGH
openssl 3.5.4-r0 CVE-2025-69421 HIGH
openssl-dev 3.5.4-r0 CVE-2025-15467 CRITICAL
openssl-dev 3.5.4-r0 CVE-2025-69419 HIGH
openssl-dev 3.5.4-r0 CVE-2025-69421 HIGH
py3-urllib3 1.26.20-r0 CVE-2026-21441 HIGH
py3-urllib3-pyc 1.26.20-r0 CVE-2026-21441 HIGH

Source Code Scan Results

🎉 No vulnerabilities found!

coderabbitai[bot]
coderabbitai bot reviewed Feb 4, 2026
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
src/Appwrite/Platform/Modules/Functions/Workers/Builds.php (1)

420-430: ⚠️ Potential issue | 🟡 Minor

Pre-existing double-quoting issue in the mv command.

This code block handles directories with spaces, which aligns with this PR's objective. However, line 424 has the same class of escaping issue: escapeshellarg() already wraps arguments in single quotes, so the additional double quotes create malformed syntax like mv "'/path/with space/from'" "'/path/with space/to'".

Consider fixing this for consistency with the tar command fixes:

🐛 Proposed fix 
-                    $exit = Console::execute('mv "' . \escapeshellarg($from) . '" "' . \escapeshellarg($to) . '"', '', $stdout, $stderr);
+                    $exit = Console::execute('mv ' . \escapeshellarg($from) . ' ' . \escapeshellarg($to), '', $stdout, $stderr);

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@nathfavour