Merge pull request microsoft#68435 from geirha/61902-shell-injection

weinand · web-flow · commit 1b1815a24eae · 2019-02-13T12:22:48.000+01:00
Use hard quotes rather than soft quotes microsoft#61902
diff --git a/src/vs/workbench/contrib/debug/node/terminals.ts b/src/vs/workbench/contrib/debug/node/terminals.ts
@@ -320,6 +320,7 @@ export function prepareCommand(args: DebugProtocol.RunInTerminalRequestArguments
 	}
 
 	let quote: (s: string) => string;
+	let hardQuote: (s: string) => string;
 	let command = '';
 
 	switch (shellType) {
@@ -391,17 +392,21 @@ export function prepareCommand(args: DebugProtocol.RunInTerminalRequestArguments
 				return (s.indexOf(' ') >= 0 || s.indexOf('\\') >= 0) ? `"${s}"` : s;
 			};
 
+			hardQuote = (s: string) => {
+				return /[^\w@%\/+=,.:^-]/.test(s) ? `'${s.replace(/'/g, '\'\\\'\'')}'` : s;
+			};
+
 			if (args.cwd) {
-				command += `cd ${quote(args.cwd)} ; `;
+				command += `cd ${hardQuote(args.cwd)} && `;
 			}
 			if (args.env) {
 				command += 'env';
 				for (let key in args.env) {
 					const value = args.env[key];
 					if (value === null) {
-						command += ` -u "${key}"`;
+						command += ` -u ${hardQuote(key)}`;
 					} else {
-						command += ` "${key}=${value}"`;
+						command += ` ${hardQuote(`${key}=${value}`)}`;
 					}
 				}
 				command += ' ';
