* Escape a string for safe inclusion as a single shell argument. * Cross-platform: uses POSIX single-quoting on Linux/macOS, and CMD-style * double-quote-with-escape on Windows. * * For Windows we double internal double-quotes and reject embedded NULs. * Use this in preference to manual `"${val
(value)
| 174 | * a tool result, user input, or model output is going into a shell command. |
| 175 | */ |
| 176 | function escapeShellArg(value) { |
| 177 | const s = String(value == null ? '' : value); |
| 178 | if (s.indexOf('\u0000') !== -1) { |
| 179 | throw new Error('shell argument contains NUL byte'); |
| 180 | } |
| 181 | if (process.platform === 'win32') { |
| 182 | // CMD: wrap in double quotes, escape internal double quotes by doubling. |
| 183 | // Reject backticks/dollar-paren — they're CMD metachars in some contexts. |
| 184 | return `"${s.replace(/"/g, '""')}"`; |
| 185 | } |
| 186 | // POSIX: single-quote and escape any embedded single quote with '\'' |
| 187 | return `'${s.replace(/'/g, `'\\''`)}'`; |
| 188 | } |
| 189 | |
| 190 | /** |
| 191 | * Build a shell command from a base + already-trusted prefix and an array |
no outgoing calls
no test coverage detected