(args: ReadonlyArray<unknown>)
| 264 | } |
| 265 | |
| 266 | export function quote(args: ReadonlyArray<unknown>): string { |
| 267 | // First try the strict validation |
| 268 | const result = tryQuoteShellArgs([...args]) |
| 269 | |
| 270 | if (result.success) { |
| 271 | return result.quoted |
| 272 | } |
| 273 | |
| 274 | // If strict validation failed, use lenient fallback |
| 275 | // This handles objects, symbols, functions, etc. by converting them to strings |
| 276 | try { |
| 277 | const stringArgs = args.map(arg => { |
| 278 | if (arg === null || arg === undefined) { |
| 279 | return String(arg) |
| 280 | } |
| 281 | |
| 282 | const type = typeof arg |
| 283 | |
| 284 | if (type === 'string' || type === 'number' || type === 'boolean') { |
| 285 | return String(arg) |
| 286 | } |
| 287 | |
| 288 | // For unsupported types, use JSON.stringify as a safe fallback |
| 289 | // This ensures we don't crash but still get a meaningful representation |
| 290 | return jsonStringify(arg) |
| 291 | }) |
| 292 | |
| 293 | return shellQuoteQuote(stringArgs) |
| 294 | } catch (error) { |
| 295 | // SECURITY: Never use JSON.stringify as a fallback for shell quoting. |
| 296 | // JSON.stringify uses double quotes which don't prevent shell command execution. |
| 297 | // For example, jsonStringify(['echo', '$(whoami)']) produces "echo" "$(whoami)" |
| 298 | if (error instanceof Error) { |
| 299 | logError(error) |
| 300 | } |
| 301 | throw new Error('Failed to quote shell arguments safely') |
| 302 | } |
| 303 | } |
no test coverage detected