(args: ReadonlyArray<unknown>)
| 265 | } |
| 266 | |
| 267 | export function quote(args: ReadonlyArray<unknown>): string { |
| 268 | // First try the strict validation |
| 269 | const result = tryQuoteShellArgs([...args]) |
| 270 | |
| 271 | if (result.success) { |
| 272 | return result.quoted |
| 273 | } |
| 274 | |
| 275 | // If strict validation failed, use lenient fallback |
| 276 | // This handles objects, symbols, functions, etc. by converting them to strings |
| 277 | try { |
| 278 | const stringArgs = args.map(arg => { |
| 279 | if (arg === null || arg === undefined) { |
| 280 | return String(arg) |
| 281 | } |
| 282 | |
| 283 | const type = typeof arg |
| 284 | |
| 285 | if (type === 'string' || type === 'number' || type === 'boolean') { |
| 286 | return String(arg) |
| 287 | } |
| 288 | |
| 289 | // For unsupported types, use JSON.stringify as a safe fallback |
| 290 | // This ensures we don't crash but still get a meaningful representation |
| 291 | return jsonStringify(arg) |
| 292 | }) |
| 293 | |
| 294 | return shellQuoteQuote(stringArgs) |
| 295 | } catch (error) { |
| 296 | // SECURITY: Never use JSON.stringify as a fallback for shell quoting. |
| 297 | // JSON.stringify uses double quotes which don't prevent shell command execution. |
| 298 | // For example, jsonStringify(['echo', '$(whoami)']) produces "echo" "$(whoami)" |
| 299 | if (error instanceof Error) { |
| 300 | logError(error) |
| 301 | } |
| 302 | throw new Error('Failed to quote shell arguments safely') |
| 303 | } |
| 304 | } |
| 305 |
no test coverage detected