cmd.exe argument quoting. cmd.exe does NOT use CommandLineToArgvW-style backslash escaping — it toggles its quoting state on every raw " character, so an embedded " breaks out of the quoted region and exposes metacharacters (& | < > ^) to cmd.exe interpretation = command injection.
(arg: string)
```typescript
/* …
 * \ before our closing " would eat the close-quote.
 */
function cmdQuote(arg: string): string {
  // Drop embedded " (cmd.exe toggles quoting on every raw ") and double each %.
  const stripped = arg.replace(/"/g, '').replace(/%/g, '%%')
  // Double a trailing run of backslashes so it cannot eat the closing ".
  const escaped = stripped.replace(/(\\+)$/, '$1$1')
  return `"${escaped}"`
}
```
no outgoing calls
no test coverage detected
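The check below is an added example, not part of the project's code: it models only the quote toggling described in the comment above and reports which metacharacters end up outside a quoted region. `cmdQuote` is copied from the page; `argvStyleQuote` and `exposedMetachars` are hypothetical helpers, the sample arguments are constructed, and the model deliberately ignores `^` escaping and `%` expansion.

```typescript
// cmdQuote as shown on the page.
function cmdQuote(arg: string): string {
  const stripped = arg.replace(/"/g, '').replace(/%/g, '%%')
  const escaped = stripped.replace(/(\\+)$/, '$1$1')
  return `"${escaped}"`
}

// Hypothetical contrast: CommandLineToArgvW-style quoting, which keeps
// embedded quotes and backslash-escapes them.
function argvStyleQuote(arg: string): string {
  const inner = arg.replace(/(\\*)"/g, '$1$1\\"').replace(/(\\+)$/, '$1$1')
  return `"${inner}"`
}

// Hypothetical checker (simplified model): flip the quoting state on every
// raw " and collect the metacharacters seen while unquoted.
function exposedMetachars(quoted: string): string[] {
  const exposed: string[] = []
  let inQuotes = false
  for (let i = 0; i < quoted.length; i++) {
    const ch = quoted.charAt(i)
    if (ch === '"') {
      inQuotes = !inQuotes
    } else if (!inQuotes && '&|<>^'.indexOf(ch) !== -1) {
      exposed.push(ch)
    }
  }
  return exposed
}

// Compare both quoting styles for one argument.
function compare(arg: string): { argvStyle: string[]; cmdStyle: string[] } {
  return {
    argvStyle: exposedMetachars(argvStyleQuote(arg)),
    cmdStyle: exposedMetachars(cmdQuote(arg)),
  }
}

// Constructed sample arguments, including one with embedded quotes.
const samples = ['plain', 'a & b', 'x" & echo INJECTED & "y', 'C:\\dir\\', '100%']
for (const s of samples) {
  const r = compare(s)
  console.log(JSON.stringify(s), 'argv-style exposes', r.argvStyle, 'cmdQuote exposes', r.cmdStyle)
}
```

A regression test for `cmdQuote` can assert that `exposedMetachars(cmdQuote(x))` is empty for every input in its corpus.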