escape printed characters to prevent command injection #45

src/application/Context/State/Code/Generation/Languages/BatchBuilder.ts

@@ -5,6 +5,12 @@ export class BatchBuilder extends CodeBuilder {
         return '::';
     }
     protected writeStandardOut(text: string): string {
-        return `echo ${text}`;
+        return `echo ${escapeForEcho(text)}`;
     }
 }
+
+function escapeForEcho(text: string) {
+    return text
+        .replace(/&/g, '^&')
+        .replace(/%/g, '%%');
+}

src/application/Context/State/Code/Generation/Languages/ShellBuilder.ts

@@ -5,6 +5,11 @@ export class ShellBuilder extends CodeBuilder {
         return '#';
     }
     protected writeStandardOut(text: string): string {
-        return `echo '${text}'`;
+        return `echo '${escapeForEcho(text)}'`;
     }
 }
+
+function escapeForEcho(text: string) {
+    return text
+        .replace(/'/g, '\'\\\'\'');
+}

tests/unit/application/Context/State/Code/Generation/Languages/BatchBuilder.spec.ts

@@ -23,15 +23,37 @@ describe('BatchBuilder', () => {
         });
     });
     describe('writeStandardOut', () => {
-        it('prepends expected', () => {
+        const testData = [
+            {
+                name: 'plain text',
+                text: 'test',
+                expected: 'echo test',
+            },
+            {
+                name: 'text with ampersand',
+                text: 'a & b',
+                expected: 'echo a ^& b',
+            },
+            {
+                name: 'text with percent sign',
+                text: '90%',
+                expected: 'echo 90%%',
+            },
+            {
+                name: 'text with multiple ampersands and percent signs',
+                text: 'Me&you in % ? You & me = 0%',
+                expected: 'echo Me^&you in %% ? You ^& me = 0%%',
+            },
+        ];
+        for (const test of testData) {
+            it(test.name, () => {
                 // arrange
-            const text = 'test';
-            const expected = `echo ${text}`;
                 const sut = new BatchBuilderRevealer();
                 // act
-            const actual = sut.writeStandardOut(text);
+                const actual = sut.writeStandardOut(test.text);
                 // assert
-            expect(expected).to.equal(actual);
+                expect(test.expected).to.equal(actual);
-        });
+            });
+        }
     });
 });

tests/unit/application/Context/State/Code/Generation/Languages/ShellBuilder.spec.ts

@@ -23,15 +23,32 @@ describe('ShellBuilder', () => {
         });
     });
     describe('writeStandardOut', () => {
-        it('prepends expected', () => {
+        const testData = [
+            {
+                name: 'plain text',
+                text: 'test',
+                expected: 'echo \'test\'',
+            },
+            {
+                name: 'text with single quote',
+                text: 'I\'m not who you think I am',
+                expected: 'echo \'I\'\\\'\'m not who you think I am\'',
+            },
+            {
+                name: 'text with multiple single quotes',
+                text: 'I\'m what you\'re',
+                expected: 'echo \'I\'\\\'\'m what you\'\\\'\'re\'',
+            },
+        ];
+        for (const test of testData) {
+            it(test.name, () => {
                 // arrange
-            const text = 'test';
-            const expected = `echo '${text}'`;
                 const sut = new ShellBuilderRevealer();
                 // act
-            const actual = sut.writeStandardOut(text);
+                const actual = sut.writeStandardOut(test.text);
                 // assert
-            expect(expected).to.equal(actual);
+                expect(test.expected).to.equal(actual);
-        });
+            });
+        }
     });
 });