Skip to content

fix: avoid shell-escaping special characters except quotes #7242

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
lifeizhou-ap merged 3 commits into from
Feb 16, 2026
Merged

fix: avoid shell-escaping special characters except quotes #7242

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
2a742f5
removed dependency on shell quote as it has unexpected behaviour to e…
lifeizhou-ap Feb 16, 2026
e272ebb
Revert "removed dependency on shell quote as it has unexpected behavi…
lifeizhou-ap Feb 16, 2026
6aead6d
avoid shell-escaping special characters except quotes
lifeizhou-ap Feb 16, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion ui/desktop/src/components/settings/extensions/subcomponents/ExtensionList.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ import ExtensionItem from './ExtensionItem';
import builtInExtensionsData from '../../../../built-in-extensions.json';
import { ExtensionConfig } from '../../../../api';
import { FixedExtensionEntry } from '../../../ConfigContext';
import { combineCmdAndArgs } from '../utils';

interface ExtensionListProps {
extensions: FixedExtensionEntry[];
Expand Down Expand Up @@ -137,7 +138,7 @@ export function getSubtitle(config: ExtensionConfig) {
default:
return {
description: config.description || null,
command: 'cmd' in config ? [config.cmd, ...config.args].join(' ') : null,
command: 'cmd' in config ? combineCmdAndArgs(config.cmd, config.args) : null,
};
}
}
79 changes: 79 additions & 0 deletions ui/desktop/src/components/settings/extensions/utils.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -156,6 +156,85 @@ describe('Extension Utils', () => {
headers: [],
});
});

it('should not escape @ in command args', () => {
const extension: FixedExtensionEntry = {
type: 'stdio',
name: 'context7',
description: 'Context7 MCP',
cmd: 'npx',
args: ['-y', '@upstash/context7-mcp'],
enabled: true,
};

const formData = extensionToFormData(extension);
expect(formData.cmd).toBe('npx -y @upstash/context7-mcp');
});

it('should quote args with spaces', () => {
const extension: FixedExtensionEntry = {
type: 'stdio',
name: 'java-app',
description: 'Java app',
cmd: '/Applications/IntelliJ IDEA.app/Contents/jbr/Contents/Home/bin/java',
args: ['-classpath', '/path/with spaces/lib.jar', 'Main'],
enabled: true,
};

const formData = extensionToFormData(extension);
expect(formData.cmd).toBe(
'"/Applications/IntelliJ IDEA.app/Contents/jbr/Contents/Home/bin/java" -classpath "/path/with spaces/lib.jar" Main'
);
});

it('should roundtrip command with @ through form data', () => {
const extension: FixedExtensionEntry = {
type: 'stdio',
name: 'context7',
description: 'Context7 MCP',
cmd: 'npx',
args: ['-y', '@upstash/context7-mcp'],
enabled: true,
};

const formData = extensionToFormData(extension);
const { cmd, args } = splitCmdAndArgs(formData.cmd || '');
expect(cmd).toBe('npx');
expect(args).toEqual(['-y', '@upstash/context7-mcp']);
});

it('should roundtrip command with spaces through form data', () => {
const extension: FixedExtensionEntry = {
type: 'stdio',
name: 'java-app',
description: 'Java app',
cmd: '/Applications/IntelliJ IDEA.app/Contents/jbr/Contents/Home/bin/java',
args: ['-classpath', '/path/with spaces/lib.jar', 'Main'],
enabled: true,
};

const formData = extensionToFormData(extension);
const { cmd, args } = splitCmdAndArgs(formData.cmd || '');
expect(cmd).toBe('/Applications/IntelliJ IDEA.app/Contents/jbr/Contents/Home/bin/java');
expect(args).toEqual(['-classpath', '/path/with spaces/lib.jar', 'Main']);
});

it('should roundtrip args with double quotes and spaces through form data', () => {
const extension: FixedExtensionEntry = {
type: 'stdio',
name: 'test',
description: 'test',
cmd: 'node',
args: ['/My "Project"/bin/run'],
enabled: true,
};

const formData = extensionToFormData(extension);
expect(formData.cmd).toBe('node \'/My "Project"/bin/run\'');
const { cmd, args } = splitCmdAndArgs(formData.cmd || '');
expect(cmd).toBe('node');
expect(args).toEqual(['/My "Project"/bin/run']);
});
});

describe('createExtensionConfig', () => {
Expand Down
16 changes: 11 additions & 5 deletions ui/desktop/src/components/settings/extensions/utils.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
import type { FixedExtensionEntry } from '../../ConfigContext';
import type { ExtensionConfig } from '../../../api/types.gen';
import { parse as parseShellQuote, quote as quoteShell } from 'shell-quote';
import { parse as parseShellQuote } from 'shell-quote';

// Default extension timeout in seconds
// TODO: keep in sync with rust better
Expand Down Expand Up @@ -100,11 +100,11 @@ export function extensionToFormData(extension: FixedExtensionEntry): ExtensionFo
description: extension.description || '',
type:
extension.type === 'frontend' ||
extension.type === 'inline_python' ||
extension.type === 'platform'
extension.type === 'inline_python' ||
extension.type === 'platform'
? 'stdio'
: extension.type,
cmd: extension.type === 'stdio' ? quoteShell([extension.cmd, ...extension.args]) : undefined,
cmd: extension.type === 'stdio' ? combineCmdAndArgs(extension.cmd, extension.args) : undefined,
endpoint:
extension.type === 'streamable_http' || extension.type === 'sse'
? (extension.uri ?? undefined)
Expand Down Expand Up @@ -187,7 +187,13 @@ export function splitCmdAndArgs(str: string): { cmd: string; args: string[] } {
}

export function combineCmdAndArgs(cmd: string, args: string[]): string {
return quoteShell([cmd, ...args]);
return [cmd, ...args]
.map((a) => {
if (!a.includes(' ')) return a;
if (a.includes('"')) return `'${a}'`;
Copy link

Copilot AI Feb 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The quoting logic has a flaw: if an argument contains both a space and a double quote, it wraps the arg in single quotes. However, if that arg also contains a single quote (e.g., it's "quoted"), the round-trip through combineCmdAndArgs and splitCmdAndArgs will fail because splitCmdAndArgs will end the quote at the apostrophe. Consider implementing escape sequences for quotes, or using a more robust approach that can handle all combinations of special characters.

Suggested change
if (a.includes('"')) return `'${a}'`;
if (a.includes('"')) {
// If the argument contains both single and double quotes, escape double quotes and use double quotes outside
if (a.includes("'")) {
const escaped = a.replace(/"/g, '\\"');
return `"${escaped}"`;
}
// Safe to wrap in single quotes when there are no embedded single quotes
return `'${a}'`;
}

Copilot uses AI. Check for mistakes.
return `"${a}"`;
})
.join(' ');
}

export function extractCommand(link: string): string {
Expand Down
Loading