Debugger environment variables not escaped in Bash

[Brcrwilliams]

• VSCode Version: 1.28.1
• OS Version: Windows 10 Enterprise 1709

So, I am having the same issue described in #50302 except with the bash shell.
The issue is here: https://github.com/Microsoft/vscode/blob/release/1.28/src/vs/workbench/parts/debug/node/terminals.ts#L407

Args are wrapped in double-quotes, but only the double-quote is escaped. This means that bash characters such as ! | $ ${} $() still do their "special" behavior. I think these args should be wrapped in single-quotes instead.

Steps to Reproduce:

1. Install the Python extension
2. Create a workspace with a .env file in the root of the workspace with the contents: PASSWORD=some!password
3. Create any .py file
4. Attempt to run the debugger
5. Observe result:

cd "c:\Users\<username>\test" ; env "PASSWORD=some!password" "PYTHONIOENCODING=UTF-8" "PYTHONUNBUFFERED=1" "C:\Users\<username>\AppData\Local\Programs\Python\Python37\python.exe" "c:\Users\<username>\.vscode\extensions\ms-python.python-2018.
9.0\pythonFiles\experimental\ptvsd_launcher.py" 42928 "c:\Users\<username>\test\hello.py"
bash: !password: event not found

Does this issue occur when all extensions are disabled?: Probably not, but per #50302, the extension developer calls a VSCode API to do this.

If maintainers agree with my solution (wrapping args in single-quotes instead of double-quotes) then I can create a PR for this.

[Brcrwilliams]

Hey there, I have opened PR #61409 as a fix for this issue. I ended up just wrapping all of the args in single-quotes. This fixes the particular issue I am having. Now when I launch the debugger, it looks something like this:

test.py

from os import environ

print(environ.get('PASSWORD'))

.env

PASSWORD=test'!?$(echo foo)

launching test.py

[13:41:19] ~/test $ cd '/Users/Brian/test' ; env 'PASSWORD=test'\''!?$(echo foo)' 'PYTHONIOENCODING=UTF-8' 'PYTHONUNBUFFERED=1' 'python' '/Users/Brian/.vscode-oss-dev/extensions/ms-python.python-2018.9.1/pythonFiles/experimental/ptvsd_launcher.py' '50950' '/Users/Brian/test/test.py'
test'!?$(echo foo)

Works fine. One thing I am wondering though is if allowing special characters to be evaluated is an intended use of the TerminalLauncher? Might someone want to pass an arg like $(pwd)/some/path? I am not familiar enough with the API and its usage to make the call on whether or not that should be allowed, but I think doing it this way will avoid any unexpected errors like the case with the environment variables. Elsewise, extension authors need to do their own escaping and it will likely cause more bugs / vulnerabilities, and generally makes the behavior of the tool less predictable.

[Brcrwilliams]

Bump
@weinand, could you or another maintainer please review my PR? This issue impacts my workflow on a daily basis and I'd love to get it fixed.

[weinand]

/duplicate #61902

[vscodebot]

Thanks for creating this issue! We figured it's covering the same as another one we already have. Thus, we closed this one as a duplicate. You can search for existing issues here. See also our issue reporting guidelines.

Happy Coding!