pub fn shell_quote_arg(arg: &str) -> StringExpand description
Shell-quote one arg for safe splicing into a shell command line.
Used by aube run <script> -- args. Args get joined into the
script string, then sh -c or cmd /c reparses the whole thing. If
user arg contains $, backticks, ;, |, &, (, ), etc, the shell
interprets those as metacharacters. That is shell injection.
aube run echo 'hello; rm -rf ~' would run two commands. Same
issue npm had pre-2016. Quote each arg so shell treats it as one
literal token.
Unix: wrap in single quotes. sh treats interior of ‘…’ as pure literal with one exception, embedded single quote. Handle that with the standard ‘'’ escape trick: close the single-quoted string, emit an escaped quote, reopen. Works in every POSIX sh.
Windows cmd.exe: wrap in double quotes. cmd interprets many
metachars even inside double quotes, but CreateProcessW hands the
string to our spawn_shell that uses /d /s /c "...", the outer
quotes get stripped per /s rule and the content runs. Escape
interior “ and backslash per CommandLineToArgvW. Full cmd.exe
metachar caret-escaping is a rabbit hole, so this is best-effort,
works for the common cases, matches what node’s shell-quote does.