bashrs 6.66.0

Rust-to-Shell transpiler for deterministic bootstrap scripts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140

// SC2087: Quote or escape expressions in sh -c / bash -c
//
// Variables in sh -c need proper quoting or escaping, otherwise they expand
// in the calling shell instead of the invoked shell.
//
// Examples:
// Bad:
//   sh -c "echo $var"            // $var expands now, not in sh
//   bash -c "test $x -eq 1"      // $x expands in outer shell
//
// Good:
//   sh -c 'echo $var'            // Single quotes prevent expansion
//   bash -c "echo \$var"         // Escaped $ delays expansion
//   sh -c "echo '$var'"          // Expanded now, passed as literal
//
// Impact: Variables expand in wrong shell context

use crate::linter::{Diagnostic, LintResult, Severity, Span};
use regex::Regex;

static SH_C_WITH_VAR: std::sync::LazyLock<Regex> = std::sync::LazyLock::new(|| {
    // Match: sh -c "...$var..." or bash -c "...${var}..." (with optional flags before/after -c)
    // (\s+-[a-z]+)* handles flags like -e, -x both before and after -c
    Regex::new(r#"\b(sh|bash)(\s+-[a-z]+)*\s+-c(\s+-[a-z]+)*\s+"[^"]*\$(\{[a-zA-Z_][a-zA-Z0-9_]*\}|[a-zA-Z_][a-zA-Z0-9_]*)[^"]*""#).unwrap()
});

pub fn check(source: &str) -> LintResult {
    let mut result = LintResult::new();

    for (line_num, line) in source.lines().enumerate() {
        let line_num = line_num + 1;

        if line.trim_start().starts_with('#') {
            continue;
        }

        for mat in SH_C_WITH_VAR.find_iter(line) {
            let matched = mat.as_str();

            // Check if variables are escaped
            if matched.contains("\\$") {
                continue; // Escaped variables are OK
            }

            let start_col = mat.start() + 1;
            let end_col = mat.end() + 1;

            let diagnostic = Diagnostic::new(
                "SC2087",
                Severity::Warning,
                "Quote variables in sh -c / bash -c with single quotes or escape with \\$"
                    .to_string(),
                Span::new(line_num, start_col, line_num, end_col),
            );

            result.add(diagnostic);
        }
    }

    result
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_sc2087_sh_c_with_var() {
        let code = r#"sh -c "echo $var""#;
        let result = check(code);
        assert_eq!(result.diagnostics.len(), 1);
    }

    #[test]
    fn test_sc2087_bash_c() {
        let code = r#"bash -c "test $x -eq 1""#;
        let result = check(code);
        assert_eq!(result.diagnostics.len(), 1);
    }

    #[test]
    fn test_sc2087_single_quotes_ok() {
        let code = r#"sh -c 'echo $var'"#;
        let result = check(code);
        // Single quotes prevent expansion
        assert_eq!(result.diagnostics.len(), 0);
    }

    #[test]
    fn test_sc2087_escaped_ok() {
        let code = r#"bash -c "echo \$var""#;
        let result = check(code);
        // Escaped $ is correct
        assert_eq!(result.diagnostics.len(), 0);
    }

    #[test]
    fn test_sc2087_no_var_ok() {
        let code = r#"sh -c "echo hello""#;
        let result = check(code);
        // No variables, OK
        assert_eq!(result.diagnostics.len(), 0);
    }

    #[test]
    fn test_sc2087_comment_ok() {
        let code = r#"# sh -c "echo $var""#;
        let result = check(code);
        assert_eq!(result.diagnostics.len(), 0);
    }

    #[test]
    fn test_sc2087_multiple_vars() {
        let code = r#"sh -c "echo $a $b""#;
        let result = check(code);
        assert_eq!(result.diagnostics.len(), 1); // One warning for the command
    }

    #[test]
    fn test_sc2087_with_flags() {
        let code = r#"bash -c -e "echo $var""#;
        let result = check(code);
        // Regex now handles flags both before and after -c
        assert_eq!(result.diagnostics.len(), 1);
    }

    #[test]
    fn test_sc2087_braced_var() {
        let code = r#"sh -c "echo ${var}""#;
        let result = check(code);
        assert_eq!(result.diagnostics.len(), 1);
    }

    #[test]
    fn test_sc2087_sudo() {
        let code = r#"sudo sh -c "echo $HOME""#;
        let result = check(code);
        assert_eq!(result.diagnostics.len(), 1);
    }
}