implement better shell quoting thanks to @jakubroztocil

Author: ahmadnassri

src/helpers/index.js

@@ -0,0 +1,3 @@
+'use strict'
+
+module.exports = require('require-directory')(module)

src/reducer.js src/helpers/reducer.jssrc/reducer.js renamed to src/helpers/reducer.js

@@ -0,0 +1,5 @@
+'use strict'
+
+module.exports = function (value) {
+  return value.replace(/\r/g, '\\r').replace(/\n/g, '\\n')
+}

src/helpers/shell/escape.js

@@ -0,0 +1,3 @@
+'use strict'
+
+module.exports = require('require-directory')(module)

src/helpers/shell/index.js

@@ -0,0 +1,19 @@
+'use strict'
+
+var util = require('util')
+
+/**
+ * Use "strong quoting" using single quotes so that we only need
+ * to deal with nested single quote characters.
+ * <http://wiki.bash-hackers.org/syntax/quoting#strong_quoting>
+ */
+module.exports = function (value) {
+  var safe = /^[a-z0-9-_/.@%^=:]+$/i
+
+  // Unless `value` is a simple shell-safe string, quote it.
+  if (!safe.test(value)) {
+    return util.format("'%s'", value.replace(/'/g, "'\\''"))
+  }
+
+  return value
+}

src/helpers/shell/quote.js

@@ -4,7 +4,7 @@ var debug = require('debug')('httpsnippet')
 var es = require('event-stream')
 var MultiPartForm = require('form-data')
 var qs = require('querystring')
-var reducer = require('./reducer')
+var helpers = require('./helpers')
 var targets = require('./targets')
 var url = require('url')
 var util = require('util')
@@ -42,7 +42,7 @@ var HTTPSnippet = function (req, lang) {
     if (this.source.queryString && this.source.queryString.length) {
       debug('queryString found, constructing queryString pair map')
 
-      this.source.queryObj = this.source.queryString.reduce(reducer, {})
+      this.source.queryObj = this.source.queryString.reduce(helpers.reducer, {})
     }
 
     // construct headers objects
@@ -96,7 +96,7 @@ var HTTPSnippet = function (req, lang) {
         if (!this.source.postData.params) {
           this.source.postData.text = ''
         } else {
-          this.source.postData.paramsObj = this.source.postData.params.reduce(reducer, {})
+          this.source.postData.paramsObj = this.source.postData.params.reduce(helpers.reducer, {})
 
           // always overwrite
           this.source.postData.text = qs.stringify(this.source.postData.paramsObj)

src/index.js

@@ -1,6 +1,7 @@
 'use strict'
 
 var util = require('util')
+var shell = require('../helpers/shell')
 
 module.exports = function (source, options) {
   var opts = util._extend({
@@ -12,30 +13,32 @@ module.exports = function (source, options) {
 
   code.push(util.format('curl %s %s', opts.short ? '-X' : '--request', source.method))
 
-  code.push(util.format('%s"%s"', opts.short ? '' : '--url ', source.fullUrl))
+  code.push(util.format('%s%s', opts.short ? '' : '--url ', shell.quote(source.fullUrl)))
 
   if (source.httpVersion === 'HTTP/1.0') {
     code.push(opts.short ? '-0' : '--http1.0')
   }
 
   // construct headers
   Object.keys(source.headersObj).sort().map(function (key) {
-    code.push(util.format('%s "%s: %s"', opts.short ? '-H' : '--header', key, source.headersObj[key]))
+    var header = util.format('%s: %s', key, source.headersObj[key])
+    code.push(util.format('%s %s', opts.short ? '-H' : '--header', shell.quote(header)))
   })
 
   if (source.allHeaders.cookie) {
-    code.push(util.format('%s "%s"', opts.short ? '-b' : '--cookie', source.allHeaders.cookie))
+    code.push(util.format('%s %s', opts.short ? '-b' : '--cookie', shell.quote(source.allHeaders.cookie)))
   }
 
   // request body
   if (source.postData.text) {
-    code.push(util.format('%s %s', opts.short ? '-d' : '--data', JSON.stringify(source.postData.text)))
+    code.push(util.format('%s %s', opts.short ? '-d' : '--data', shell.escape(shell.quote(source.postData.text))))
   }
 
   // construct post params
   if (!source.postData.text && source.postData.params) {
     source.postData.params.map(function (param) {
-      code.push(util.format('%s "%s=%s"', opts.short ? '-F' : '--form', param.name, param.value))
+      var post = util.format('%s=%s', param.name, param.value)
+      code.push(util.format('%s %s', opts.short ? '-F' : '--form', shell.quote(post)))
     })
   }
 

src/targets/curl.js

@@ -1,18 +1,7 @@
 'use strict'
 
 var util = require('util')
-
-var shellQuote = function (value) {
-  // Unless `value` is a simple shell-safe string, quote it.
-  var shellSafe = /^[a-z0-9-_/.@%^=:]+$/i
-  if (!shellSafe.test(value)) {
-    // Use "strong quoting" using single quotes so that we only need
-    // to deal with nested single quote characters.
-    // <http://wiki.bash-hackers.org/syntax/quoting#strong_quoting>
-    return util.format("'%s'", value.replace(/'/g, "'\\''"))
-  }
-  return value
-}
+var quote = require('../helpers/shell/quote')
 
 module.exports = function (source, options) {
   var opts = util._extend({
@@ -34,7 +23,7 @@ module.exports = function (source, options) {
 
   // start with body pipe
   if (source.postData && source.postData.text) {
-    code.push(util.format('echo %s | ', shellQuote(source.postData.text)))
+    code.push(util.format('echo %s | ', quote(source.postData.text)))
   }
 
   var flags = []
@@ -75,7 +64,7 @@ module.exports = function (source, options) {
     flags.push(util.format('--timeout=%s', opts.timeout))
   }
 
-  code.push(util.format('http %s%s %s', flags.length ? flags.join(' ') + ' ' : '', source.method, shellQuote(opts.queryParams ? source.url : source.fullUrl)))
+  code.push(util.format('http %s%s %s', flags.length ? flags.join(' ') + ' ' : '', source.method, quote(opts.queryParams ? source.url : source.fullUrl)))
 
   // construct query params
   if (opts.queryParams) {
@@ -86,23 +75,23 @@ module.exports = function (source, options) {
 
       if (util.isArray(value)) {
         value.map(function (val) {
-          code.push(util.format('%s==%s', name, shellQuote(val)))
+          code.push(util.format('%s==%s', name, quote(val)))
         })
       } else {
-        code.push(util.format('%s==%s', name, shellQuote(value)))
+        code.push(util.format('%s==%s', name, quote(value)))
       }
     })
   }
 
   // construct headers
   Object.keys(source.allHeaders).sort().map(function (key) {
-    code.push(util.format('%s:%s', key, shellQuote(source.allHeaders[key])))
+    code.push(util.format('%s:%s', key, quote(source.allHeaders[key])))
   })
 
   // construct post params
   if (!source.postData.text && source.postData.params && source.postData.params.length) {
     source.postData.params.map(function (param) {
-      code.push(util.format('%s:%s', param.name, shellQuote(param.value)))
+      code.push(util.format('%s:%s', param.name, quote(param.value)))
     })
   }
 

src/targets/httpie.js

@@ -1,6 +1,7 @@
 'use strict'
 
 var util = require('util')
+var shell = require('../helpers/shell')
 
 module.exports = function (source, options) {
   var opts = util._extend({
@@ -17,19 +18,20 @@ module.exports = function (source, options) {
     code.push(util.format('wget %s', opts.short ? '-q' : '--quiet'))
   }
 
-  code.push(util.format('--method %s', source.method))
+  code.push(util.format('--method %s', shell.quote(source.method)))
 
   Object.keys(source.allHeaders).map(function (key) {
-    code.push(util.format('--header "%s: %s"', key, source.allHeaders[key]))
+    var header = util.format('%s: %s', key, source.allHeaders[key])
+    code.push(util.format('--header %s', shell.quote(header)))
   })
 
   if (source.postData.text) {
-    code.push('--body-data ' + JSON.stringify(source.postData.text))
+    code.push('--body-data ' + shell.escape(shell.quote(source.postData.text)))
   }
 
   code.push(opts.short ? '-O' : '--output-document')
 
-  code.push(util.format('- "%s"', source.fullUrl))
+  code.push(util.format('- %s', shell.quote(source.fullUrl)))
 
   return code.join(opts.indent !== false ? ' \\\n' + opts.indent : ' ')
 }

src/targets/wget.js

@@ -1,4 +1,4 @@
 curl --request POST \
-  --url "http://mockbin.com/har" \
-  --header "content-type: application/x-www-form-urlencoded" \
-  --data "foo=bar&hello=world"
+  --url http://mockbin.com/har \
+  --header 'content-type: application/x-www-form-urlencoded' \
+  --data 'foo=bar&hello=world'