refactor: Extract and improve quote handling in command parser

markijbema · markijbema · commit de425a777553 · 2025-10-23T16:48:09.000+02:00
- Extract protectNewlinesInQuotes() as a separate, testable function
- Fix quote concatenation handling (e.g., echo '"'A'"' where A is NOT quoted)
- Properly track quote boundaries without using toggle-based state
- Handle escaped quotes correctly in double-quoted strings
- Add comprehensive test suite for protectNewlinesInQuotes():
  - Basic quote handling (single/double quotes)
  - Quote concatenation edge cases
  - Escaped quotes in different contexts
  - Unclosed quotes, empty strings, multiple newlines
  - Real-world git commit message examples
- All 153 tests pass
diff --git a/webview-ui/src/utils/__tests__/command-validation.spec.ts b/webview-ui/src/utils/__tests__/command-validation.spec.ts
@@ -12,8 +12,127 @@ import {
 	CommandValidator,
 	createCommandValidator,
 	containsDangerousSubstitution,
+	protectNewlinesInQuotes,
 } from "../command-validation"
 
+describe("protectNewlinesInQuotes", () => {
+	const placeholder = "___NEWLINE___"
+
+	describe("basic quote handling", () => {
+		it("protects newlines in double quotes", () => {
+			const input = 'echo "hello\nworld"'
+			const expected = `echo "hello${placeholder}world"`
+			expect(protectNewlinesInQuotes(input, placeholder)).toBe(expected)
+		})
+
+		it("protects newlines in single quotes", () => {
+			const input = "echo 'hello\nworld'"
+			const expected = `echo 'hello${placeholder}world'`
+			expect(protectNewlinesInQuotes(input, placeholder)).toBe(expected)
+		})
+
+		it("does not protect newlines outside quotes", () => {
+			const input = "echo hello\necho world"
+			const expected = "echo hello\necho world"
+			expect(protectNewlinesInQuotes(input, placeholder)).toBe(expected)
+		})
+	})
+
+	describe("quote concatenation", () => {
+		it("handles quote concatenation where content between quotes is NOT quoted", () => {
+			// In bash: echo '"'A'"' prints "A" (A is not quoted)
+			const input = `echo '"'A\n'"'`
+			// The newline after A is NOT inside quotes, so it should NOT be protected
+			const expected = `echo '"'A\n'"'`
+			expect(protectNewlinesInQuotes(input, placeholder)).toBe(expected)
+		})
+
+		it("handles alternating quotes correctly", () => {
+			// echo "hello"world"test" -> hello is quoted, world is not, test is quoted
+			const input = `echo "hello\n"world\n"test\n"`
+			const expected = `echo "hello${placeholder}"world\n"test${placeholder}"`
+			expect(protectNewlinesInQuotes(input, placeholder)).toBe(expected)
+		})
+
+		it("handles single quote after double quote", () => {
+			const input = `echo "hello"'world\n'`
+			const expected = `echo "hello"'world${placeholder}'`
+			expect(protectNewlinesInQuotes(input, placeholder)).toBe(expected)
+		})
+
+		it("handles double quote after single quote", () => {
+			const input = `echo 'hello'"world\n"`
+			const expected = `echo 'hello'"world${placeholder}"`
+			expect(protectNewlinesInQuotes(input, placeholder)).toBe(expected)
+		})
+	})
+
+	describe("escaped quotes", () => {
+		it("handles escaped double quotes in double-quoted strings", () => {
+			const input = 'echo "hello\\"world\n"'
+			const expected = `echo "hello\\"world${placeholder}"`
+			expect(protectNewlinesInQuotes(input, placeholder)).toBe(expected)
+		})
+
+		it("does not treat backslash as escape in single quotes", () => {
+			// In single quotes, backslash is literal (except for \' in some shells)
+			const input = "echo 'hello\\'world\n'"
+			// The \\ is literal, the ' ends the quote, so world\n is outside quotes
+			const expected = "echo 'hello\\'world\n'"
+			expect(protectNewlinesInQuotes(input, placeholder)).toBe(expected)
+		})
+	})
+
+	describe("edge cases", () => {
+		it("handles unclosed quotes", () => {
+			const input = 'echo "unclosed\n'
+			const expected = `echo "unclosed${placeholder}`
+			expect(protectNewlinesInQuotes(input, placeholder)).toBe(expected)
+		})
+
+		it("handles empty string", () => {
+			expect(protectNewlinesInQuotes("", placeholder)).toBe("")
+		})
+
+		it("handles string with no quotes", () => {
+			const input = "echo hello\nworld"
+			expect(protectNewlinesInQuotes(input, placeholder)).toBe(input)
+		})
+
+		it("handles multiple newlines in quotes", () => {
+			const input = 'echo "line1\nline2\nline3"'
+			const expected = `echo "line1${placeholder}line2${placeholder}line3"`
+			expect(protectNewlinesInQuotes(input, placeholder)).toBe(expected)
+		})
+
+		it("handles carriage returns", () => {
+			const input = 'echo "hello\rworld"'
+			const expected = `echo "hello${placeholder}world"`
+			expect(protectNewlinesInQuotes(input, placeholder)).toBe(expected)
+		})
+
+		it("handles CRLF", () => {
+			const input = 'echo "hello\r\nworld"'
+			const expected = `echo "hello${placeholder}${placeholder}world"`
+			expect(protectNewlinesInQuotes(input, placeholder)).toBe(expected)
+		})
+	})
+
+	describe("real-world git commit examples", () => {
+		it("protects newlines in git commit message", () => {
+			const input = `git commit -m "feat: title\n\n- point a\n- point b"`
+			const expected = `git commit -m "feat: title${placeholder}${placeholder}- point a${placeholder}- point b"`
+			expect(protectNewlinesInQuotes(input, placeholder)).toBe(expected)
+		})
+
+		it("handles complex git command with multiple quoted sections", () => {
+			const input = `git add . && git commit -m "feat: title\n\n- point a" && echo "done\n"`
+			const expected = `git add . && git commit -m "feat: title${placeholder}${placeholder}- point a" && echo "done${placeholder}"`
+			expect(protectNewlinesInQuotes(input, placeholder)).toBe(expected)
+		})
+	})
+})
+
 describe("Command Validation", () => {
 	describe("parseCommand", () => {
 		it("splits commands by chain operators", () => {
diff --git a/webview-ui/src/utils/command-validation.ts b/webview-ui/src/utils/command-validation.ts
@@ -122,6 +122,85 @@ export function containsDangerousSubstitution(source: string): boolean {
 	)
 }
 
+/**
+ * Protect newlines inside quoted strings by replacing them with a placeholder.
+ * This handles proper shell quoting rules where quotes can be concatenated.
+ *
+ * Examples:
+ * - "hello\nworld" -> newline is protected (inside double quotes)
+ * - 'hello\nworld' -> newline is protected (inside single quotes)
+ * - echo '"'A'"' -> A is NOT quoted (quote concatenation)
+ * - "hello"world -> world is NOT quoted
+ *
+ * @param command - The command string to process
+ * @param placeholder - The placeholder string to use for protected newlines
+ * @returns The command with newlines in quotes replaced by placeholder
+ */
+export function protectNewlinesInQuotes(command: string, placeholder: string): string {
+	let result = ""
+	let i = 0
+
+	while (i < command.length) {
+		const char = command[i]
+
+		if (char === '"') {
+			// Start of double-quoted string
+			result += char
+			i++
+
+			// Process until we find the closing unescaped quote
+			while (i < command.length) {
+				const quoteChar = command[i]
+				const prevChar = i > 0 ? command[i - 1] : ""
+
+				if (quoteChar === '"' && prevChar !== "\\") {
+					// Found closing quote
+					result += quoteChar
+					i++
+					break
+				} else if (quoteChar === "\n" || quoteChar === "\r") {
+					// Replace newline inside double quotes
+					result += placeholder
+					i++
+				} else {
+					result += quoteChar
+					i++
+				}
+			}
+		} else if (char === "'") {
+			// Start of single-quoted string
+			result += char
+			i++
+
+			// Process until we find the closing quote
+			// Note: In single quotes, backslash does NOT escape (except for \' in some shells)
+			while (i < command.length) {
+				const quoteChar = command[i]
+
+				if (quoteChar === "'") {
+					// Found closing quote
+					result += quoteChar
+					i++
+					break
+				} else if (quoteChar === "\n" || quoteChar === "\r") {
+					// Replace newline inside single quotes
+					result += placeholder
+					i++
+				} else {
+					result += quoteChar
+					i++
+				}
+			}
+		} else {
+			// Not in quotes, keep character as-is
+			result += char
+			i++
+		}
+	}
+
+	return result
+}
+
 /**
  * Split a command string into individual sub-commands by
  * chaining operators (&&, ||, ;, |, or &) and newlines.
@@ -139,33 +218,7 @@ export function parseCommand(command: string): string[] {
 	// First, protect newlines inside quoted strings by replacing them with a placeholder
 	// This prevents splitting multi-line quoted strings (e.g., git commit -m "multi\nline")
 	const quotedStringPlaceholder = "___NEWLINE_IN_QUOTE___"
-	let protectedCommand = command
-
-	// Track quote state and replace newlines inside quotes
-	let inDoubleQuote = false
-	let inSingleQuote = false
-	let result = ""
-
-	for (let i = 0; i < command.length; i++) {
-		const char = command[i]
-		const prevChar = i > 0 ? command[i - 1] : ""
-
-		// Toggle quote state (ignore escaped quotes)
-		if (char === '"' && prevChar !== "\\") {
-			inDoubleQuote = !inDoubleQuote
-			result += char
-		} else if (char === "'" && prevChar !== "\\") {
-			inSingleQuote = !inSingleQuote
-			result += char
-		} else if ((char === "\n" || char === "\r") && (inDoubleQuote || inSingleQuote)) {
-			// Replace newlines inside quotes with placeholder
-			result += quotedStringPlaceholder
-		} else {
-			result += char
-		}
-	}
-
-	protectedCommand = result
+	const protectedCommand = protectNewlinesInQuotes(command, quotedStringPlaceholder)
 
 	// Split by newlines (handle different line ending formats)
 	// This regex splits on \r\n (Windows), \n (Unix), or \r (old Mac)
