fix: use shlex.quote for safe path escaping in shell commands

ryantzr1 · ryantzr1 · commit 40364e7199fe · 2026-01-08T15:00:55.000+08:00
diff --git a/docs/cookbooks/codex-coding.mdx b/docs/cookbooks/codex-coding.mdx
@@ -242,8 +242,10 @@ async def main():
         max_output_length: int | None = None,
     ) -> dict:
         """Execute shell commands in a bash session."""
+        import shlex
         # Change to working directory before executing
-        prefixed_commands = [f"cd {base_path} && {cmd}" for cmd in commands]
+        safe_path = shlex.quote(base_path)
+        prefixed_commands = [f"cd {safe_path} && {cmd}" for cmd in commands]
         result = await shell_tool(
             commands=prefixed_commands,
             timeout_ms=timeout_ms,
diff --git a/examples/06_codex_coding_agent.py b/examples/06_codex_coding_agent.py
@@ -32,6 +32,7 @@
 import argparse
 import asyncio
 import os
+import shlex
 
 from dotenv import load_dotenv
 from openai import AsyncOpenAI
@@ -124,7 +125,9 @@ async def shell(
             max_output_length: Optional max output length hint
         """
         # Change to working directory before executing
-        prefixed_commands = [f"cd {base_path} && {cmd}" for cmd in commands]
+        # Use shlex.quote to safely handle paths with spaces or special characters
+        safe_path = shlex.quote(base_path)
+        prefixed_commands = [f"cd {safe_path} && {cmd}" for cmd in commands]
         result = await shell_tool(
             commands=prefixed_commands,
             timeout_ms=timeout_ms,
