Merged
34 changes: 34 additions & 0 deletions docs/tasks/task-arguments.md
Expand Up @@ -117,6 +117,24 @@ arg "<files>" var=#true var_max=5 // Maximum 5 files allowed
arg "<files>" var=#true var_min=1 var_max=3 // Between 1 and 3 files
```

::: tip Handling Variadic Args with Spaces in Bash
Variadic arguments are passed as a shell-escaped string. To properly handle arguments containing spaces as a bash array, wrap the variable in parentheses:

```bash
# Convert to bash array:
eval "files=($usage_files)"

Copilot AI Jan 30, 2026


Using eval with user-provided input is a security risk. If $usage_files contains malicious code, it will be executed. Consider documenting safer alternatives like mapfile or readarray, or at minimum add a security warning about validating input before using eval.

Suggested change
eval "files=($usage_files)"
files=($usage_files)


medium

The eval command is powerful and can be a security risk if the $usage_files variable were to contain untrusted or malicious input, as eval executes arbitrary shell commands. While this pattern is a common and often necessary way to parse shell-escaped strings into arrays in bash, it's generally good practice to include a small cautionary note about the potential risks of eval when dealing with potentially untrusted input, or to emphasize that usage_files should always be from a trusted source.


# Use as array:
for f in "${files[@]}"; do
echo "Processing: $f"
done

# Or pass to commands:
touch "${files[@]}"
```

:::

#### Environment Variable Backing

```kdl
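Review bot: the tip's prose says to "wrap the variable in parentheses", but the added line `eval "files=($usage_files)"` relies on `eval`, which re-parses the value as shell code, and the text never names it or says why that is acceptable here. Suggest adding a sentence right after "Variadic arguments are passed as a shell-escaped string." stating that the pattern is only sound because the value is that shell-escaped string, and that it must not be copied for variables holding arbitrary text. Separately, `touch "${files[@]}"` would treat a file name beginning with `-` as an option; `touch -- "${files[@]}"` avoids that.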
Expand Down Expand Up @@ -680,6 +698,22 @@ run = 'eslint ${usage_files?}'

</div>

::: tip Handling Arguments with Spaces
If your variadic arguments may contain spaces, convert the variable to a bash array:

```mise-toml
[tasks.process]
usage = 'arg "<files>" var=#true'
run = '''
eval "files=($usage_files)"

Copilot AI Jan 30, 2026


Using eval with user-provided input is a security risk. If $usage_files contains malicious code, it will be executed. Consider documenting safer alternatives like mapfile or readarray, or at minimum add a security warning about validating input before using eval.

Suggested change
eval "files=($usage_files)"
# Safely read the usage_files into a Bash array without using eval
mapfile -t files <<< "$usage_files"


medium

Similar to the previous tip, the eval command used here carries potential security risks if $usage_files could be manipulated by untrusted input. It's crucial to ensure that the source of usage_files is always trusted when employing eval in scripts.

for f in "${files[@]}"; do
process "$f"
done
'''
```

:::

## See Also

- [Task Configuration](/tasks/task-configuration) - Complete task configuration reference
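Review bot: this second tip shows `eval "files=($usage_files)"` inside `run` without the precondition the earlier tip gives (that the value is a shell-escaped string), so a reader who lands here sees a bare `eval` on an argument variable with no stated reason it is safe. Suggest repeating that sentence, or linking to the "Handling Variadic Args with Spaces in Bash" tip instead of duplicating the snippet. The script also uses bash arrays (`"${files[@]}"`) while nothing in the added lines selects bash for the task; a shebang or a note that the task must run under bash would make the example self-contained.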