-
Notifications
You must be signed in to change notification settings - Fork 347
Open
Description
Bug Report: Ruby Wrapper Quote Escaping Issue
Problem Description
The Ruby gem wrapper in /Ruby/lib/terminal-notifier.rb has a critical bug in argument escaping that causes shell parsing errors when notification content contains quotes or special characters.
Environment
- Terminal-notifier Version: 2.0.0
- Ruby Gem: terminal-notifier gem
- Issue Location:
Ruby/lib/terminal-notifier.rb:20
Symptoms
When using the Ruby gem with quotes in messages, the shell gets confused and waits for input:
# This fails with "dquote> " prompt:
terminal-notifier -message "Hello World\!" -title "Test"
# Shell shows:
dquote> Root Cause Analysis
File: Ruby/lib/terminal-notifier.rb, line 20
Problematic Code:
"#{v[0] == "-" ? " " : ""}#{Shellwords.escape(v[0,1])}#{v[1..-1]}"The Issue: This code only escapes the first character of each argument value using Shellwords.escape(v[0,1]), then concatenates the remainder v[1..-1] completely unescaped.
Impact Examples
| Input | Current Broken Output | Should Be |
|---|---|---|
'Hello "World"' |
Hello \"World\" |
Hello\ \"World\" |
'"Start with quote' |
\"Start with quote |
\"Start\ with\ quote |
'-dash "quotes"' |
-dash \"quotes\" |
\ -dash\ \"quotes\" |
Proposed Fix
Replace line 20 with:
command = [BIN_PATH, *options.map { |k,v|
v = v.to_s
escaped_value = v[0] == "-" ? Shellwords.escape(" #{v}") : Shellwords.escape(v)
["-#{k}", escaped_value]
}.flatten]Fix Benefits
- Complete escaping: Escapes the entire argument value, not just first character
- Shell safety: All special characters properly escaped
- Backward compatibility: Maintains dash-prefixed argument handling
- Security: Prevents potential shell injection vulnerabilities
Validation
This fix resolves quote handling while maintaining all existing functionality:
- ✅ Messages with quotes work properly
- ✅ Arguments starting with dashes handled correctly
- ✅ All existing tests continue to pass
- ✅ Shell injection vulnerabilities eliminated
Additional Notes
- This bug only affects the Ruby gem wrapper, not the direct binary
- The CLI wrapper (
bin/terminal-notifier) bypasses this by usingexec - This is a critical fix for Ruby API users:
TerminalNotifier.notify()
Reactions are currently unavailable
Metadata
Metadata
Assignees
Labels
No labels