Build: escape all whitespaces (#12152)

ref https://readthedocs.slack.com/archives/C04SS8XNB6K/p1746136083159309

NOTE: this isn't a vulnerability, as all commands that make use of this
function are run inside a container.

Author: stsewd

readthedocs/doc_builder/environments.py

@@ -282,7 +282,7 @@ class DockerBuildCommand(BuildCommand):
     """
 
     bash_escape_re = re.compile(
-        r"([\t\ \!\"\#\$\&\'\(\)\*\:\;\<\>\?\@\[\\\]\^\`\{\|\}\~])"  # noqa
+        r"([\s\!\"\#\$\&\'\(\)\*\:\;\<\>\?\@\[\\\]\^\`\{\|\}\~])"  # noqa
     )
 
     def __init__(self, *args, escape_command=True, **kwargs):

readthedocs/doc_builder/tests/__init__.py

@@ -0,0 +1,32 @@
+from django.test import TestCase
+
+from readthedocs.doc_builder.environments import DockerBuildCommand
+
+
+class TestDockerBuildEnvironment(TestCase):
+    def test_command_escape(self):
+        commands = [
+            (
+                ["ls", ".", "; touch /tmp/test"],
+                "/bin/sh -c 'ls . \\;\\ touch\\ /tmp/test'",
+            ),
+            (
+                ["ls", ".", "\ntouch /tmp/test"],
+                "/bin/sh -c 'ls . \\\ntouch\\ /tmp/test'",
+            ),
+            (
+                ["ls", ".", "\ftouch /tmp/test"],
+                "/bin/sh -c 'ls . \\\ftouch\\ /tmp/test'",
+            ),
+            (
+                ["ls", ".", "\ttouch /tmp/test"],
+                "/bin/sh -c 'ls . \\\ttouch\\ /tmp/test'",
+            ),
+            (
+                ["ls", ".", "\vtouch /tmp/test"],
+                "/bin/sh -c 'ls . \\\vtouch\\ /tmp/test'",
+            ),
+        ]
+        for command, expected in commands:
+            build_command = DockerBuildCommand(command=command)
+            assert build_command.get_wrapped_command() == expected, command