[BUG] npx@7 regression: command injection / impossible to pass a bactick as argument #3306
Description
Is there an existing issue for this?
- I have searched the existing issues
Current Behavior
Let’s say you have a create-blog-post CLI installed globally. You run it like so:
create-blog-post --title 'Cool `ls` tricks'
One day you install create-blog-post locally instead. Then how do you run it? Well, you could just slap npx at the start, right? Wrong! The following does not do what you expect:
npx create-blog-post --title 'Cool `ls` tricks'
Let me show why. I’m using node -p 'process.argv[2]' -- instead of create-blog-post to show that the implementation of that tool wouldn’t matter:
❯ node -p 'process.argv[2]' -- --title 'Cool `ls` tricks'
Cool `ls` tricks
With npx in front:
❯ npx node -p 'process.argv[2]' -- --title 'Cool `ls` tricks'
Cool LICENSE
README.md
lib
map.js
node_modules
package-lock.json
package.json
test tricks
Oops! The argument was treated as shell script, executed ls and put the result in my string (backticks means command interpolation)!
Expected Behavior
npx@6 got it right:
❯ npx --version
6.14.12
❯ npx node -p 'process.argv[2]' -- --title 'Cool `ls` tricks'
Cool `ls` tricks
The worst thing is that I don’t even know how to workaround this issue in npx@7. Trying to add backslashes does not help. I just can’t figure out a way to pass literal backticks as an argument.
Steps To Reproduce
- macOS or Linux (Windows have different issues)
- With this config...
- Run
npx node -p 'process.argv[1]' '`'(tested insh,bash,zsh,fish) - See error:
sh: -c: line 0: unexpected EOF while looking for matching ``'
Environment
- OS: macOS Big Sur (also happens on any Linux)
- Node: 16.1.0
- npm: 7.11.2
Fix
I’m posting an issue here as well so the PR has something to close 😄 And also to help people who have encountered the same problem can more easily find this.