Escape shell arguments correctly (#3603)

* escape shell argument depending on target operating system

* only escape unix style

* add some basic tests

* use json_encode in test

* correctly escape single quotes on the Linux command line

docs/recipe/deploy/release.md

@@ -13,7 +13,7 @@ require 'recipe/deploy/release.php';
 
 ## Configuration
 ### release_name
-[Source](https://github.com/deployphp/deployer/blob/master/recipe/deploy/release.php#L8)
+[Source](https://github.com/deployphp/deployer/blob/master/recipe/deploy/release.php#L9)
 
 The name of the release.
 
@@ -26,7 +26,7 @@ return strval(intval($latest) + 1);
 
 
 ### releases_log
-[Source](https://github.com/deployphp/deployer/blob/master/recipe/deploy/release.php#L16)
+[Source](https://github.com/deployphp/deployer/blob/master/recipe/deploy/release.php#L17)
 
 Holds releases log from `.dep/releases_log` file.
 :::info Autogenerated
@@ -37,7 +37,7 @@ The value of this configuration is autogenerated on access.
 
 
 ### releases_list
-[Source](https://github.com/deployphp/deployer/blob/master/recipe/deploy/release.php#L31)
+[Source](https://github.com/deployphp/deployer/blob/master/recipe/deploy/release.php#L32)
 
 Return list of release names on host.
 :::info Autogenerated
@@ -48,7 +48,7 @@ The value of this configuration is autogenerated on access.
 
 
 ### release_path
-[Source](https://github.com/deployphp/deployer/blob/master/recipe/deploy/release.php#L58)
+[Source](https://github.com/deployphp/deployer/blob/master/recipe/deploy/release.php#L59)
 
 Return release path.
 :::info Autogenerated
@@ -59,7 +59,7 @@ The value of this configuration is autogenerated on access.
 
 
 ### release_revision
-[Source](https://github.com/deployphp/deployer/blob/master/recipe/deploy/release.php#L69)
+[Source](https://github.com/deployphp/deployer/blob/master/recipe/deploy/release.php#L70)
 
 Current release revision. Usually a git hash.
 
@@ -69,7 +69,7 @@ return run('cat {{release_path}}/REVISION');
 
 
 ### release_or_current_path
-[Source](https://github.com/deployphp/deployer/blob/master/recipe/deploy/release.php#L75)
+[Source](https://github.com/deployphp/deployer/blob/master/recipe/deploy/release.php#L76)
 
 Return the release path during a deployment
 but fallback to the current path otherwise.
@@ -84,15 +84,15 @@ return $releaseExists ? get('release_path') : get('current_path');
 ## Tasks
 
 ### deploy:release
-[Source](https://github.com/deployphp/deployer/blob/master/recipe/deploy/release.php#L82)
+[Source](https://github.com/deployphp/deployer/blob/master/recipe/deploy/release.php#L83)
 
 Prepares release.
 
 Clean up unfinished releases and prepare next release
 
 
 ### releases
-[Source](https://github.com/deployphp/deployer/blob/master/recipe/deploy/release.php#L157)
+[Source](https://github.com/deployphp/deployer/blob/master/recipe/deploy/release.php#L158)
 
 Shows releases list.
 

recipe/deploy/release.php

@@ -3,6 +3,7 @@
 
 use Deployer\Exception\Exception;
 use Symfony\Component\Console\Helper\Table;
+use function Deployer\Support\escape_shell_argument;
 
 // The name of the release.
 set('release_name', function () {
@@ -123,7 +124,7 @@
     ];
 
     // Save metainfo about release.
-    $json = escapeshellarg(json_encode($metainfo));
+    $json = escape_shell_argument(json_encode($metainfo));
     run("echo $json >> .dep/releases_log");
 
     // Make new release.

src/Support/helpers.php

@@ -252,3 +252,8 @@ function colorize_host(string $alias): string
     $tag = $colors[abs(crc32($alias)) % count($colors)];
     return "<$tag>$alias</>";
 }
+
+function escape_shell_argument(string $argument): string
+{
+    return "'".str_replace("'", "'\\''", $argument)."'";
+}

tests/src/Support/HelpersTest.php

@@ -59,4 +59,9 @@ public function testParseHomeDir()
         $this->assertStringStartsWith('~', parse_home_dir('~path'));
         $this->assertStringEndsWith('~', parse_home_dir('path~'));
     }
+
+    public function testEscapeShellArgument()
+    {
+        $this->assertEquals('\'{"foobar":"Lorem ipsum\'\\\'\'s dolor"}\'', escape_shell_argument(json_encode(['foobar' => 'Lorem ipsum\'s dolor'])));
+    }
 }