Merge pull request #127 from pstadler/sudo-escape-spaces

fix sudo command escaping

Author: pstadler

lib/transport/index.js

@@ -7,7 +7,7 @@ var format = require('util').format
   , errors = require('../errors')
   , commands = require('./commands')
   , queue = require('../utils/queue')
-  , escapeSingleQuotes = require('../utils').escapeSingleQuotes;
+  , escapeQuotes = require('../utils').escapeQuotes;
 
 /**
  * A transport is the interface you use during flights. Basically they
@@ -190,8 +190,8 @@ Transport.prototype.sudo = function(command, options) {
   var user = options.user || 'root';
 
   command = format('%s%s', this._execWith, command);
-  command = escapeSingleQuotes(command);
-  command = format("sudo -u %s -i bash -c '%s'", user, command);
+  command = escapeQuotes(command);
+  command = format("sudo -u %s -i bash -c \"'%s'\"", user, command);
 
   return this._exec(command, options);
 };

lib/utils/index.js

@@ -17,10 +17,13 @@ exports.writeTempFile = function(str) {
   return fullpath;
 };
 
-exports.escapeSingleQuotes = function(str) {
+exports.escapeQuotes = function(str) {
   if(!str) {
     return str;
   }
 
-  return str.replace(/'/g, "'\\''");
+  str = str.replace(/"/g, '\\"');
+  str = str.replace(/'/g, "'\\''");
+
+  return str;
 };

test/test.transport.js

@@ -97,21 +97,23 @@ describe('transport', function() {
 
       expect(transport._exec.calledOnce).to.be.true;
       expect(transport._exec.lastCall.args).to.deep.equal([
-        "sudo -u root -i bash -c ''",
+        "sudo -u root -i bash -c \"''\"",
         {}
       ]);
     });
 
     it('should properly escape the command', function() {
       transport._exec = sinon.stub();
 
-      transport.sudo('"cmd"');
+      transport.sudo('printf "hello world"');
 
-      expect(transport._exec.lastCall.args[0]).to.equal("sudo -u root -i bash -c '\"cmd\"'");
+      expect(transport._exec.lastCall.args[0])
+        .to.equal("sudo -u root -i bash -c \"\'printf \\\"hello world\\\"\'\"");
 
-      transport.sudo("'cmd'");
+      transport.sudo("printf 'hello world'");
 
-      expect(transport._exec.lastCall.args[0]).to.equal("sudo -u root -i bash -c ''\\''cmd'\\'''");
+      expect(transport._exec.lastCall.args[0])
+        .to.equal("sudo -u root -i bash -c \"'printf '\\''hello world'\\'''\"");
     });
 
     it('should pass options to #_exec()', function() {
@@ -127,7 +129,7 @@ describe('transport', function() {
 
       transport.sudo('cmd', { user: 'not-root' });
 
-      expect(transport._exec.lastCall.args[0]).to.equal("sudo -u not-root -i bash -c 'cmd'");
+      expect(transport._exec.lastCall.args[0]).to.equal("sudo -u not-root -i bash -c \"'cmd'\"");
     });
   });
 

test/test.utils.js

@@ -37,14 +37,15 @@ describe('utils', function() {
     });
   });
 
-  describe('#escapeSingleQuotes()', function() {
+  describe('#escapeQuotes()', function() {
     it('should correctly escape single quotes', function() {
-      var escapeSingleQuotes = proxyquire('../lib/utils', {}).escapeSingleQuotes;
+      var escapeQuotes = proxyquire('../lib/utils', {}).escapeQuotes;
 
-      expect(escapeSingleQuotes("'string'")).to.equal("'\\''string'\\''");
-      expect(escapeSingleQuotes('"string"')).to.equal('"string"');
-      expect(escapeSingleQuotes("\\'string\\'")).to.equal("\\'\\''string\\'\\''");
-      expect(escapeSingleQuotes('')).to.equal('');
+      expect(escapeQuotes("'string'")).to.equal("'\\''string'\\''");
+      expect(escapeQuotes('"string"')).to.equal('\\"string\\"');
+      expect(escapeQuotes("\\'string\\'")).to.equal("\\'\\''string\\'\\''");
+      expect(escapeQuotes('')).to.equal('');
+      expect(escapeQuotes()).to.be.undefined;
     });
   });