Research
npm Malware Targets Telegram Bot Developers with Persistent SSH Backdoors
Malicious npm packages posing as Telegram bot libraries install SSH backdoors and exfiltrate data from Linux developer machines.
By Kush Pandya - Apr 18, 2025
You're Invited: Meet the Socket team at BSidesSF and RSAC - April 27 - May 1.RSVP →
argv-split
Advanced tools
argv-split
Split argv(argument vector) and handle special cases, such as quoted values.
argv-split
Split argv(argument vector) and handle special cases, such as quoted or escaped values.
Why?
const split = require('split')
const mkdir = 'mkdir "foo bar"'
mkdir.split(' ') // ['mkdir', '"foo', 'bar"'] -> Oops!
split(mkdir) // ['mkdir', 'foo bar'] -> Oh yeah!
const mkdir2 = 'mkdir foo\\ bar'.split(' ')
mkdir2.split(' ') // ['mkdir', 'foo\\', 'bar'] -> Oops!
split(mkdir2) // ['mkdir', 'foo bar'] -> Oh yeah!
argv-split handles all special cases with complete unit tests.
# shell command: javascript array:
foo a\ b # ['foo', 'a b']
foo \' # ['foo', '\\\'']
foo \" # ['foo', '\\"']
foo "a b" # ['foo', 'a b']
foo "a\ b" # ['foo', 'a\\ b']
foo '\' # ['foo', '\\']
foo --abc="a b" # ['foo', '--abc=a b']
foo --abc=a\ b # ['foo', '--abc=a b']
# argv-split also handles carriage returns
foo \
--abc=a\ b # ['foo', '--abc=a b']
# etc
split('foo \\\n --abc=a\\ b') // ['foo', '--abc=a b']
Error Codes
UNMATCHED_SINGLE
If a command missed the closing single quote, the error will throw:
Shell command:
foo --abc 'abc
try {
split('foo --abc \'abc')
} catch (e) {
console.log(e.code) // 'UNMATCHED_SINGLE'
}
UNMATCHED_DOUBLE
If a command missed the closing double quote, the error will throw:
foo --abc "abc
ESCAPED_EOF
If a command unexpectedly ends with a \, the error will throw:
foo --abc a\# if there is nothing after \, the error will throw
foo --abc a\ # if there is a whitespace after, then -> ['foo', '--abc', 'a ']
NON_STRING
If the argument passed to split is not a string, the error will throw
split(undefined)
Install
$ npm i argv-split
split(string) -> Array
Splits a string, and balance quoted parts. The usage is quite simple, see examples above.
Returns Array<string>
split.join(args, options?) -> string
Join the given array of argument vectors into a valid argument string
New in 3.1.0
- args
Array<string>arguments to be joined - options?
Object=- quote
string="should we use single quote or double quote when a certain argument needs to be quoted. Defaults to"
- quote
'command ' + join(['foo "bar', "'baz"])
// command "foo \"bar" "'baz"
License
MIT
FAQs
Split argv(argument vector) and handle special cases, such as quoted values.
The npm package argv-split receives a total of 6,013 weekly downloads. As such, argv-split popularity was classified as popular.
We found that argv-split demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Package last updated on 19 Nov 2024
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Python Tools Are Quickly Adopting the New pylock.toml Standard
pip, PDM, pip-audit, and the packaging library are already adding support for Python’s new lock file format.
By Sarah Gooding - Apr 18, 2025
Product
Go Support Is Now Generally Available
Socket's Go support is now generally available, bringing automatic scanning and deep code analysis to all users with Go projects.
By Peter van der Zee, Ryan Eberhardt - Apr 17, 2025