Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

shescape

Package Overview
Dependencies
Maintainers
1
Versions
51
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

shescape

simple shell escape library

  • 1.5.8
  • Source
  • npm
  • Socket score

Version published
Weekly downloads
1.5K
decreased by-56.1%
Maintainers
1
Weekly downloads
 
Created
Source

Shescape

GitHub Actions Coverage Report Mutation Report quality Report NPM Package

A simple shell escape package for JavaScript. Use it to escape user-controlled inputs to shell commands to prevent shell injection.

Quick links: NPM | Source code | License | Changelog | Security

Features

  • Advanced shell detection
  • Lightweight
  • Supports MacOS, Linux, and Windows

Usage

Install

  1. Install shescape

    # npm
    npm install shescape
    
    # yarn
    yarn add shescape
    
  2. Import shescape

    import * as shescape from "shescape";
    
  3. Use shescape

Shells

The following shells are officially supported and extensively tested. It is recommended to only use shells found in this list.

If you want to use Shescape with another shell you can request it on GitHub by opening an issue.

Recipes

View the recipes for examples of how to use Shescape.

API

quote(arg)

The quote function takes as input a single value, the argument, puts OS-specific quotes around it, and escapes any dangerous characters.

Example
import { quote } from "shescape";

const arg = " && ls -al";
const safeArg = quote(arg);
console.log(safeArg);
// Output:  "' && ls -al'"
Input-output
InputTypeRequiredDescription
argstringYesThe argument to quote and escape.
optionsObjectNoThe escape options.
options.shellstring, booleanNoThe shell that will be used.
OutputTypeDescription
safeArgstringThe quoted and escaped argument.

quote automatically converts non-string values to strings if needed and will error if this is not possible. You are responsible for verifying the input makes sense.

quoteAll(args)

The quoteAll function takes as input an array of values, the arguments, puts OS-specific quotes around every argument, and escapes any dangerous characters in every argument.

Example
import { quoteAll } from "shescape";

const args = ["Guppy", " && ls -al"];
const safeArgs = quoteAll(args);
console.log(safeArgs);
// Output:  ["'Guppy'", "' && ls -al"]
Input-output
InputTypeRequiredDescription
argsstring[]YesThe arguments to quote and escape.
optionsObjectNoThe escape options.
options.shellstring, booleanNoThe shell that will be used.
OutputTypeDescription
safeArgsstring[]The quoted and escaped arguments.

quoteAll automatically converts non-array inputs to single-value arrays and individual non-string values to strings if needed and will error if this is not possible. You are responsible for verifying the input makes sense.

escape(arg)

The escape function takes as input a value, the argument, and escapes any dangerous characters.

Calling escape() directly is not recommended unless you know what you're doing.

The options.interpolation value should be set to true if using this function with the exec function, or when using fork, spawn, execFile, or similar, and setting { shell: true } in the call options. If in doubt, set it to true explicitly.

Example
import { escape } from "shescape";

const arg = "' && ls -al";
const safeArg = `'${escape(arg)}'`;
console.log(safeArg);
// Output:  "''\'' && ls -al'"
Input-output
InputTypeRequiredDescription
argstringYesThe argument to escape.
optionsObjectNoThe escape options.
options.interpolationbooleanNoIs interpolation enabled.
options.shellstring, booleanNoThe shell that will be used.
OutputTypeDescription
safeArgstringThe escaped argument.

escape automatically converts non-string values to strings if needed and will error if this is not possible. You are responsible for verifying the input makes sense.

escapeAll(args)

The escapeAll function takes as input an array of values, the arguments, and escapes any dangerous characters in every argument.

The options.interpolation value should be set to true if using this function with fork, spawn, execFile, or similar, and setting { shell: true } in the call options. If in doubt, set it to true explicitly.

Example
import { escapeAll } from "shescape";

const args = ["Guppy", "' && ls -al"];
const safeArgs = escapeAll(args);
console.log(safeArgs);
// Output:  ["Guppy", "'\'' ls -al"]
Input-output
InputTypeRequiredDescription
argsstring[]YesThe arguments to escape.
optionsObjectNoThe escape options.
options.interpolationbooleanNoIs interpolation enabled.
options.shellstring, booleanNoThe shell that will be used.
OutputTypeDescription
safeArgsstring[]The escaped arguments.

escapeAll automatically converts non-array inputs to single-value arrays and individual non-string values to strings if needed and will error if this is not possible. You are responsible for verifying the input makes sense.

Keywords

FAQs

Package last updated on 15 Jul 2022

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc