hub / github.com/Doorman11991/smallcode / escapeShellArg

Function escapeShellArg

src/security/sanitize.js:176–188  ·  view source on GitHub ↗

Escape a string for safe inclusion as a single shell argument. Cross-platform: uses POSIX single-quoting on Linux/macOS, and CMD-style double-quote-with-escape on Windows.

For Windows we double internal double-quotes and reject embedded NULs. Use this in preference to manual `"${val…

(value)

Source from the content-addressed store, hash-verified

174 * a tool result, user input, or model output is going into a shell command.
175 */
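function escapeShellArg(value) {
  // Quote `value` so that it reaches the shell as one argument.
  //   value   - any value; null/undefined become '', everything else goes through String().
  //   returns - the quoted text: '...' on POSIX platforms, "..." on win32.
  //   throws  - Error if the value contains a NUL byte (any platform) or a
  //             CR/LF (win32 only).
  const s = String(value == null ? '' : value);
  if (s.includes('\u0000')) {
    throw new Error('shell argument contains NUL byte');
  }
  if (process.platform === 'win32') {
    // cmd.exe cannot carry a line break inside an argument: a line feed ends
    // the command even between double quotes, so the rest of the value would
    // no longer be part of this argument. No quoting form fixes that; refuse.
    if (/[\r\n]/.test(s)) {
      throw new Error('shell argument contains line break');
    }
    // CMD: wrap in double quotes and double every embedded double quote.
    // That is the only rewriting done on this branch; nothing else is rejected.
    // NOTE(review): cmd.exe still expands %NAME% inside double quotes, and a
    // backslash directly before a quote or at the end of the value is not
    // doubled, so a program that splits its command line with the MSVC argv
    // rules may see different argument boundaries. Until this branch handles
    // those cases, validate such values at the call site.
    return `"${s.replace(/"/g, '""')}"`;
  }
  // POSIX: inside single quotes nothing is special except the single quote
  // itself, which is written as '\'' (close quote, escaped quote, reopen).
  return `'${s.replace(/'/g, `'\\''`)}'`;
}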
189
190/**
191 * Build a shell command from a base + already-trusted prefix and an array

Callers 4

buildCommandFunction · 0.85
_executeToolMethod · 0.85
handleMCPToolCallFunction · 0.85
executeToolFunction · 0.85

Calls

no outgoing calls

Tested by

no test coverage detected