MIT licensed by Patrick Brisbin
Maintained by [email protected]
This version can be pinned in stack with:shellwords-0.1.4.0@sha256:b5d67ee434d0e738daa5e288595cc18d48c08e8e2ec616e5c303f1a4a27bc72a,2451

Module documentation for 0.1.4.0

Depends on 3 packages(full list with versions):

ShellWords

Hackage Stackage Nightly Stackage LTS CI

Parse a string into words, like a shell would.

Motivation

If you want to execute a specific command with input given to you from an untrusted source, you should not give that text as-is to a shell:

let userInput = "push origin main"

callCommand $ "git " <> userInput
-- Forward output of the push command...

You may be tempted to do this because you want to correctly handle quoting and other notoriously-difficult word-splitting problems. But doing so is a severe security vulnerability:

let userInput = "push origin main; cat /etc/passwd"

callCommand $ "git " <> userInput
-- Forward output of the push command...
-- And then dump /etc/passwd. Oops.

Furthermore, any attempts to sanitize the string are unlikely to be 100% affective and should be avoided. The only safe way to do this is to not use a shell intermediary, and always exec a process directly:

let userInput = "push origin main"

callProcess "git" $ words userInput
-- Forward output of the push command...

Now, there’s no vulnerability:

let userInput = "push origin main; cat /etc/passwd"

callProcess "git" $ words userInput
-- Invalid usage. :)

The new problem (but not a security-related one!) is how to correctly parse a string like "push origin main" into command arguments. The rules are complex enough that you probably want to get a library to do it.

So here we are.

Example

Right args <- parse "some -complex --command=\"Line And\" 'More'"

callProcess cmd args
--
-- Is equivalent to:
--
-- > callProcess cmd ["some", "-complex", "--command=Line And", "More"]
--

Unsafe Usage

The following is a perfectly reasonable thing one might do with this library:

Right (cmd:args) <- parse userInput

callProcess cmd args

However, if:

  1. userInput is un-trusted, and
  2. You do no further validation of what cmd can be,

Then this re-introduces the original security vulnerability and, at that point, you might as well just pass userInput to a shell.

Lineage

This package is inspired by and named after


CHANGELOG | LICENSE

Changes

Unreleased

v0.1.4.0

v0.1.3.2

  • Fix bugs around = handling, adjacent strings, and escaped-backslash

v0.1.3.1

  • Fix incorrect lower bound on base

v0.1.3.0

  • Define reserved characters, to enable delimited parsing $(<words)
  • Export Parser-related functions, to enable incorporating in a larger parser

v0.1.2.1

  • Strip surrounding whitespace before parsing
  • Fix mis-handling of escaped spaces in certain kinds of flags

v0.1.2.0

  • parse works on String now, use parseText for the Text interface

v0.1.1.0

  • Bugfixes that I can’t remember

v0.1.0.0

First released version.