search

yargs / yargs-parser

:muscle: the mighty option parser used by yargs
http://yargs.js.org/
ISC License
491 stars 123 forks source link

Incorrect parsing of options with escaped quotes #484

Open jettdc opened 11 months ago

jettdc commented 11 months ago

trying to parse the string:

const curl = `curl -X POST "https://api.example.com/data" -H "Content-Type: application/json" -d "{\\"key\\": \\"This string has an escaped backslash: \\\\ and a newline: \\\\n\\"}"`;

Which is equivalent to the valid curl command

curl -X POST "https://api.example.com/data" -H "Content-Type: application/json" -d "{\"key\": \"This string has an escaped backslash: \\ and a newline: \\n\"}"

But when I parse it, my args array looks like the following:

_: [
        'curl',
        'https://api.example.com/data',
        'string',
        'has',
        'an',
        'escaped',
        'backslash:',
        '\\\\',
        'and',
        'a',
        'newline:',
        '\\\\n\\"}"'
      ],

Am I missing something or is this a bug?

shadowspawn commented 11 months ago

yargs-parser does not support escaping embedded quotes, but it does support nesting quotes. So you can have " inside ' quotes.

I am not sure what quoting you would want for the slash and newline, but this quoting at least reads everything after the -d as the option value:

import parser from 'yargs-parser'
const curl = `curl -X POST "https://api.example.com/data" -H "Content-Type: application/json" -d '{"key": "This string has an escaped backslash: \\\\ and a newline: \\\\n"}'`;
const argv = parser(curl);
console.log(argv);
% node index.mjs
{
  _: [ 'curl', '"https://api.example.com/data"' ],
  X: 'POST',
  H: 'Content-Type: application/json',
  d: '{"key": "This string has an escaped backslash: \\\\ and a newline: \\\\n"}'
}
jettdc commented 11 months ago

Unfortunately these strings are coming from user input, and since the mentioned curl command is a valid curl command/bash/input, I need to be able to support it

Is there a reason it doesn't support escaping embedded quotes?

shadowspawn commented 11 months ago

If you can access the command after it is parsed by the shell into separate arguments then you avoid the problem that different shells/platforms and yargs split up command-line into arguments in different ways. (I realise this may not be possible in your use case, but I thought worth mentioning as a general approach.)

Related: #300 #385

Is there a reason it doesn't support escaping embedded quotes?

I suspect just hasn't come up enough.

A package I have used for some quoting work is: https://www.npmjs.com/package/shell-quote