fix: handle spaces in file paths for Open in Editor#849
fix: handle spaces in file paths for Open in Editor#849ranvier2d2 wants to merge 2 commits intopingdotgg:mainfrom
Conversation
On Windows, spawn uses shell: true so cmd.exe can resolve .cmd/.bat editor stubs. This causes arguments containing spaces to be split into separate tokens. Quote such arguments before passing them to the shell. Fixes pingdotgg#757, Fixes pingdotgg#603 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
Important Review skippedAuto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Repository UI Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
github-actions
bot
added
the
vouch:unvouched
![macroscopeapp[bot]](https://avatars.githubusercontent.com/in/900172?s=60&v=4){kind=small}
| const useShell = process.platform === "win32"; | ||
| const args = useShell | ||
| ? launch.args.map((a) => (a.includes(" ") ? `"${a}"` : a)) | ||
| : [...launch.args]; |
There was a problem hiding this comment.
🟠 High src/open.ts:237
On Windows with shell: true, the quoting logic only wraps arguments containing spaces, leaving shell metacharacters like &, |, (, ), and % unquoted. An argument like Logs&Reports.txt is split into two commands (Logs and Reports.txt) instead of being treated as a single path, and malicious filenames like malicious&whoami can inject arbitrary commands. Arguments containing any shell metacharacters must be quoted, not just those with spaces.
- const useShell = process.platform === "win32";
- const args = useShell
- ? launch.args.map((a) => (a.includes(" ") ? `"${a}"` : a))
- : [...launch.args];
+ const useShell = process.platform === "win32";
+ const shellMetas = /[&|<>^()%!"]/;
+ const args = useShell
+ ? launch.args.map((a) => (shellMetas.test(a) ? `"${a}"` : a))
+ : [...launch.args];🚀 Reply "fix it for me" or copy this AI Prompt for your agent:
In file apps/server/src/open.ts around lines 237-240:
On Windows with `shell: true`, the quoting logic only wraps arguments containing spaces, leaving shell metacharacters like `&`, `|`, `(`, `)`, and `%` unquoted. An argument like `Logs&Reports.txt` is split into two commands (`Logs` and `Reports.txt`) instead of being treated as a single path, and malicious filenames like `malicious&whoami` can inject arbitrary commands. Arguments containing any shell metacharacters must be quoted, not just those with spaces.
Evidence trail:
apps/server/src/open.ts lines 236-243 at REVIEWED_COMMIT - shows the quoting logic `launch.args.map((a) => (a.includes(" ") ? `"${a}"` : a))` which only checks for spaces, and the spawn call with `shell: useShell` where `useShell` is true on Windows.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 participant
Summary
Changes
apps/server/src/open.ts, whenshell: true(Windows), wrap spawn args containing spaces in double quotes before passing tospawn()spawn()withshell: truejoins args with spaces forcmd.exe, splitting paths likeC:\Users\John Doe\projectinto separate tokensshell: falsewhere args are passed as properargventries, so no quoting is neededTest plan
Note
Fix spaces in file paths for Open in Editor on Windows
In open.ts,
launchDetachednow wraps each argument in double quotes when spawning on Windows, and sets theshelloption accordingly. Non-Windows behavior is unchanged.Macroscope summarized 443b4e0.