Shell sanitizing, quoting parameters

examples.md

• Old code

  exec_cmd('ping {ip}'.format(ip=ip))

  Rewritten code

  exec_cmd(format_cmd('ping {ip}', ip=ip))

  Examples

  format_cmd('ping {ip}', ip="$(rm -rf /)")
  $ ping '$(rm -rf /)'
  ping: cannot resolve $(rm -rf /): Unknown host 

  format_cmd('ping {ip}', ip='$(rm -rf '/')')
  $ ping '$(rm -rf '"'"'/'"'"')'
  ping: cannot resolve $(rm -rf '/'): Unknown host

• Old code

  exec_cmd("python -c'print(\"{arg}\")'".format(arg=arg))

  Rewritten code

  exec_cmd(format_cmd("python -c'import sys; print(sys.argv[1])' {arg}", arg=arg))

  Examples

  format_cmd("python -c'import sys; print(sys.argv[1])' {arg}", arg="'$(rm -rf /)'")
  $ python -c'import sys; print(sys.argv[1])' ''"'"'$(rm -rf /)'"'"''
  '$(rm -rf /)'

shell.py

try:  # py3
    from shlex import quote  # noqa
except ImportError:  # py2
    from pipes import quote  # noqa


def format_cmd(cmd, *args, **kwargs):
    return cmd.format(*[quote(str(i)) for i in args],
                      **{k: quote(str(v)) for k, v in kwargs.items()})