fix shell escape

packages/docusaurus-utils/src/__tests__/shellUtils.test.ts

@@ -9,11 +9,11 @@ import {escapeShellArg} from '../shellUtils';
 
 describe('shellUtils', () => {
   it('escapeShellArg', () => {
-    expect(escapeShellArg('hello')).toBe('hello');
-    expect(escapeShellArg('*')).toBe('"*"');
-    expect(escapeShellArg('hello world')).toBe('"hello world"');
-    expect(escapeShellArg("'hello'")).toBe('"\'hello\'"');
-    expect(escapeShellArg('$(pwd)')).toBe('"$(pwd)"');
-    expect(escapeShellArg('hello$(pwd)')).toBe('"hello$(pwd)"');
+    expect(escapeShellArg('hello')).toBe("'hello'");
+    expect(escapeShellArg('*')).toBe("'*'");
+    expect(escapeShellArg('hello world')).toBe("'hello world'");
+    expect(escapeShellArg("'hello'")).toBe("\\''hello'\\'");
+    expect(escapeShellArg('$(pwd)')).toBe("'$(pwd)'");
+    expect(escapeShellArg('hello$(pwd)')).toBe("'hello$(pwd)'");
   });
 });

packages/docusaurus-utils/src/shellUtils.ts

@@ -10,15 +10,9 @@
 // Even shelljs recommends execa for security / escaping:
 // https://github.com/shelljs/shelljs/wiki/Security-guidelines
 
-const NO_ESCAPE_REGEXP = /^[\w.-]+$/;
-const DOUBLE_QUOTES_REGEXP = /"/g;
-
-// Inspired from Execa escaping function
-// https://github.com/sindresorhus/execa/blob/main/lib/command.js#L12
-export function escapeShellArg(arg: string): string {
-  if (NO_ESCAPE_REGEXP.test(arg)) {
-    return arg;
-  }
-
-  return `"${arg.replace(DOUBLE_QUOTES_REGEXP, '\\"')}"`;
+// Inspired by https://github.com/xxorax/node-shell-escape/blob/master/shell-escape.js
+export function escapeShellArg(s: string): string {
+  let res = `'${s.replace(/'/g, "'\\''")}'`;
+  res = res.replace(/^(?:'')+/g, '').replace(/\\'''/g, "\\'");
+  return res;
 }