ShellJS Exec Proxy
Unleash the power of unlimited ShellJS commands... with ES6 Proxies!
Do you like ShellJS, but wish it had your favorite commands? Skip the weird exec() calls by using shelljs-exec-proxy:

```js
const shell = require('shelljs-exec-proxy');

// Want to run the shell command `$ git commit -am "I'm updating the \"foo\" module to be more secure"`?
// Standard ShellJS requires the exec function, with confusing string escaping:
shell.exec('git commit -am "I\'m updating the \\"foo\\" module to be more secure"');
// Skip the extra string escaping with shelljs-exec-proxy!
shell.git.commit('-am', `I'm updating the "foo" module to be more secure`);
```

Installation
Important note: This is only available for Node v6+ (it requires ES6 Proxies!)
```bash
$ npm install --save shelljs-exec-proxy
```

Get that JavaScript feeling back in your code
```js
shell.git.status();
shell.git.add('.');
shell.git.commit('-am', 'Fixed issue #1');
shell.git.push('origin', 'master');
```

Security improvements
ShellJS v0.7 is vulnerable to command injection, wildcards, and string escaping mistakes. Here's an insecure code snippet:
```js
// Insecure: the file name is concatenated into a string that a shell parses
shell.ls('dir/*.txt').forEach(file => {
  shell.exec('git add ' + file);
});
```

This leaves you vulnerable to files like:
| Example file name | Vulnerability |
|---|---|
| `File 1.txt` | This tries to add both `File` and `1.txt`, instead of `File 1.txt` |
| `foo;rm -rf *` | This executes both `git add foo` and `rm -rf *`, unexpectedly deleting your files! |
| `ThisHas"quotes'.txt` | This tries running `git add ThisHas"quotes'.txt`, producing a Bash syntax error |
shelljs-exec-proxy solves all these problems:
```js
// Each argument is passed separately and quoted for you
shell.ls('dir/*.txt').forEach(file => {
  shell.git.add(file);
});
```

| Example file name | Security fix |
|---|---|
| `File 1.txt` | Filenames are automatically quoted, so spaces aren't an issue |
| `foo;rm -rf *` | Only one command runs at a time (semicolons are treated literally) and wildcards aren't expanded |
| `ThisHas"quotes'.txt` | Quote characters are automatically escaped for you, so there are never any issues |