{"id":16001479,"url":"https://github.com/pbrisbin/hs-shellwords","last_synced_at":"2025-03-17T19:32:00.993Z","repository":{"id":31848296,"uuid":"129418956","full_name":"pbrisbin/hs-shellwords","owner":"pbrisbin","description":"Parse a string into words, like a shell would","archived":false,"fork":false,"pushed_at":"2022-12-15T20:42:09.000Z","size":77,"stargazers_count":4,"open_issues_count":0,"forks_count":0,"subscribers_count":5,"default_branch":"main","last_synced_at":"2024-04-24T15:19:10.338Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Haskell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/pbrisbin.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-04-13T15:12:30.000Z","updated_at":"2023-03-31T20:12:35.000Z","dependencies_parsed_at":"2023-01-14T19:54:06.082Z","dependency_job_id":null,"html_url":"https://github.com/pbrisbin/hs-shellwords","commit_stats":null,"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pbrisbin%2Fhs-shellwords","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pbrisbin%2Fhs-shellwords/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pbrisbin%2Fhs-shellwords/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pbrisbin%2Fhs-shellwords/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/pbrisbin","download_url":"https://codeload.github.com/pbrisbin/hs-shellwords/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":221699111,"owners_count":16865982,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-08T09:43:42.775Z","updated_at":"2024-10-27T15:33:21.636Z","avatar_url":"https://github.com/pbrisbin.png","language":"Haskell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ShellWords\n\n[![Hackage](https://img.shields.io/hackage/v/shellwords.svg?style=flat)](https://hackage.haskell.org/package/shellwords)\n[![Stackage Nightly](http://stackage.org/package/shellwords/badge/nightly)](http://stackage.org/nightly/package/shellwords)\n[![Stackage LTS](http://stackage.org/package/shellwords/badge/lts)](http://stackage.org/lts/package/shellwords)\n[![CI](https://github.com/pbrisbin/hs-shellwords/actions/workflows/ci.yml/badge.svg)](https://github.com/pbrisbin/hs-shellwords/actions/workflows/ci.yml)\n\nParse a string into words, like a shell would.\n\n## Motivation\n\nIf you want to execute a specific command with input given to you from an\nuntrusted source, you should not give that text as-is to a shell:\n\n```hs\nlet userInput = \"push origin main\"\n\ncallCommand $ \"git \" \u003c\u003e userInput\n-- Forward output of the push command...\n```\n\nYou may be tempted to do this because you want to correctly handle quoting and\nother notoriously-difficult word-splitting problems. But doing so is a severe\nsecurity vulnerability:\n\n```hs\nlet userInput = \"push origin main; cat /etc/passwd\"\n\ncallCommand $ \"git \" \u003c\u003e userInput\n-- Forward output of the push command...\n-- And then dump /etc/passwd. Oops.\n```\n\nFurthermore, any attempts to sanitize the string are unlikely to be 100%\neffective and should be avoided. The only safe way to do this is to not use a\nshell intermediary, and always `exec` a process directly:\n\n```hs\nlet userInput = \"push origin main\"\n\ncallProcess \"git\" $ words userInput\n-- Forward output of the push command...\n```\n\nNow, there's no vulnerability:\n\n```hs\nlet userInput = \"push origin main; cat /etc/passwd\"\n\ncallProcess \"git\" $ words userInput\n-- Invalid usage. :)\n```\n\nThe new problem (but not a security-related one!) is how to correctly parse a\nstring like `\"push origin main\"` into command arguments. The rules are complex\nenough that you probably want to get a library to do it.\n\nSo here we are.\n\n## Example\n\n```hs\nRight args \u003c- parse \"some -complex --command=\\\"Line And\\\" 'More'\"\n\ncallProcess cmd args\n--\n-- Is equivalent to:\n--\n-- \u003e callProcess cmd [\"some\", \"-complex\", \"--command=Line And\", \"More\"]\n--\n```\n\n## Unsafe Usage\n\nThe following is a perfectly reasonable thing one might do with this library:\n\n```hs\nRight (cmd:args) \u003c- parse userInput\n\ncallProcess cmd args\n```\n\nHowever, if:\n\n1. `userInput` is untrusted, and\n1. You do no further validation of what `cmd` can be,\n\nThen this re-introduces the original security vulnerability and, at that point,\nyou might as well just pass `userInput` to a shell.\n\n## Lineage\n\nThis package is inspired by and named after\n\n- [`python-shellwords`][python-shellwords], which was itself inspired by\n- [`go-shellwords`][go-shellwords], which was itself inspired by\n- [`Parser::CommandLine`][parser-commandline]\n\n[python-shellwords]: https://github.com/mozillazg/python-shellwords\n[go-shellwords]: https://github.com/mattn/go-shellwords\n[parser-commandline]: https://github.com/Songmu/p5-Parse-CommandLine\n\n---\n\n[CHANGELOG](./CHANGELOG.md) | [LICENSE](./LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpbrisbin%2Fhs-shellwords","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpbrisbin%2Fhs-shellwords","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpbrisbin%2Fhs-shellwords/lists"}