[GH-ISSUE #43] Fix shell metacharacter handling in wrapper script generation #12

Closed
opened 2026-03-02 04:07:48 +03:00 by kerem · 1 comment
Owner

Originally created by @gadievron on GitHub (Dec 22, 2025).
Original GitHub issue: https://github.com/gadievron/raptor/issues/43

Problem

Paths with spaces, quotes, or special characters aren't properly escaped, causing wrapper scripts to fail. While RAPTOR is a local tool with user-provided input, proper escaping prevents frustration and potential security issues with paths like /Users/dev/My Projects/app.

Lines 452, 466, 472 in packages/codeql/build_detector.py write repo_path values directly into bash wrapper scripts without shell escaping.

Example Issue

```bash
# Repo path with spaces
repo_path = "/Users/dev/My Projects/app"

# Generated wrapper (BREAKS)
#!/bin/bash
cd /Users/dev/My Projects/app  # Fails - spaces not escaped
```

Impact

  • Wrapper scripts fail with paths containing special characters
  • User frustration with common path patterns
  • Best practice for shell scripting not followed

Fix

Use shlex.quote() to properly escape paths:

```python
from shlex import quote

# At lines 452, 466, 472
cd {quote(str(self.repo_path))}  # Properly escaped
```

File: packages/codeql/build_detector.py:452, 466, 472

Type

  • Bug fix + Enhancement (robustness improvement)

Related

  • Bug #5 from internal analysis
  • Multi-agent validated
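
An added example, not code from RAPTOR or from the issue author: it renders a wrapper with and without `shlex.quote()` and tokenises the resulting `cd` line to check that the path reaches `cd` as a single argument. `render_wrapper`, `cd_line_tokens`, `path_survives` and the sample paths are hypothetical stand-ins for the template in `build_detector.py`.

```python
import shlex

# Constructed sample paths (not taken from the RAPTOR repository).
SAMPLE_PATHS = [
    "/opt/src/app",                  # nothing to escape
    "/Users/dev/My Projects/app",    # space: splits into two words
    "/Users/dev/it's here/app",      # lone quote: unterminated string
    "/srv/build/stage;1/app",        # ';' ends the cd command early
    "/srv/build/a&b (copy)/app",     # '&', '(' and ')' are shell operators
]

def render_wrapper(repo_path, build_cmd="make", quote_path=True):
    """Hypothetical stand-in for the wrapper template in build_detector.py."""
    path = str(repo_path)
    cd_arg = shlex.quote(path) if quote_path else path
    return f"#!/bin/bash\nset -e\ncd {cd_arg}\n{build_cmd}\n"

def cd_line_tokens(script):
    """Split the wrapper's `cd` line into shell words and operators.

    shlex models quoting, whitespace and the operators ();<>|& but not
    `$` expansion or globbing, so this is a lint check, not a full shell.
    Raises ValueError when the line has an unterminated quote.
    """
    cd_line = next(l for l in script.splitlines() if l.startswith("cd "))
    lexer = shlex.shlex(cd_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)

def path_survives(repo_path, quote_path):
    """True when `cd` receives exactly one argument equal to repo_path."""
    try:
        tokens = cd_line_tokens(render_wrapper(repo_path, quote_path=quote_path))
    except ValueError:
        return False
    return tokens == ["cd", str(repo_path)]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p!r}: raw={path_survives(p, False)} quoted={path_survives(p, True)}")
```

A check like `path_survives` fits a unit test around the wrapper generator, so any template line that interpolates a path without quoting fails the build.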
kerem 2026-03-02 04:07:48 +03:00
Author
Owner

@gadievron commented on GitHub (Dec 22, 2025):

Fixed in PR #49
