so my code looks like this , i have a function defined as the following :
func shellOut(command string) (string, string, error) {
var stdout bytes.Buffer
var stderr bytes.Buffer
cmd := exec.Command("bash", "-c", command)
cmd.Stdout = &stdout
cmd.Stderr = &stderr
err := cmd.Run()
return stdout.String(), stderr.String(), err
}
and a while later i am doing this.
t := "yoooooooooooo\"oo)(';#oooooooooooo"
out, stderr, err := shellOut("echo \"" t "\" | ./doOperation.sh")
if err != nil {
log.Printf("final error: %v\nstderr: %s", err, stderr)
}
fmt.Println(out)
but i am getting an error that looks like this:
2021/10/14 22:54:18 final error: exit status 1
stderr: bash: -c: line 838: syntax error near unexpected token `('
bash: -c: line 838: ` return "Symbol(" String(void 0 === t ? "" : t) ")_" ( n r).toString(36)'
and when i give the variable t a value like "yooooo" its gets executed nicely, so how can i pass a variable with any weird character into echo? is there a way to escape all bad character before passing it?
CodePudding user response:
For purely academic purposes, I'm posting this function, as I had to do something similar a while back:
var bashReplacer = strings.NewReplacer(
`)`, `\)`, // using back-ticks to keep our sanity
`(`, `\(`,
`'`, `\'`,
`"`, `\"`,
`$`, `\$`, // include if you don't want variable substitutions
"`", "\\`", // can't use back-ticks to include a back-tick, so back to double-quotes
)
func bashEscape(s string) string { return bashReplacer.Replace(s) }
https://play.golang.org/p/uNfI_2MyjcI
However, as I mentioned in the comments, you can avoid all the pain of shell escaping by just running the target script directly, and feed in your UTF-8
string unaltered like so:
func execWithStdin(command, stdinText string) (string, string, error) {
var (
stdout bytes.Buffer
stderr bytes.Buffer
)
cmd := exec.Command(command)
cmd.Stdin = strings.NewReader(stdinText) // pass in our data via Stdin
cmd.Stdout = &stdout
cmd.Stderr = &stderr
err := cmd.Run()
return stdout.String(), stderr.String(), err
}
to use:
t := `yoooooooooooo"oo)(';#oooooooooooo`
t = "`" // add a back-tick to make things interesting
// no shell escaping necessary:
out, stderr, err := execWithStdin("./doOperation.sh", t)