Unleash the power of unlimited ShellJS commands... with ES6 Proxies!
Do you like ShellJS, but wish it had your
favorite commands? Skip the weird exec() calls by using shelljs-exec-proxy:

```js
// Our goal: make a commit: `$ git commit -am "I'm updating the \"foo\" module to be more secure"`
// Standard ShellJS requires the exec function, with confusing string escaping:
shell.exec('git commit -am "I\'m updating the \\"foo\\" module to be more secure"');
// Skip the extra string escaping with shelljs-exec-proxy!
shell.git.commit('-am', `I'm updating the "foo" module to be more secure`);
```

```bash
$ npm install --save shelljs-exec-proxy
```

```js
const shell = require('shelljs-exec-proxy');
shell.git.status();
shell.git.add('.');
shell.git.commit('-am', 'Fixed issue #1');
shell.git.push('origin', 'main');
```

Current versions of ShellJS export the `.exec()` method, which, if not used carefully, could introduce command injection vulnerabilities to your module. Here's an insecure code snippet:

```js
shell.ls('dir/*.txt').forEach(file => {
  // Insecure: the file name is concatenated into a shell command string
  shell.exec('git add ' + file);
});
```

This leaves you vulnerable to files like:

| Example file name | Unintended behavior | 
|---|---|
| `File 1.txt` | This tries to add both `File` and `1.txt`, instead of `File 1.txt` |
| `foo;rm -rf *` | This executes both `git add foo` and `rm -rf *`, unexpectedly deleting your files! |
| `ThisHas"quotes'.txt` | This tries running `git add ThisHas"quotes'.txt`, producing a Bash syntax error |

`shelljs-exec-proxy` solves all these problems:

```js
shell.ls('dir/*.txt').forEach(file => {
  // Each argument is passed separately and quoted for you
  shell.git.add(file);
});
```

| Example file name | Behavior |
|---|---|
| File 1.txt | Arguments are automatically quoted, so spaces aren't an issue | 
| foo;rm -rf * | Only one command runs at a time (semicolons are treated literally) and wildcards aren't expanded | 
| ThisHas"quotes'.txt | Quote characters are automatically escaped for you, so there are never any issues |
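
The two tables above, checked in code. This is an added example, not shelljs-exec-proxy's own implementation: a small Proxy-based command builder that quotes every call argument, compared against the string concatenation from the insecure snippet. The names `quoteArg`, `buildCommand`, `commandProxy`, `dryRun`, `naiveCommand` and `shellSees` are hypothetical, and the POSIX single-quote scheme is an assumption (the library may quote differently).

```javascript
const { execSync } = require('child_process');

// POSIX single-quote quoting: everything inside '...' is literal, and an
// embedded ' is written as '\''. Assumption: the library may quote differently.
function quoteArg(arg) {
  return "'" + String(arg).replace(/'/g, "'\\''") + "'";
}

// Command and subcommand names come from property names written by the
// developer; only the call arguments (the untrusted part) are quoted.
function buildCommand(path, args) {
  return path.concat(args.map(quoteArg)).join(' ');
}

// Each property access extends the command path (shell.git.add -> ['git', 'add']);
// calling the proxy passes the finished command string to `run`.
function commandProxy(run, path = []) {
  return new Proxy(() => {}, {
    get: (_target, prop) => commandProxy(run, path.concat(String(prop))),
    apply: (_target, _thisArg, args) => run(buildCommand(path, args)),
  });
}

// Dry-run instance: returns the command string instead of executing it.
const dryRun = commandProxy(cmd => cmd);

// The string the insecure snippet would hand to exec(); built here, never run.
function naiveCommand(file) {
  return 'git add ' + file;
}

// Round trip through /bin/sh: printf repeats '[%s]' once per argument, so a
// single pair of brackets means the shell saw exactly one literal argument.
function shellSees(arg) {
  return execSync("printf '[%s]' " + quoteArg(arg), { encoding: 'utf8' });
}

// File names from the tables above.
for (const file of ['File 1.txt', 'foo;rm -rf *', `ThisHas"quotes'.txt`]) {
  console.log('naive :', naiveCommand(file));
  console.log('quoted:', dryRun.git.add(file), '->', shellSees(file));
}
```

Only `printf` is ever executed, and only with the quoted argument; the naive string is printed for comparison and never passed to a shell.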