Use escapeshellarg

Use escapeshellarg by default, but allow disabling it.

Author: danmichaelo

README.md

@@ -64,6 +64,14 @@ or
     }
 ```
 
+By default, all arguments are escaped using
+[escapeshellarg](https://secure.php.net/manual/en/function.escapeshellarg.php).
+If you need to pass unescaped arguments, use `{!name!}`, like so:
+
+```php
+Command::exec('echo {!path!}', ['path' => '$PATH']);
+```
+
 ## Testing
 
 ``` bash

src/Command.php

@@ -13,22 +13,22 @@ private function __construct()
     /**
      * Execute command with params.
      *
-     * @param string $commandLine
+     * @param string $command
      * @param array  $params
      *
      * @return bool|string
      *
      * @throws \Exception
      */
-    public static function exec($commandLine, array $params = array())
+    public static function exec($command, array $params = array())
     {
-        if (empty($commandLine)) {
+        if (empty($command)) {
             throw new \Exception('Command line is empty');
         }
 
-        $commandLine = self::bindParams($commandLine, $params);
+        $command = self::bindParams($command, $params);
 
-        exec($commandLine, $output, $code);
+        exec($command, $output, $code);
 
         if (count($output) === 0) {
             $output = $code;
@@ -37,7 +37,7 @@ public static function exec($commandLine, array $params = array())
         }
 
         if ($code !== 0) {
-            throw new \Exception($output . ' Command line: ' . $commandLine);
+            throw new \Exception($output . ' Command line: ' . $command);
         }
 
         return $output;
@@ -46,38 +46,26 @@ public static function exec($commandLine, array $params = array())
     /**
      * Bind params to command.
      *
-     * @param string $commandLine
+     * @param string $command
      * @param array  $params
      *
      * @return string
      */
-    public static function bindParams($commandLine, array $params)
+    public static function bindParams($command, array $params)
     {
-        if (count($params) > 0) {
-            $wrapper = function ($string) {
-                return '{' . $string . '}';
-            };
-            $converter = function ($var) {
-                if (is_array($var)) {
-                    $var = implode(' ', $var);
-                }
-                
-                return $var;
-            };
+        $wrappers = array();
+        $converters = array();
+        foreach ($params as $key => $value) {
 
-            $commandLine = str_replace(
-                array_map(
-                    $wrapper,
-                    array_keys($params)
-                ),
-                array_map(
-                    $converter,
-                    array_values($params)
-                ),
-                $commandLine
-            );
+            // Escaped
+            $wrappers[] = '{' . $key . '}';
+            $converters[] = escapeshellarg(is_array($value) ? implode(' ', $value) : $value);
+
+            // Unescaped
+            $wrappers[] = '{!' . $key . '!}';
+            $converters[] = is_array($value) ? implode(' ', $value) : $value;
         }
 
-        return $commandLine;
+        return str_replace($wrappers, $converters, $command);
     }
 }

tests/CommandTest.php

@@ -49,4 +49,34 @@ public function testExecEmptyCommand()
             ''
         );
     }
+
+    /**
+     * Test that arguments are escaped by default
+     */
+    public function testArgumentsEscapedByDefault()
+    {
+        $output = Command::exec(
+            'echo {phrase}',
+            [
+                'phrase' => 'hello $PATH',
+            ]
+        );
+
+        $this->assertEquals('hello $PATH', $output);
+    }
+
+    /**
+     * Test that unescaped arguments can be passed
+     */
+    public function testUnescapedArguments()
+    {
+        $output = Command::exec(
+            'echo {!phrase!}',
+            [
+                'phrase' => 'hello $PATH',
+            ]
+        );
+
+        $this->assertRegexp('/\//', $output);
+    }
 }