Escape backticks and dollar signs in quoteForShell (#777)

* Escape backticks and dollar signs in quoteForShell * Sync embedded formulas with .beads/formulas
2026-01-20 15:11:00 -06:00
parent 55a3b9858a
commit 6966eb4c28
4 changed files with 83 additions and 43 deletions
--- a/internal/config/loader_test.go
+++ b/internal/config/loader_test.go
@@ -2603,3 +2603,62 @@ func TestBuildStartupCommandWithAgentOverride_IncludesGTRoot(t *testing.T) {
 		t.Errorf("expected GT_ROOT=%s in command, got: %q", townRoot, cmd)
 	}
 }
+
+func TestQuoteForShell(t *testing.T) {
+	t.Parallel()
+	tests := []struct {
+		name  string
+		input string
+		want  string
+	}{
+		{
+			name:  "simple string",
+			input: "hello",
+			want:  `"hello"`,
+		},
+		{
+			name:  "string with double quote",
+			input: `say "hello"`,
+			want:  `"say \"hello\""`,
+		},
+		{
+			name:  "string with backslash",
+			input: `path\to\file`,
+			want:  `"path\\to\\file"`,
+		},
+		{
+			name:  "string with backtick",
+			input: "run `cmd`",
+			want:  "\"run \\`cmd\\`\"",
+		},
+		{
+			name:  "string with dollar sign",
+			input: "cost is $100",
+			want:  `"cost is \$100"`,
+		},
+		{
+			name:  "variable expansion prevented",
+			input: "$HOME/path",
+			want:  `"\$HOME/path"`,
+		},
+		{
+			name:  "empty string",
+			input: "",
+			want:  `""`,
+		},
+		{
+			name:  "combined special chars",
+			input: "`$HOME`",
+			want:  "\"\\`\\$HOME\\`\"",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := quoteForShell(tt.input)
+			if got != tt.want {
+				t.Errorf("quoteForShell(%q) = %q, want %q", tt.input, got, tt.want)
+			}
+		})
+	}
+}
--- a/internal/config/types.go
+++ b/internal/config/types.go
@@ -580,9 +580,15 @@ func defaultInstructionsFile(provider string) string {

 // quoteForShell quotes a string for safe shell usage.
 func quoteForShell(s string) string {
-	// Simple quoting: wrap in double quotes, escape internal quotes
+	// Wrap in double quotes, escaping characters that are special in double-quoted strings:
+	// - backslash (escape character)
+	// - double quote (string delimiter)
+	// - backtick (command substitution)
+	// - dollar sign (variable expansion)
 	escaped := strings.ReplaceAll(s, `\`, `\\`)
 	escaped = strings.ReplaceAll(escaped, `"`, `\"`)
+	escaped = strings.ReplaceAll(escaped, "`", "\\`")
+	escaped = strings.ReplaceAll(escaped, "$", `\$`)
 	return `"` + escaped + `"`
 }