shellwords: Parse strings into words, like a shell would

[ library, mit, text ] [ Propose Tags ]

See https://github.com/pbrisbin/hs-shellwords#readme

[Skip to Readme]

Modules

[Index] [Quick Jump]

ShellWords
Text
- Megaparsec
  - Text.Megaparsec.Compat

Downloads

shellwords-0.1.3.1.tar.gz [browse] (Cabal source package)
Package description (as included in the package)

Maintainer's Corner

Package maintainers

PatrickBrisbin

For package maintainers and hackage trustees

edit package information

Candidates

No Candidates

Versions [RSS]	0.1.0.0, 0.1.1.0, 0.1.2.0, 0.1.2.1, 0.1.2.2, 0.1.3.0, 0.1.3.1
Change log	CHANGELOG.md
Dependencies	base (>=4.11.1.0 && <5), megaparsec (>=6.5.0), text (>=1.2.3.1) [details]
License	MIT
Copyright	2018 Patrick Brisbin
Author	Patrick Brisbin
Maintainer	pbrisbin@gmail.com
Category	Text
Home page	https://github.com/pbrisbin/hs-shellwords#readme
Bug tracker	https://github.com/pbrisbin/hs-shellwords/issues
Source repo	head: git clone https://github.com/pbrisbin/hs-shellwords
Uploaded	by PatrickBrisbin at 2022-07-20T14:42:27Z
Distributions	LTSHaskell:0.1.3.1, NixOS:0.1.3.1, Stackage:0.1.3.1
Reverse Dependencies	2 direct, 5 indirect [details]
Downloads	3154 total (51 in the last 30 days)
Rating	(no votes yet) [estimated by Bayesian average]
Your Rating	λ λ λ
Status	Docs available [build log] Last success reported on 2022-07-20 [all 1 reports]

Readme for shellwords-0.1.3.1

[back to package description]

ShellWords

Parse a string into words, like a shell would.

Motivation

If you need to execute commands given to you as user-input, you should know not to give that text as-is to a shell:

callProcess "sh" ["-c", "some --user --input"]

Such code is a severe security vulnerability. Furthermore, any attempts to sanitize the string are unlikely to be 100% affective and should be avoided. The only safe way to do this is to not use a shell intermediary, and always exec a process directly:

callProcess "some" ["--user", "--input"]

The new problem (and not a security-related one) is how to correctly parse a string like "some --user --input" into the command and its arguments. The rules are complex enough that you probably want to get a library to do it.

So here we are.

Example

Right (cmd:args) <- parse "some -complex --command=\"Line And\" 'More'"

callProcess cmd args
--
-- Is equivalent to:
--
-- > callProcess "some" ["-complex", "--command=Line And", "More"]
--

Lineage

This package is inspired by and named after

python-shellwords, which was itself inspired by
go-shellwords, which was itself inspired by
Parser::CommandLine

CHANGELOG | LICENSE