Search code examples
node.jslinuxparametersspawn

Spawn in nodejs for a unix command with spaces in parameters

I would like to execute the following command using nodejs Spawn on a Debian system : /usr/bin/apt-get upgrade -s | tail -1 | cut -f1 -d' ' I want to use spawn and not exec because of future use of root only commands and i don't want to allow a full shell access (i will update the visudo file with correct commands) Here is my code

  const apt = spawn('/usr/bin/apt-get', ['upgrade', '-s']);
  const tail = spawn('tail', ['-1']);
  const cut = spawn('cut', ['-f1', '-d" "']);

  apt.stdout.on('data', (data) => {
    tail.stdin.write(data);
  });

  tail.stdout.on('data', (data) => {
    cut.stdin.write(data);
  });

  cut.stdout.on('data', (data) => {
    console.log(data.toString());
  });


  apt.stderr.on('data', (data) => {
    console.log("apt stderr: ${data}");
  });

  tail.stderr.on('data', (data) => {
    console.log("tail stderr: ${data}");
  });

  cut.stderr.on('data', (data) => {
    console.log("cut stderr: ${data}");
  });

  apt.on('close', (code) => {
    if (code !== 0) {
      console.log("apt process exited with code ${code}");
    }
  });

  tail.on('close', (code) => {
    if (code !== 0) {
      console.log("tail process exited with code ${code}");
    }
  });

  cut.on('close', (code) => {
    if (code !== 0) {
      console.log("cut process exited with code ${code}");
    }
  });

  res.status(200).json('');

Once executed i have an error because of the '-d" "' parameter that is not recognized. I try escaping the space with a double \ or split the parameter in both but still errors

Solution

  • It should just be:

    const cut = spawn('cut', ['-f1', '-d ']);

    No double quotes or backslash escapes -- those are for the use of the shell, not cut, and there's no shell here.

    This makes dealing with unknown filenames (for your future use cases) particularly easy: When your strings are passed as arguments (to software that doesn't misuse them my running eval-equivalent code later), you don't need to quote, escape, sanitize, or otherwise modify them before they can be passed as data.

    (That is to say -- when you tell your shell cut -f1 -d" ", the actual syscall it invokes to start that cut process, in C syntax, looks like execve("/usr/bin/cut", {"cut", "-f1", "-d ", NULL}, environ); the quotes were syntactic, consumed by the shell when it used them to make the decision that the space after the -d should be part of the same literal argument).