Thread overview
safeArg: Little CLI util to pass null-delimited list of cmdline args to a program
Jun 09, 2015
Nick Sabalausky
Jun 09, 2015
Marc Schütz
Jun 09, 2015
Nick Sabalausky
Re: safeArg v0.9.2
Jun 14, 2015
Nick Sabalausky
Re: safeArg v0.9.3
Jun 14, 2015
Nick Sabalausky
Re: safeArg v0.9.4
Jun 14, 2015
Nick Sabalausky
Re: safeArg v0.9.5
Jun 16, 2015
Nick Sabalausky
Re: safeArg v0.9.6
Jun 28, 2015
Nick Sabalausky
Re: safeArg v0.9.7
Jun 28, 2015
Nick Sabalausky
June 09, 2015
https://github.com/Abscissa/safeArg
http://code.dlang.org/packages/safearg

This is a small command line tool that was inspired by this: http://stackoverflow.com/questions/30720364/honoring-quoting-in-reading-shell-arguments-from-a-file

To quote safeArg's readme:

-----------------------------------------
Using eval or command substitution to pass arguments to a program is error-prone, non-portable and a potential security risk:

    Error-Prone: Proper shell quoting/escaping rules can be complex and confusing. Ignoring proper quoting/escaping can cause your program to fail (or worse) on certain inputs (such as filepaths with spaces, or multi-line data).

    Non-Portable: Posix platforms and Windows have completely different shells, and not all Windows machines have a Posix-style shell installed. Even the various Posix shells may have differences, and knowing whether you're relying on an extension-specific feature isn't always obvious.

    Potential Security Risk: Specially-constructed arguments can give an attacker full shell access.

A recommended solution is to use a null-delimited stream for sending the output of one command to the command line of another. This completely bypasses the shell's command parsing, and thus can avoid the problems above. Unfortunately, using the shell to actually send a null-delimited stream of arguments to a program can still be non-trivial and platform-specific, so this cross-platform tool helps you out:

$ safearg program_to_run < INPUT

For example (Granted, this example is using tools that aren't built-in on Windows, but it's only an example for illustration. Safearg itself is cross-platform, and sticking to only cross-platform tools would still work fine):

$ printf "[%s]\n" abc 'hello world'   # Let's try doing this
[abc]
[hello world]

$ echo abc \'hello world\' >datafile  # Store in file: abc 'hello world'
$ printf "[%s]\n" $(<datafile)        # Fails?! Plus, a security risk :(
[abc]
['hello]
[world']

$ echo -n '[%s]\n' >datafile          # Store printf's first arg
$ printf "\0abc\0hello world" >>datafile # Append next two args
$ safearg printf <datafile            # Works! And safe!
[abc]
[hello world]
-----------------------------------------

I think it's cool that this program is only about 100 LOC. Yay D :)
June 09, 2015
This sounds like "xargs":
http://linux.die.net/man/1/xargs
June 09, 2015
On 06/09/2015 05:45 AM, "Marc =?UTF-8?B?U2Now7x0eiI=?= <schuetzm@gmx.net>" wrote:
> This sounds like "xargs":
> http://linux.die.net/man/1/xargs

Heh,

Unix: The ORIGINAL "There's an app for that." ;)

In any case, FWIW, safearg is simpler (which I suppose could be good or bad depending on use-case), and easier for D users to be able to rely on even in Windows due to dub support (Windows users rarely ever install GNU tools).
June 14, 2015
On 06/09/2015 02:16 AM, Nick Sabalausky wrote:
> https://github.com/Abscissa/safeArg
> http://code.dlang.org/packages/safearg
>
> This is a small command line tool that was inspired by this:
> http://stackoverflow.com/questions/30720364/honoring-quoting-in-reading-shell-arguments-from-a-file
>

Just tagged a small update, v0.9.2:

https://github.com/Abscissa/safeArg/blob/master/CHANGELOG.md

- Enhancement: Use --newline|-n to delimit with newlines (both \n and \r\n) instead of \0.

- Enhancement: Use --delim=VALUE to use custom one-byte delimiter instead of \0.

- Enhancement: Displays version number in help screen, and via new --version flag.

- Change: Cleaned up internal directory structure.

- Change: Documentation improvements.

June 14, 2015
On 06/09/2015 02:16 AM, Nick Sabalausky wrote:
> https://github.com/Abscissa/safeArg
> http://code.dlang.org/packages/safearg
>
> This is a small command line tool that was inspired by this:
> http://stackoverflow.com/questions/30720364/honoring-quoting-in-reading-shell-arguments-from-a-file
>

Another small update, v0.9.3:

https://github.com/Abscissa/safeArg/blob/master/CHANGELOG.md

- Enhancement: Allow extra "initial-arguments" to be specified on the command line (ex: safearg echo -n < WHATEVER).

- Enhancement: Add --post|-p for "post"-arguments to be added to the end of the command line.

June 14, 2015
Yet another. Hopefully the last for now ;)

safeArg v0.9.4

https://github.com/Abscissa/safeArg/blob/master/CHANGELOG.md

- Fixed: Build failure for projects depending on safearg (gen-package-version was run from wrong directory).

June 16, 2015
Aaaand, one more...

safeArg v0.9.5

https://github.com/Abscissa/safeArg/blob/master/CHANGELOG.md

- Fixed: Correctly pass-thru all initial_arguments after program_to_run, instead of mistakenly trying to process them.

- Fixed: Fix a build issue for dub projects with a dependency on safearg by updating minimum gen-package-version to v0.9.3.

June 28, 2015
Another small update:

safeArg v0.9.6
https://github.com/Abscissa/safeArg/blob/master/CHANGELOG.md

One change:
- Enhancement: Add --verbose|-v to echo the generated command to stdout before running.
June 28, 2015
safeArg v0.9.7
https://github.com/Abscissa/safeArg/blob/master/CHANGELOG.md

- Fixed: Don't use a broken scriptlike release (v0.9.0), use v0.9.1 instead.