prefix-dev
Escaping shell substitution with `pixi run` requires multiple layers of quoting
Checks
-
[X] I have checked that this issue has not already been reported.
-
[X] I have confirmed this bug exists on the latest version of pixi, using
pixi --version.
Reproducible example
$ cat script.sh
echo "$1"
$ ./script.sh '*'
*
$ pixi --version
pixi 0.25.0
$ pixi init
✔ Initialized project in /tmp/bug/.
$ pixi run script.sh '*'
pixi.lock
# ^ that is strange, there are actually 3 files in the current directory
$ pixi run script.sh "'*'"
*
# ^ expected output
$ pixi self-update --version 0.28.2
✔ Pixi will be updated from 0.25.0 to 0.28.2
✔ Pixi archive downloaded.
✔ Pixi archive uncompressed.
✔ Pixi has been updated to version 0.28.2.
$ pixi run script.sh "'*'"
pixi.lock
# ^ now that's wrong
$ pixi run script.sh ""'*'""
*
# ^ correct again, with 3 layers of quoting
Issue description
pixi requires several layers of quotes to avoid shell substitutions. The "correct" number of quote is 1 (e.g. when you directly call the target script). pixi 0.25.0 needs two. pixi 0.28.2 needs three.
Expected behavior
$ pixi run script.sh '*'
*
Ah this is because of deno task shell. The first quotes are needed to escape the *wildcard in your own shell. But then the * is interpreted by deno task shell which will also use it as a wildcard which is why you see pixi.lock. That is the result of the wildcard expansion.
But the 3 quotes are strange to me.. That needs a little more investigation.
I have what I think is a clearer example of this:
$ pixi run python -c "print('hello')"
Traceback (most recent call last):
File "<string>", line 1, in <module>
print(hello)
^^^^^
NameError: name 'hello' is not defined. Did you mean: 'help'?
vs
$ pixi run python -c 'print("hello")'
hello
It seems like it's a case of quoting argv correcrly when running it rather than asuming single quotes are correct, similar to https://docs.python.org/3/library/shlex.html#shlex.quote
