[Fix] quote: validate object-token shapes

The per-character `.op` escape (`/(.)/g`) did not match line terminators
(`\n`, `\r`, U+2028, U+2029),
so a literal newline in `.op` passed through unescaped and acted as a shell command separator.
Replace the regex with strict shape validation:

- `{ op }`: `.op` must match the parser's control-operator allowlist
- `{ op: 'glob', pattern }`: `.pattern` must be a string without line terminators; glob metas pass through, shell-special chars are escaped
  (Previously the field was discarded and the literal `\g\l\o\b` was emitted)
- `{ comment }`: `.comment` must be a string without line terminators
  (Previously `quote` crashed on `{ comment }` tokens that `parse` emits)
- Any other object shape: `TypeError`

Author: ljharb

README.md

@@ -107,6 +107,13 @@ var parse = require('shell-quote/parse');
 Return a quoted string for the array `args` suitable for using in shell
 commands.
 
+Each entry of `args` may be a string, or one of the object shapes that
+`parse` emits: `{ op }` (where `op` is one of the control operators
+`||`, `&&`, `;;`, `|&`, `<(`, `<<<`, `>>`, `>&`, `<&`, `&`, `;`, `(`,
+`)`, `|`, `<`, `>`), `{ op: 'glob', pattern }`, or `{ comment }`. Any
+other object shape, an unrecognized `op`, or a `pattern`/`comment`
+containing line terminators throws a `TypeError`.
+
 ## parse(cmd, env={})
 
 Return an array of arguments from the quoted string `cmd`.

quote.js

@@ -1,12 +1,54 @@
 'use strict';
 
+var OPS = [
+	'||',
+	'&&',
+	';;',
+	'|&',
+	'<(',
+	'<<<',
+	'>>',
+	'>&',
+	'<&',
+	'&',
+	';',
+	'(',
+	')',
+	'|',
+	'<',
+	'>'
+];
+var LINE_TERMINATORS = /[\n\r\u2028\u2029]/;
+var GLOB_SHELL_SPECIAL = /[\s#!"$&'():;<=>@\\^`|]/g;
+
 module.exports = function quote(xs) {
 	return xs.map(function (s) {
 		if (s === '') {
 			return '\'\'';
 		}
 		if (s && typeof s === 'object') {
-			return s.op.replace(/(.)/g, '\\$1');
+			if (s.op === 'glob') {
+				if (typeof s.pattern !== 'string') {
+					throw new TypeError('glob token requires a string `pattern`');
+				}
+				if (LINE_TERMINATORS.test(s.pattern)) {
+					throw new TypeError('glob `pattern` must not contain line terminators');
+				}
+				return s.pattern.replace(GLOB_SHELL_SPECIAL, '\\$&');
+			}
+			if (typeof s.op === 'string') {
+				if (OPS.indexOf(s.op) < 0) {
+					throw new TypeError('invalid `op` value: ' + JSON.stringify(s.op));
+				}
+				return s.op.replace(/[\s\S]/g, '\\$&');
+			}
+			if (typeof s.comment === 'string') {
+				if (LINE_TERMINATORS.test(s.comment)) {
+					throw new TypeError('`comment` must not contain line terminators');
+				}
+				return '#' + s.comment;
+			}
+			throw new TypeError('unrecognized object token shape');
 		}
 		if ((/["\s\\]/).test(s) && !(/'/).test(s)) {
 			return "'" + s.replace(/(['])/g, '\\$1') + "'";

test/quote.js

@@ -58,3 +58,59 @@ test('empty strings', function (t) {
 
 	t.end();
 });
+
+test('quote ops: allowlist', function (t) {
+	var ops = ['||', '&&', ';;', '|&', '<(', '<<<', '>>', '>&', '<&', '&', ';', '(', ')', '|', '<', '>'];
+	for (var i = 0; i < ops.length; i++) {
+		var op = ops[i];
+		var expected = '';
+		for (var j = 0; j < op.length; j++) { expected += '\\' + op.charAt(j); }
+		t.equal(quote([{ op: op }]), expected, 'op ' + op);
+	}
+	t.end();
+});
+
+test('quote ops: rejects line terminators (GHSA-w7jw-789q-3m8p)', function (t) {
+	t['throws'](function () { quote([{ op: ';\nid' }]); }, TypeError, 'newline in op');
+	t['throws'](function () { quote([{ op: ';\rid' }]); }, TypeError, 'carriage return in op');
+	t['throws'](function () { quote([{ op: ';\u2028id' }]); }, TypeError, 'U+2028 in op');
+	t['throws'](function () { quote([{ op: ';\u2029id' }]); }, TypeError, 'U+2029 in op');
+	t.end();
+});
+
+test('quote ops: rejects non-allowlisted values', function (t) {
+	t['throws'](function () { quote([{ op: '' }]); }, TypeError, 'empty op');
+	t['throws'](function () { quote([{ op: 'foo' }]); }, TypeError, 'arbitrary string');
+	t['throws'](function () { quote([{ op: '|||' }]); }, TypeError, 'near-miss');
+	t['throws'](function () { quote([{ op: 42 }]); }, TypeError, 'non-string op');
+	t.end();
+});
+
+test('quote glob pattern', function (t) {
+	t.equal(quote([{ op: 'glob', pattern: 'test/*.test.js' }]), 'test/*.test.js');
+	t.equal(quote([{ op: 'glob', pattern: '?ab' }]), '?ab');
+	t.equal(quote([{ op: 'glob', pattern: '[ab]c' }]), '[ab]c');
+	t.equal(quote([{ op: 'glob', pattern: '{a,b}' }]), '{a,b}');
+	t.equal(quote([{ op: 'glob', pattern: 'my dir/*.txt' }]), 'my\\ dir/*.txt');
+	t.equal(quote([{ op: 'glob', pattern: 'a$b' }]), 'a\\$b');
+	t['throws'](function () { quote([{ op: 'glob' }]); }, TypeError, 'missing pattern');
+	t['throws'](function () { quote([{ op: 'glob', pattern: 'a\nb' }]); }, TypeError, 'newline in pattern');
+	t['throws'](function () { quote([{ op: 'glob', pattern: 'a\u2028b' }]); }, TypeError, 'U+2028 in pattern');
+	t.end();
+});
+
+test('quote comment', function (t) {
+	t.equal(quote(['echo', 'hi', { comment: ' a comment' }]), 'echo hi # a comment');
+	t.equal(quote([{ comment: '' }]), '#');
+	t['throws'](function () { quote([{ comment: 'a\nb' }]); }, TypeError, 'newline in comment');
+	t['throws'](function () { quote([{ comment: 'a\rb' }]); }, TypeError, 'CR in comment');
+	t['throws'](function () { quote([{ comment: 'a\u2028b' }]); }, TypeError, 'U+2028 in comment');
+	t.end();
+});
+
+test('quote rejects unrecognized object shapes', function (t) {
+	t['throws'](function () { quote([{}]); }, TypeError, 'empty object');
+	t['throws'](function () { quote([{ foo: 'bar' }]); }, TypeError, 'unknown key');
+	t['throws'](function () { quote([{ op: null }]); }, TypeError, 'null op');
+	t.end();
+});