Skip to content

nix-store --print-env: fix shell quoting on _args output #14329

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

nix-store --print-env: fix shell quoting on _args output #14329

wants to merge 1 commit into from

Conversation

@Mic92
Copy link
Member

@Mic92 Mic92 commented Oct 22, 2025

The previous implementation double-quoted the _args variable by escaping each argument individually and then wrapping them all in single quotes, producing output like: _args=''-e' 'arg1' 'arg2''

This fix concatenates all arguments into a single string first, then escapes that string once, producing correct output like: _args='-e arg1 arg2'

This prevents potential command injection issues when the output is sourced in shell scripts.

Fixes #14327

Motivation

Context

Add 👍 to pull requests you find important.

The Nix maintainer team uses a GitHub project board to schedule and track reviews.

@Mic92 Mic92 requested a review from edolstra as a code owner October 22, 2025 19:00
@github-actions github-actions bot added new-cli Relating to the "nix" command with-tests Issues related to testing. PRs with tests have some priority labels Oct 22, 2025
@Mic92 Mic92 force-pushed the nix-store-print-env branch from ed3d0c8 to 68c48ce Compare October 22, 2025 19:02
@Mic92
nix-store --print-env: fix shell quoting on _args output
5ed7379 
The previous implementation double-quoted the _args variable by escaping
each argument individually and then wrapping them all in single quotes,
producing output like: _args=''-e' 'arg1' 'arg2''

This fix concatenates all arguments into a single string first, then
escapes that string once, producing correct output like:
_args='-e arg1 arg2'

This prevents potential command injection issues when the output is
sourced in shell scripts.

Fixes NixOS#14327
@Mic92 Mic92 force-pushed the nix-store-print-env branch from 68c48ce to 5ed7379 Compare October 27, 2025 20:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Ericson2314 Ericson2314 Ericson2314 approved these changes

@edolstra edolstra Awaiting requested review from edolstra edolstra is a code owner

+1 more reviewer

@matshch matshch matshch approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

new-cli Relating to the "nix" command with-tests Issues related to testing. PRs with tests have some priority

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

nix-store --print-env improperly escapes the command line arguments of the builder

3 participants

@Mic92 @Ericson2314 @matshch