From ea77d4a637cc2057d606d63d743fac3b7aa925b5 Mon Sep 17 00:00:00 2001
From: ben c
Date: Fri, 14 Mar 2025 16:55:12 +0100
Subject: [PATCH] fix: use shlex for more robust shell escaping

Initially I was using a simple regex for escaping single quotes; this is copied over from the original apptainer implementation in what I believe it's an attempt at defending against shell injection via provided commands. It seems `shlex.quote` is a more robust function call to try to properly parse strings that can be safely used as shell command line. Do note that `shlex.quote()` is only designed for POSIX-compliant shells.
---
 src/snakemake_software_deployment_plugin_container/__init__.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/snakemake_software_deployment_plugin_container/__init__.py b/src/snakemake_software_deployment_plugin_container/__init__.py
index 2638e1d..45445eb 100644
--- a/src/snakemake_software_deployment_plugin_container/__init__.py
+++ b/src/snakemake_software_deployment_plugin_container/__init__.py
@@ -3,6 +3,7 @@ __email__ = "ben.uzh@pm.me"
 __license__ = "MIT"
 import os.path
+import shlex
 import tempfile
 from dataclasses import dataclass, field
@@ -132,7 +133,7 @@ def decorate_shellcmd(self, cmd: str) -> str:
 containercache=repr(containercache),
 image_id=self.spec.image_uri,
 shell="/bin/sh",
-cmd=cmd.replace("'", r"'\''"),
+cmd=shlex.quote(cmd),
 )
 return decorated_cmd
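Review bot: `shlex.quote(cmd)` on the new `cmd=` line returns a value that already carries its own surrounding single quotes whenever quoting is needed, whereas the removed `cmd.replace("'", r"'\''")` only escaped embedded quotes for insertion into a `'...'` that the caller's template supplies. If the template that builds `decorated_cmd` (presumably a `.format()` string; it and the start of `decorate_shellcmd` are outside this hunk) still wraps the `{cmd}` placeholder in single quotes, the result is `'` + `'…'` + `'`, where the adjacent quote pairs collapse into empty strings and the command body ends up unquoted — the opposite of the hardening this commit intends. Check that the placeholder is now unquoted in the template, or keep a quoted placeholder with the old escaping, and pin the contract on this line with `# shlex.quote() supplies its own quoting; the template must not quote {cmd} again`. Also worth recording that `shlex.quote` is POSIX-only, which is consistent with the fixed `shell="/bin/sh"` here but would not hold if that value ever became configurable.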