From eaec10d7c8afadbdd783ac47bd2adbfab444d6df Mon Sep 17 00:00:00 2001
From: Rhys Arkins <rhys@arkins.net>
Date: Mon, 19 Feb 2024 14:27:38 +0100
Subject: [PATCH] fix: increase shlex usage

---
 lib/modules/manager/bundler/artifacts.ts     | 2 +-
 lib/modules/manager/cargo/artifacts.ts       | 4 ++--
 lib/modules/manager/composer/artifacts.ts    | 4 +++-
 lib/modules/manager/hermit/artifacts.ts      | 3 ++-
 lib/modules/manager/pep621/processors/pdm.ts | 7 ++++---
 5 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/lib/modules/manager/bundler/artifacts.ts b/lib/modules/manager/bundler/artifacts.ts
index 5b4f527a0a..60e17f6f4f 100644
--- a/lib/modules/manager/bundler/artifacts.ts
+++ b/lib/modules/manager/bundler/artifacts.ts
@@ -143,7 +143,7 @@ export async function updateArtifacts(
         if (hostRule.resolvedHost?.includes('-')) {
           // TODO: fix me, hostrules can missing all auth
           const creds = getAuthenticationHeaderValue(hostRule);
-          authCommands.push(`${hostRule.resolvedHost} ${creds}`);
+          authCommands.push(`${quote(hostRule.resolvedHost)} ${quote(creds)}`);
         }
         return authCommands;
       },
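Review bot: `quote(creds)` makes the credential safe for the shell, but the secret is still embedded in the command string pushed at `authCommands.push(...)`, so it will show up wherever that command is logged or recorded unless it is redacted downstream, which this hunk does not show. The existing TODO also still applies: whatever `getAuthenticationHeaderValue` returns for a host rule without auth is quoted and pushed like any other value. I would add a comment above the push, `// creds is a secret: the assembled command must be redacted before it is logged`. The enclosing callback starts outside the hunk.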
diff --git a/lib/modules/manager/cargo/artifacts.ts b/lib/modules/manager/cargo/artifacts.ts
index 7fa9ced9db..1b64c67959 100644
--- a/lib/modules/manager/cargo/artifacts.ts
+++ b/lib/modules/manager/cargo/artifacts.ts
@@ -53,8 +53,8 @@ async function cargoUpdatePrecise(
     cmds.push(
       `cargo update --config net.git-fetch-with-cli=true` +
         ` --manifest-path ${quote(manifestPath)}` +
-        ` --package ${dep.packageName!}@${dep.lockedVersion}` +
-        ` --precise ${dep.newVersion}`,
+        ` --package ${quote(`${dep.packageName}@${dep.lockedVersion}`)}` +
+        ` --precise ${quote(dep.newVersion!)}`,
     );
   }
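Review bot: `quote()` stops the shell from interpreting these values, but it does not stop cargo from reading a value that begins with `-` as an option, and nothing in this hunk checks the shape of `dep.lockedVersion` or `dep.newVersion`. The same applies to the package lists quoted in the hermit and pdm hunks, where the names are positional arguments. Separately, `dep.newVersion!` only silences the compiler, and an undefined `packageName` or `lockedVersion` is still interpolated as the literal text `undefined`, now inside the quoted argument. If this sits in a loop over deps (the enclosing block starts outside the hunk), a guard such as `if (!dep.packageName || !dep.lockedVersion || !dep.newVersion) { continue; }` before `cmds.push` would make both cases explicit.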
 
diff --git a/lib/modules/manager/composer/artifacts.ts b/lib/modules/manager/composer/artifacts.ts
index 44cbfca896..bf90aa7d7e 100644
--- a/lib/modules/manager/composer/artifacts.ts
+++ b/lib/modules/manager/composer/artifacts.ts
@@ -181,7 +181,9 @@ export async function updateArtifacts({
           'update ' +
           updatedDeps
             .map((dep) =>
-              dep.newVersion ? `${dep.depName}:${dep.newVersion}` : dep.depName,
+              dep.newVersion
+                ? quote(`${dep.depName}:${dep.newVersion}`)
+                : quote(dep.depName!),
             )
             .filter(is.string)
             .map((dep) => quote(dep))
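Review bot: The values are now quoted twice, because the first `.map` returns strings that already went through `quote(...)` and the unchanged `.map((dep) => quote(dep))` at the end of this hunk quotes them again. For a name or version containing shell-special characters, the second pass escapes the quote characters added by the first, so composer would receive literal quotes as part of the argument. Quoting also now runs before `.filter(is.string)`, with `dep.depName!` hiding the undefined case that filter was there to drop. I would keep a single quoting step after the filter, leaving the first `.map` to return the plain `depName:newVersion` or `depName` value. The statement continues outside the hunk.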
diff --git a/lib/modules/manager/hermit/artifacts.ts b/lib/modules/manager/hermit/artifacts.ts
index 052520ba53..3ea1d6424f 100644
--- a/lib/modules/manager/hermit/artifacts.ts
+++ b/lib/modules/manager/hermit/artifacts.ts
@@ -1,3 +1,4 @@
+import { quote } from 'shlex';
 import upath from 'upath';
 import { logger } from '../../../logger';
 import { exec } from '../../../util/exec';
@@ -210,7 +211,7 @@ async function updateHermitPackage(update: UpdateArtifact): Promise<void> {
   };
 
   const packagesToInstall = toInstall.join(' ');
-  const fromPackages = from.join(' ');
+  const fromPackages = from.map(quote).join(' ');
 
   const execCommands = `./hermit install ${packagesToInstall}`;
   logger.debug(
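Review bot: `packagesToInstall` on the line above is still built with `toInstall.join(' ')`, and it is the value interpolated into `./hermit install ${packagesToInstall}`. The newly quoted `fromPackages` does not appear in that command in the visible lines. Unless the entries of `toInstall` are already quoted where they are built (outside this hunk), the string handed to exec is unchanged by this commit. I would apply the same treatment: `const packagesToInstall = toInstall.map(quote).join(' ');`. The body of `updateHermitPackage` continues outside the hunk.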
diff --git a/lib/modules/manager/pep621/processors/pdm.ts b/lib/modules/manager/pep621/processors/pdm.ts
index d80ea729c8..a8c461448f 100644
--- a/lib/modules/manager/pep621/processors/pdm.ts
+++ b/lib/modules/manager/pep621/processors/pdm.ts
@@ -1,4 +1,5 @@
 import is from '@sindresorhus/is';
+import { quote } from 'shlex';
 import { TEMPORARY_ERROR } from '../../../../constants/error-messages';
 import { logger } from '../../../../logger';
 import { exec } from '../../../../util/exec';
@@ -139,7 +140,7 @@ function generateCMDs(updatedDeps: Upgrade[]): string[] {
         const [group, name] = dep.depName!.split('/');
         addPackageToCMDRecord(
           packagesByCMD,
-          `${pdmUpdateCMD} -G ${group}`,
+          `${pdmUpdateCMD} -G ${quote(group)}`,
           name,
         );
         break;
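Review bot: `dep.depName!.split('/')` yields an undefined `name` when `depName` has no `/`, and it silently drops anything after a second `/`; the hunk at -148 has the same pattern. Presumably `addPackageToCMDRecord` stores `name` in `packagesByCMD` (its body is not visible), in which case the new `.map(quote)` in the last pdm hunk is called on that undefined entry. A check before the call, `if (!group || !name) { throw new Error(TEMPORARY_ERROR); }` or whatever failure mode fits here, would keep malformed names out of the command. The enclosing switch starts outside the hunk.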
@@ -148,7 +149,7 @@ function generateCMDs(updatedDeps: Upgrade[]): string[] {
         const [group, name] = dep.depName!.split('/');
         addPackageToCMDRecord(
           packagesByCMD,
-          `${pdmUpdateCMD} -dG ${group}`,
+          `${pdmUpdateCMD} -dG ${quote(group)}`,
           name,
         );
         break;
@@ -160,7 +161,7 @@ function generateCMDs(updatedDeps: Upgrade[]): string[] {
   }
 
   for (const commandPrefix in packagesByCMD) {
-    const packageList = packagesByCMD[commandPrefix].join(' ');
+    const packageList = packagesByCMD[commandPrefix].map(quote).join(' ');
     const cmd = `${commandPrefix} ${packageList}`;
     cmds.push(cmd);
   }
-- 
GitLab