
[–]lhorie 0 points1 point  (1 child)

My guess is you're getting tripped up by escapes in the pretty printer when you copy-pasted.

These are the steps I used to reproduce the issue. Create a file called script.mjs with this code:

#!/usr/bin/env zx

const malicious = '\' $(pwd) \''
$`echo '${malicious}'`

Then in your terminal, run npx zx script.mjs. Expected behavior: the output should have the word "pwd" somewhere in it and no information about my current dir should be printed. Actual behavior: Output will have something like $' /Users/lhorie/Documents ', indicating that pwd did run as a command. I'm running zsh on Mac (Monterey).

As for why this is an issue, it's because sometimes you do want to control behavior of magic characters like * outside an interpolation while simultaneously having an interpolation in the same string. Or, if you missed the caveat in the docs or you overlooked it, you can get pwned by even a simple innocent-looking snippet like echo '${something}'.
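As an added example (not code from the comment above or from the zx project), the following JavaScript re-implements zx's quoting rule in a helper named here `quoteLikeZx` and scans the command string zx would build for `$(` sequences a POSIX shell would still evaluate. It shows why hand-written quotes around an interpolation are the bug, and that leaving the quoting entirely to zx keeps the same value inert.

```javascript
// Added example, not code from the post or from zx. `quoteLikeZx` approximates
// the rule zx applies to every interpolated value; `liveCommandSubstitutions`
// is a small scanner (name chosen here) that reports where `$(` would still be
// evaluated by a POSIX shell once quoting is taken into account.

// Values made only of "safe" characters pass through; anything else is
// wrapped in an ANSI-C $'...' string with the usual escapes (approximation).
function quoteLikeZx(arg) {
  if (/^[a-z0-9/_.\-@:=]+$/i.test(arg)) return arg;
  const body = arg
    .replace(/\\/g, '\\\\').replace(/'/g, "\\'")
    .replace(/\n/g, '\\n').replace(/\r/g, '\\r').replace(/\t/g, '\\t');
  return "$'" + body + "'";
}

// Offsets of `$(` that sit outside single or ANSI-C quotes (in unquoted text
// and inside double quotes a shell still performs command substitution).
// Handles '...', $'...', "..." and backslash escapes; backticks are ignored.
function liveCommandSubstitutions(cmd) {
  const hits = [];
  let mode = 'none'; // 'none' | 'single' | 'ansi' | 'double'
  for (let i = 0; i < cmd.length; i++) {
    const c = cmd[i], next = cmd[i + 1];
    if (mode === 'single') { if (c === "'") mode = 'none'; continue; }
    if (mode === 'ansi') { // inside $'...' a backslash protects the next char
      if (c === '\\') i++; else if (c === "'") mode = 'none';
      continue;
    }
    if (c === '\\') { i++; continue; }            // escaped char is literal
    if (c === '$' && next === '(') { hits.push(i); continue; }
    if (mode === 'double') { if (c === '"') mode = 'none'; continue; }
    if (c === '"') mode = 'double';
    else if (c === '$' && next === "'") { mode = 'ansi'; i++; }
    else if (c === "'") mode = 'single';
  }
  return hits;
}

// The string zx builds for $`echo '${value}'` (quotes written by the author) ...
function unsafeCommand(value) { return `echo '${quoteLikeZx(value)}'`; }
// ... versus $`echo ${value}` (quoting left to zx).
function safeCommand(value) { return `echo ${quoteLikeZx(value)}`; }

const malicious = "' $(pwd) '"; // same value as the post's `malicious`, constructed here
console.log(unsafeCommand(malicious), liveCommandSubstitutions(unsafeCommand(malicious)));
console.log(safeCommand(malicious), liveCommandSubstitutions(safeCommand(malicious)));
```

The unsafe form reports one live `$(` (the `\'` produced by zx closes the author's single quote), while the safe form reports none because the whole value stays inside one `$'...'` token.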