Escape special chars in shell scripts

packages/safe-chain/src/utils/safeSpawn.js

@@ -1,9 +1,15 @@
 import { spawnSync, spawn } from "child_process";
 
 function escapeArg(arg) {
-  // If argument contains spaces or quotes, wrap in double quotes and escape double quotes
+  // Shell metacharacters that need escaping
-  if (arg.includes(" ") || arg.includes('"') || arg.includes("'")) {
+  // These characters have special meaning in shells and need to be quoted
-    return '"' + arg.replaceAll('"', '\\"') + '"';
+  const shellMetaChars = /[ "&'|;<>()$`\\!*?[\]{}~#]/;
+
+  // If argument contains shell metacharacters, wrap in double quotes
+  // and escape characters that are special even inside double quotes
+  if (shellMetaChars.test(arg)) {
+    // Inside double quotes, we need to escape: " $ ` \
+    return '"' + arg.replace(/(["`$\\])/g, '\\$1') + '"';
   }
   return arg;
 }

packages/safe-chain/src/utils/safeSpawn.spec.js

@@ -105,5 +105,14 @@ describe("safeSpawn", () => {
       assert.strictEqual(spawnCalls[0].command, "npm install axios --save");
       assert.strictEqual(spawnCalls[0].options.shell, true);
     });
+
+    it(`should escape ampersand character (${variant})`, async () => {
+      await runSafeSpawn(variant, "npx", ["cypress", "run", "--env", "password=foo&bar"]);
+
+      assert.strictEqual(spawnCalls.length, 1);
+      // & should be escaped by wrapping the arg in quotes
+      assert.strictEqual(spawnCalls[0].command, 'npx cypress run --env "password=foo&bar"');
+      assert.strictEqual(spawnCalls[0].options.shell, true);
+    });
   }
 });