Fix for "Incomplete string escaping or encoding"

data-douser · data-douser · commit bc89221796d7 · 2025-04-30T21:17:22.000-06:00
Atttempts fix the "Incomplete string escaping or encoding" code scanning
alert generated for the `extractors/cds/tools/src/cdsCompiler.ts` file.

Re-adds shell-quote sanitization logic that was lost during the
translation from "one big JavaScript script" to a modular solution
implemented primarily in TypeScript.
diff --git a/extractors/cds/tools/src/cdsCompiler.ts b/extractors/cds/tools/src/cdsCompiler.ts
@@ -1,6 +1,8 @@
 import { execFileSync, spawnSync, SpawnSyncReturns } from 'child_process';
 import { resolve } from 'path';
 
+import * as shellQuote from 'shell-quote';
+
 import { fileExists, dirExists, recursivelyRenameJsonFiles } from './filesystem';
 
 /**
@@ -115,8 +117,8 @@ export function addCompilationDiagnostic(
   codeqlExePath: string,
 ): boolean {
   try {
-    // Escape the error message for safe command line usage
-    const escapedErrorMessage = errorMessage.replace(/"/g, '\\"').replace(/\n/g, '\\n');
+    // Use shell-quote to safely escape the error message
+    const escapedErrorMessage = shellQuote.quote([errorMessage]);
 
     execFileSync(codeqlExePath, [
       'database',
@@ -126,7 +128,7 @@ export function addCompilationDiagnostic(
       '--source-id=cds/compilation-failure',
       '--source-name=Failure to compile one or more SAP CAP CDS files',
       '--severity=error',
-      `--markdown-message=${escapedErrorMessage}`,
+      `--markdown-message=${escapedErrorMessage.slice(1, -1)}`, // Remove the added quotes from shell-quote
       `--file-path=${resolve(cdsFilePath)}`,
       '--',
       `${process.env.CODEQL_EXTRACTOR_CDS_WIP_DATABASE ?? ''}`,
