feat: add Prepare::with_shell_allow_argument_splitting() flag.

This flag is enabled on windows by default to emulate `git` which
doesn't actually use a shell at all there.

This should help to allow windows users to use more complex programs,
which might not have been possible previously.

It also allows certain areas of `gix` to indicate that they are safe to
use with this flag, which always is the case when `git` is prefixed, like
with credential helpers.

Author: Byron

Cargo.lock

@@ -14,8 +14,10 @@ doctest = false
 
 [dependencies]
 gix-trace = { version = "^0.1.3", path = "../gix-trace" }
+gix-path = { version = "^0.10.0", path = "../gix-path" }
 
 bstr = { version = "1.5.0", default-features = false, features = ["std"] }
+shell-words = "1.0"
 
 [dev-dependencies]
 gix-testtools = { path = "../tests/tools" }

gix-command/Cargo.toml

@@ -20,6 +20,19 @@ pub struct Prepare {
     pub env: Vec<(OsString, OsString)>,
     /// If `true`, we will use `sh` to execute the `command`.
     pub use_shell: bool,
+    /// If `true` (default `true` on windows and `false` everywhere else)
+    /// we will see if it's safe to manually invoke `command` after splitting
+    /// its arguments as a shell would do.
+    /// Note that outside of windows, it's generally not advisable as this
+    /// removes support for literal shell scripts with shell-builtins.
+    ///
+    /// This mimics the behaviour we see with `git` on windows, which also
+    /// won't invoke the shell there at all.
+    ///
+    /// Only effective if `use_shell` is `true` as well, as the shell will
+    /// be used as a fallback if it's not possible to split arguments as
+    /// the command-line contains 'scripting'.
+    pub allow_manual_arg_splitting: bool,
 }
 
 mod prepare {
@@ -54,6 +67,14 @@ mod prepare {
             self
         }
 
+        /// Use a shell, but try to split arguments by hand if this be safely done without a shell.
+        ///
+        /// If that's not the case, use a shell instead.
+        pub fn with_shell_allow_argument_splitting(mut self) -> Self {
+            self.allow_manual_arg_splitting = true;
+            self.with_shell()
+        }
+
         /// Configure the process to use `stdio` for _stdin.
         pub fn stdin(mut self, stdio: Stdio) -> Self {
             self.stdin = stdio;
@@ -103,14 +124,38 @@ mod prepare {
     impl From<Prepare> for Command {
         fn from(mut prep: Prepare) -> Command {
             let mut cmd = if prep.use_shell {
-                let mut cmd = Command::new(if cfg!(windows) { "sh" } else { "/bin/sh" });
-                cmd.arg("-c");
-                if !prep.args.is_empty() {
-                    prep.command.push(" \"$@\"")
+                let split_args = prep
+                    .allow_manual_arg_splitting
+                    .then(|| {
+                        if gix_path::into_bstr(std::borrow::Cow::Borrowed(prep.command.as_ref()))
+                            .find_byteset(b"\\|&;<>()$`\n*?[#~%")
+                            .is_none()
+                        {
+                            prep.command
+                                .to_str()
+                                .and_then(|args| shell_words::split(args).ok().map(Vec::into_iter))
+                        } else {
+                            None
+                        }
+                    })
+                    .flatten();
+                match split_args {
+                    Some(mut args) => {
+                        let mut cmd = Command::new(args.next().expect("non-empty input"));
+                        cmd.args(args);
+                        cmd
+                    }
+                    None => {
+                        let mut cmd = Command::new(if cfg!(windows) { "sh" } else { "/bin/sh" });
+                        cmd.arg("-c");
+                        if !prep.args.is_empty() {
+                            prep.command.push(" \"$@\"")
+                        }
+                        cmd.arg(prep.command);
+                        cmd.arg("--");
+                        cmd
+                    }
                 }
-                cmd.arg(prep.command);
-                cmd.arg("--");
-                cmd
             } else {
                 Command::new(prep.command)
             };
@@ -140,5 +185,6 @@ pub fn prepare(cmd: impl Into<OsString>) -> Prepare {
         args: Vec::new(),
         env: Vec::new(),
         use_shell: false,
+        allow_manual_arg_splitting: cfg!(windows),
     }
 }

gix-command/src/lib.rs

@@ -15,12 +15,25 @@ mod prepare {
         let cmd = std::process::Command::from(gix_command::prepare(""));
         assert_eq!(format!("{cmd:?}"), "\"\"");
     }
+
     #[test]
     fn single_and_multiple_arguments() {
         let cmd = std::process::Command::from(gix_command::prepare("ls").arg("first").args(["second", "third"]));
         assert_eq!(format!("{cmd:?}"), quoted(&["ls", "first", "second", "third"]));
     }
 
+    #[test]
+    fn multiple_arguments_in_one_line_with_auto_split() {
+        let cmd = std::process::Command::from(
+            gix_command::prepare("echo first second third").with_shell_allow_argument_splitting(),
+        );
+        assert_eq!(
+            format!("{cmd:?}"),
+            quoted(&["echo", "first", "second", "third"]),
+            "we split by hand which works unless one tries to rely on shell-builtins (which we can't detect)"
+        );
+    }
+
     #[test]
     fn single_and_multiple_arguments_as_part_of_command() {
         let cmd = std::process::Command::from(gix_command::prepare("ls first second third"));
@@ -36,7 +49,11 @@ mod prepare {
         let cmd = std::process::Command::from(gix_command::prepare("ls first second third").with_shell());
         assert_eq!(
             format!("{cmd:?}"),
-            quoted(&[SH, "-c", "ls first second third", "--"]),
+            if cfg!(windows) {
+                quoted(&["ls", "first", "second", "third"])
+            } else {
+                quoted(&[SH, "-c", "ls first second third", "--"])
+            },
             "with shell, this works as it performs word splitting"
         );
     }
@@ -46,17 +63,43 @@ mod prepare {
         let cmd = std::process::Command::from(gix_command::prepare("ls --foo \"a b\"").arg("additional").with_shell());
         assert_eq!(
             format!("{cmd:?}"),
-            format!("\"{SH}\" \"-c\" \"ls --foo \\\"a b\\\" \\\"$@\\\"\" \"--\" \"additional\""),
+            if cfg!(windows) {
+                quoted(&["ls", "--foo", "a b", "additional"])
+            } else {
+                format!(r#""{SH}" "-c" "ls --foo \"a b\" \"$@\"" "--" "additional""#)
+            },
             "with shell, this works as it performs word splitting"
         );
     }
 
+    #[test]
+    fn single_and_complex_arguments_with_auto_split() {
+        let cmd =
+            std::process::Command::from(gix_command::prepare("ls --foo=\"a b\"").with_shell_allow_argument_splitting());
+        assert_eq!(
+            format!("{cmd:?}"),
+            format!(r#""ls" "--foo=a b""#),
+            "splitting can also handle quotes"
+        );
+    }
+
+    #[test]
+    fn single_and_complex_arguments_will_not_auto_split_on_special_characters() {
+        let cmd =
+            std::process::Command::from(gix_command::prepare("ls --foo=~/path").with_shell_allow_argument_splitting());
+        assert_eq!(
+            format!("{cmd:?}"),
+            format!(r#""{SH}" "-c" "ls --foo=~/path" "--""#),
+            "splitting can also handle quotes"
+        );
+    }
+
     #[test]
     fn tilde_path_and_multiple_arguments_as_part_of_command_with_shell() {
         let cmd = std::process::Command::from(gix_command::prepare("~/bin/exe --foo \"a b\"").with_shell());
         assert_eq!(
             format!("{cmd:?}"),
-            format!("\"{SH}\" \"-c\" \"~/bin/exe --foo \\\"a b\\\"\" \"--\""),
+            format!(r#""{SH}" "-c" "~/bin/exe --foo \"a b\"" "--""#),
             "this always needs a shell as we need tilde expansion"
         );
     }