🧪 Testing Improvement: Extract and test shell escaping logic

src/utils/shell.test.ts

@@ -0,0 +1,17 @@
+import * as assert from "node:assert";
+import { test } from "node:test";
+import { escapeTextForShell } from "./shellEscape.ts";
+
+test("escapeTextForShell", () => {
+    // PowerShell
+    assert.strictEqual(escapeTextForShell("hello", "powershell"), "'hello'");
+    assert.strictEqual(escapeTextForShell("hello 'world'", "pwsh"), "'hello ''world'''");
+
+    // Windows CMD
+    assert.strictEqual(escapeTextForShell("hello", "cmd.exe"), "\"hello\"");
+    assert.strictEqual(escapeTextForShell("hello \"world\"", "cmd.exe"), "\"hello \"\"world\"\"\"");
+
+    // POSIX
+    assert.strictEqual(escapeTextForShell("hello", "bash"), "'hello'");
+    assert.strictEqual(escapeTextForShell("hello 'world'", "zsh"), "'hello '\\''world'\\'''");
+});

src/utils/shell.ts

@@ -1,4 +1,6 @@
+import type { ExtensionContext } from "vscode";
 import * as vscode from "vscode";
+import { escapeTextForShell } from "./shellEscape";
 
 /**
  * Escapes a string to be safely used as a command line argument
@@ -7,23 +9,5 @@ import * as vscode from "vscode";
 export function escapeForTerminal(text: string): string {
   // Try to determine the shell from VS Code environment
   const shell = (vscode.env.shell || "").toLowerCase();
-
-  // PowerShell
-  if (shell.includes("powershell") || shell.includes("pwsh")) {
-    // Wrap in single quotes, escape literal single quotes by doubling them
-    return `'${text.replace(/'/g, "''")}'`;
-  }
-
-  // Windows CMD
-  if (shell.includes("cmd.exe")) {
-    // CMD is notoriously difficult to escape perfectly.
-    // We replace double quotes with escaped double quotes and wrap in double quotes.
-    // For highly complex strings (like code diffs), CMD might still struggle
-    // with %, !, ^, etc., but this prevents trivial command injection via " & ".
-    return `"${text.replace(/"/g, '""')}"`;
-  }
-
-  // Default to POSIX (Bash, Zsh, Git Bash, macOS, Linux)
-  // Wrap in single quotes, escape literal single quotes as '\''
-  return `'${text.replace(/'/g, "'\\''")}'`;
+  return escapeTextForShell(text, shell);
 }

src/utils/shellEscape.ts

@@ -0,0 +1,24 @@
+/**
+ * Escapes a string to be safely used as a command line argument
+ * in a specified shell.
+ */
+export function escapeTextForShell(text: string, shell: string): string {
+  // PowerShell
+  if (shell.includes("powershell") || shell.includes("pwsh")) {
+    // Wrap in single quotes, escape literal single quotes by doubling them
+    return `'${text.replace(/'/g, "''")}'`;
+  }
+
+  // Windows CMD
+  if (shell.includes("cmd.exe")) {
+    // CMD is notoriously difficult to escape perfectly.
+    // We replace double quotes with escaped double quotes and wrap in double quotes.
+    // For highly complex strings (like code diffs), CMD might still struggle
+    // with %, !, ^, etc., but this prevents trivial command injection via " & ".
+    return `"${text.replace(/"/g, '""')}"`;
+  }
+
+  // Default to POSIX (Bash, Zsh, Git Bash, macOS, Linux)
+  // Wrap in single quotes, escape literal single quotes as '\''
+  return `'${text.replace(/'/g, "'\\''")}'`;
+}