Description
No escaping is done when passing the listed files to the file command here:

```lua
local mime_type = utils.get_os_command_output({ "file", "--mime-type", "-b", filename })[1]
```

I suspected a missing utils.path_expand(...), but wrapping filename with it does not resolve the issue.
in an empty folder:
:w \
:Telescope find_files
Neovim version
NVIM v0.11.5
Build type: RelWithDebInfo
LuaJIT 2.1.1765007043
Operating system and version
arch 6.17.9-arch1-1
Telescope version / branch / rev
v0.2.0
checkhealth telescope
==============================================================================
telescope: ✅
Checking for required plugins ~
- ✅ OK plenary installed.
Checking external dependencies ~
- ✅ OK rg: found ripgrep 15.1.0
- ✅ OK fd: found fd 10.3.0
===== Installed extensions ===== ~
Telescope Extension: `fzf` ~
- ✅ OK lib working as expected
- ✅ OK file_sorter correctly configured
- ✅ OK generic_sorter correctly configured
Telescope Extension: `ui-select` ~
- No healthcheck provided
Steps to reproduce
- in an empty folder `touch '\'`
- open nvim and `:Telescope find_files`
Expected behavior
special characters in filenames work as usual.
Actual behavior
special characters in filenames can result in command injection.
Minimal config
```lua
local root = vim.fn.fnamemodify("./.repro", ":p")

-- set stdpaths to use .repro
for _, name in ipairs { "config", "data", "state", "cache" } do
  vim.env[("XDG_%s_HOME"):format(name:upper())] = root .. "/" .. name
end

-- bootstrap lazy
local lazypath = root .. "/plugins/lazy.nvim"
if not vim.uv.fs_stat(lazypath) then
  vim.fn.system {
    "git",
    "clone",
    "--filter=blob:none",
    "https://github.com/folke/lazy.nvim.git",
    lazypath,
  }
end
vim.opt.runtimepath:prepend(lazypath)

-- install plugins
local plugins = {
  {
    "nvim-telescope/telescope.nvim",
    dependencies = {
      "nvim-lua/plenary.nvim",
    },
    config = function()
      -- ADD INIT.LUA SETTINGS THAT ARE _NECESSARY_ FOR REPRODUCING THE ISSUE
      require("telescope").setup {}
    end,
  },
}

require("lazy").setup(plugins, {
  root = root .. "/plugins",
})
```
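
A check for how names with special characters reach `file`, as an added example that is not part of the original report or of telescope.nvim: each name is passed as a single argv element after `--`, and the directory is inspected afterwards for side effects. The file names, the `mime_type` helper and the `marker` name are constructed for illustration; it assumes Neovim 0.10+ and the `file` utility on PATH.

```lua
-- Added example, not telescope.nvim code. Run with: nvim -l check_file_argv.lua
-- Assumes Neovim 0.10+ (vim.system) and the `file` utility on PATH.

-- Constructed file names with characters a shell would interpret (no "/" allowed).
local names = { "\\", "a b.txt", "-b", "$(touch marker)", ";touch marker", "*" }

local dir = vim.fn.tempname()
vim.fn.mkdir(dir, "p")
for _, name in ipairs(names) do
  local fd = assert(vim.uv.fs_open(dir .. "/" .. name, "w", 420)) -- 420 == 0644
  assert(vim.uv.fs_write(fd, "hello\n"))
  assert(vim.uv.fs_close(fd))
end

-- Hypothetical helper: the name travels as one argv element, never inside a
-- shell string. "--" ends option parsing, so "-b" is read as a file operand.
local function mime_type(name)
  local cmd = { "file", "--mime-type", "-b", "--", name }
  local res = vim.system(cmd, { cwd = dir, text = true }):wait()
  return res.code, vim.trim(res.stdout or "")
end

local failures = 0
for _, name in ipairs(names) do
  local code, mime = mime_type(name)
  local ok = code == 0 and mime == "text/plain"
  if not ok then failures = failures + 1 end
  print(("%-4s %s exit=%d mime=%s"):format(ok and "ok" or "FAIL", vim.inspect(name), code, mime))
end

-- If any name had been interpreted rather than passed through, the directory
-- would now differ from what was created (for example, contain "marker").
local expected = {}
for _, name in ipairs(names) do expected[name] = true end
for _, entry in ipairs(vim.fn.readdir(dir)) do
  if not expected[entry] then
    failures = failures + 1
    print("FAIL unexpected entry: " .. entry)
  end
end

vim.fn.delete(dir, "rf")
os.exit(failures == 0 and 0 or 1)
```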