Fix command injection when exporting to curl

The command generated by `export.clip curl @focus` or `export.file curl
@focus /path/to/file` wasn't being properly escaped so it could contain
a malicious command instead of just a simple curl.

1 files changed, 16 insertions, 9 deletions

diff --git a/mitmproxy/addons/export.py b/mitmproxy/addons/export.py
index 90e95d3e..271fc49d 100644
--- a/mitmproxy/addons/export.py
+++ b/mitmproxy/addons/export.py
@@ -1,4 +1,5 @@
 import typing
+import shlex
 
 from mitmproxy import ctx
 from mitmproxy import command
@@ -18,20 +19,26 @@ def raise_if_missing_request(f: flow.Flow) -> None:
 
 def curl_command(f: flow.Flow) -> str:
     raise_if_missing_request(f)
-    data = "curl "
+    args = ["curl"]
     request = f.request.copy()  # type: ignore
     request.decode(strict=False)
     for k, v in request.headers.items(multi=True):
-        data += "-H '%s:%s' " % (k, v)
+        args += ["-H", shlex.quote("%s:%s" % (k, v))]
     if request.method != "GET":
-        data += "-X %s " % request.method
-    data += "'%s'" % request.url
+        args += ["-X", shlex.quote(request.method)]
+    args.append(shlex.quote(request.url))
     if request.content:
-        data += " --data-binary '%s'" % strutils.bytes_to_escaped_str(
-            request.content,
-            escape_single_quotes=True
-        )
-    return data
+        try:
+            content = strutils.always_str(request.content)
+        except UnicodeDecodeError:
+            # shlex.quote doesn't support a bytes object
+            # see https://github.com/python/cpython/pull/10871
+            raise exceptions.CommandError("Request content must be valid unicode")
+        args += [
+            "--data-binary",
+            shlex.quote(strutils.always_str(request.content))
+        ]
+    return ' '.join(args)
 
 
 def httpie_command(f: flow.Flow) -> str: