From 687e194a204a6b495a2de970ed50a5a16f8ceda3 Mon Sep 17 00:00:00 2001
From: Alexis Svinartchouk
Date: Tue, 15 Sep 2020 12:56:27 +0200
Subject: [PATCH] Copy cmd.exe if the path contains any of thes characters: ` ' " & | < > ^
---
 index.js | 31 +++++++++++++++++++++++++------
 1 file changed, 25 insertions(+), 6 deletions(-)

diff --git a/index.js b/index.js
index 5ebeedc..706fb53 100644
--- a/index.js
+++ b/index.js
@@ -514,7 +514,16 @@ function Windows(instance, callback) {
 );
 }
 
+function WindowsNeedsCopyCmd(instance) {
+ const specialChars = /&`'"<>\|\^/;
+ return specialChars.test(instance.path);
+}
+
 function WindowsCopyCmd(instance, end) {
+ if (!WindowsNeedsCopyCmd(instance)) {
+ end();
+ return;
+ }
 // Work around https://github.com/jorangreef/sudo-prompt/issues/97
 // Powershell can't properly escape amperstands in paths.
 // We work around this by copying cmd.exe in our temporary folder and running
@@ -525,7 +534,7 @@ function WindowsCopyCmd(instance, end) {
 Node.fs.copyFile(
 Node.path.join(Node.process.env.SystemRoot, 'System32', 'cmd.exe'),
 Node.path.join(instance.path, 'cmd.exe'),
- end
+ end,
 );
 }
 
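Review bot: `specialChars` in `WindowsNeedsCopyCmd` is a literal eight-character sequence rather than a character class, so `test()` returns true only for a path that contains ``&`'"<>|^`` consecutively and in that order. A path with a lone `&` therefore reports false, `WindowsCopyCmd` calls `end()` without copying cmd.exe, and the workaround described in the comment below it does not run for the paths it was written for. Put the characters in brackets: ``const specialChars = /[&`'"<>|^]/;``. `WindowsCopyCmd` continues past the end of this hunk.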
@@ -536,14 +545,24 @@ function WindowsElevate(instance, end) {
 command.push('powershell.exe');
 command.push('Start-Process');
 command.push('-FilePath');
- // Node.path.join('.', 'cmd.exe') would return 'cmd.exe'
- command.push(['.', 'cmd.exe'].join(Node.path.sep));
- command.push('-ArgumentList');
- command.push('"/C","execute.bat"');
+ var options = { encoding: 'utf8' };
+ if (WindowsNeedsCopyCmd(instance)) {
+ // Node.path.join('.', 'cmd.exe') would return 'cmd.exe'
+ command.push(['.', 'cmd.exe'].join(Node.path.sep));
+ command.push('-ArgumentList');
+ command.push('"/C","execute.bat"');
+ options.cwd = instance.path;
+ } else {
+ // Escape characters for cmd using double quotes:
+ // Escape characters for PowerShell using single quotes:
+ // Escape single quotes for PowerShell using backtick:
+ // See: https://ss64.com/ps/syntax-esc.html
+ command.push('"\'' + instance.pathExecute.replace(/'/g, "`'") + '\'"');
+ }
 command.push('-WindowStyle hidden');
 command.push('-Verb runAs');
 command = command.join(' ');
- var child = Node.child.exec(command, { encoding: 'utf-8', cwd: instance.path },
+ var child = Node.child.exec(command, options,
 function(error, stdout, stderr) {
 // We used to return PERMISSION_DENIED only for error messages containing
 // the string 'canceled by the user'. However, Windows internationalizes
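Review bot: In the `else` branch the path is wrapped in a PowerShell single-quoted string, where a backtick is a literal character and a quote is escaped by doubling it, so ``.replace(/'/g, "`'")`` still lets a `'` in `instance.pathExecute` close the string early. This command string is passed to `Node.child.exec` and drives a `-Verb runAs` launch, so the quoting should hold on its own rather than depend on `WindowsNeedsCopyCmd` having routed such paths to the other branch. Suggested line: ``command.push('"\'' + instance.pathExecute.replace(/'/g, "''") + '\'"');``. The three `// Escape ...` comments each end in a colon with nothing after it; add the example each one announces or merge them into one sentence describing the quoting. `WindowsElevate` begins before and ends after this hunk.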