[Bug]: ampersand & character not escaped by single-tick in cypress run #89

@petervandenabeele

Bug Description

When safe-chain is active, the escaping of special characters for the shell by placing them between single quotes fails.

Escaping with backslash still works.

See details below.

Steps to Reproduce

Please find below 1 failing example and 2 passing examples:

FAILING EXAMPLE:

Given:

Mac OS X 15.x
zsh

I had installed safe-chain globally:

npm install -g @aikidosec/safe-chain

This works as expected and added this line at the bottom of .zshrc:

➜  ~ tail -3 .zshrc

source ~/.safe-chain/scripts/init-posix.sh # Safe-chain Zsh initialization script

When:

I then run

 npx cypress run --env password='foo&bar'

Then:

The bar after the ampersand is not considered part of the password string, but is interpreted by zsh as "run this task in the background and try to run a bar command".

✔ Safe-chain: No malicious packages detected.
/bin/sh: bar: command not found
npm warn exec The following package was not found and will be installed: cypress@15.3.0
⠋
⠋
⠼
⠇
It looks like this is your first time using Cypress: 15.3.0

✔  Verified Cypress! /Users/peter_v/Library/Caches/Cypress/15.3.0/Cypress.app

Opening Cypress...

DevTools listening on ws://127.0.0.1:49814/devtools/browser/664...
Could not find a Cypress configuration file in this folder: ...
^C

PASSING EXAMPLE:

Given:

I commented out the activation of safe-chain in .zshrc and started a new terminal:

➜  ~ tail -3 .zshrc

# source ~/.safe-chain/scripts/init-posix.sh # Safe-chain Zsh initialization script

When:

In a newly opened terminal, I then run

 npx cypress run --env password='foo&bar'

Then:

npx runs as expected and escapes the content between '...' correctly as a string.

➜  ~ npx cypress run --env password='foo&bar'

DevTools listening on ws://127.0.0.1:50271/devtools/browser/9eaf21...
Could not find a Cypress configuration file in this folder: ...
➜  ~

SECOND PASSING EXAMPLE

Given:

I re-activated safe-chain in .zshrc and started a new terminal:

➜ ~ tail -3 .zshrc

source ~/.safe-chain/scripts/init-posix.sh # Safe-chain Zsh initialization script

When:

Using \ to escape the & in the password:

In a newly opened terminal, I then run

➜  ~ npx cypress run --env password='foo\&bar'

Then:

npx runs as expected and escapes the & correctly:

✔ Safe-chain: No malicious packages detected.

DevTools listening on ws://127.0.0.1:50311/devtools/browser/ca42ac97...
Could not find a Cypress configuration file in this folder: ...
➜  ~

Environment

  • OS: Mac OS 15.x
  • npm: 11.6.0
  • Cypress: 15.3.0

➜  ~ npm -g list | grep safe
├── @aikidosec/[email protected]
➜  ~ nvm current
v20.19.4

Error Logs

Additional Context

No response
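
Added example, not code from this issue or from safe-chain: the `/bin/sh: bar: command not found` line in the failing run is the symptom a wrapper produces when it joins its arguments into one string and hands that string to a second shell. The functions `wrap_broken`, `wrap_fixed` and `wrap_via_sh` are hypothetical, `printf '%s,'` is a constructed stand-in for the wrapped tool, and that safe-chain behaves like `wrap_broken` is an assumption; under it, the sketch also shows why a backslash inside the quotes appears to work.

```shell
#!/bin/sh
# Added example. The wrappers are hypothetical; they are not safe-chain's code.

# BROKEN: joins argv into one string and lets a second shell parse it.
# The user's quotes were consumed by the first shell, so '&' is live again.
wrap_broken() {
    sh -c "$*"
}

# FIXED: forward the argument vector unchanged; no second parse happens.
wrap_fixed() {
    "$@"
}

# FIXED (when a child shell is unavoidable): the script text is a constant and
# the arguments travel as positional parameters, never as shell source.
wrap_via_sh() {
    sh -c '"$@"' sh "$@"
}

# Run one wrapper on a constructed argv and report exit status and output.
# printf '%s,' stands in for the wrapped tool: it prints each argument it
# actually received, followed by a comma.
try() {
    w=$1; shift
    rc=0
    out=$("$w" printf '%s,' "$@" 2>&1) || rc=$?
    printf '%-12s exit=%-3s %s\n' "$w" "$rc" "$out"
}

demo() {
    for w in wrap_broken wrap_fixed wrap_via_sh; do
        # Mirrors: npx cypress run --env password='foo&bar'
        try "$w" run --env 'password=foo&bar'
        # Mirrors: npx cypress run --env password='foo\&bar'
        # (the second parse in wrap_broken eats the backslash)
        try "$w" run --env 'password=foo\&bar'
    done
}

demo
```

A wrapper that forwards arguments correctly delivers `password=foo\&bar` with the backslash intact, so the backslash form only looks like a fix while the double parse is in place.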

Labels: bug (Something isn't working)