Fix double-escaped SSH commands by Copilot · Pull Request #6240 · wp-cli/wp-cli

Copilot · 2026-02-12T22:54:34Z

Fix Double Escaped SSH Commands

Fixes the issue where SSH commands were double-escaped, making debug output unnecessarily complex.

Problem

Arguments were escaped twice - once in run_ssh_command() and again in generate_ssh_command(), resulting in:

ssh -q 'foo' -t 'wp '\''plugin'\'' '\''list'\'' '\''--debug'\'''

Solution

Implemented minimal quoting strategy - only quote arguments with characters outside [a-zA-Z0-9_=.\/:-]

Results

Before: ssh -q 'foo' -t 'wp '\''plugin'\'' '\''list'\'' '\''--debug'\'''
After: ssh -q 'foo' -t 'wp plugin list --debug'

Arguments with spaces/special chars still properly escaped:

ssh -q 'foo' -t 'wp post create '\''--post_title=My Title'\'''

Security

Two-layer escaping model maintained:

run_ssh_command(): Quote args with special chars for remote shell
generate_ssh_command(): Wrap entire command for local shell

Testing

Added Behat test scenario
Manual verification with various argument types
All linters pass (lint, phpcs, phpstan)
Security scanner pass (codeql)
Code review completed and comments addressed
Removed redundant docker-compose-run special case

Files Changed

php/WP_CLI/Runner.php: Modified run_ssh_command() with minimal quoting, removed redundant special case
features/aliases.feature: Added test for SSH command escaping

Original prompt

This section details on the original issue you should resolve

<issue_title>Double escaped SSH commands</issue_title>
<issue_description>When running a command over SSH (eg. via the --ssh flag or an @-alias), the contents of the command flag appears to be double escaped.

Example:
wp --ssh=foo plugin list --debug
Results in:
Running SSH command: ssh -q 'foo' -t 'wp '\''plugin'\'' '\''list'\'' '\''--debug'\'''
I would expect it to be:
Running SSH command: ssh -q 'foo' -t 'wp plugin list --debug'
The double escaping appears to come from two calls to escapeshellarg, first inside WP_CLI\Runner::run_ssh_command() and secondly within 8000 the corresponding condition in WP_CLI\Runner::generate_ssh_command() (and conditions above that for Docker, Vagrant, etc).

Is there a reason for the double escaping that I'm missing?</issue_description>

Comments on the Issue (you are @copilot in this section)
@danielbachhuber > Is there a reason for the double escaping that I'm missing?
Yes: I wrote bad code :) It's worth fixing.</comment_new>
<comment_new>@schlessera

after they are receiving the '

@marksabbath I'm not sure what you mean by that? I don't think we're directly adding quotes anywhere, they are only added by escapeshellarg(). Or am I missing something?</comment_new>

Fixes Double escaped SSH commands #4650

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>

…hars Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>

Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>

codecov · 2026-02-13T07:08:03Z

Codecov Report

❌ Patch coverage is 85.71429% with 1 line in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
php/WP_CLI/Runner.php	85.71%	1 Missing ⚠️

📢 Thoughts on this report? Let us know!

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

php/WP_CLI/Runner.php

The selective escaping approach now handles docker-compose-run uniformly with other schemes, so the special case that was rebuilding the command without escaping is no longer needed. Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>

Initial plan

b393f88

Copilot AI assigned Copilot and swissspidy Feb 12, 2026

Copilot started work on behalf of swissspidy February 12, 2026 22:55 View session

github-actions bot added the command:cli Related to 'cli' command label Feb 12, 2026

Copilot AI and others added 5 commits February 12, 2026 22:59

Remove double escaping in run_ssh_command

5cf9c4f

Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>

Use minimal quoting for SSH commands - only quote a 8000 rgs with special c…

5f2fcb1

…hars Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>

Use conservative regex for safe argument detection

607eee6

Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>

Add detailed comments explaining the security model

50e3cf9

Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>

Clarify safety of hyphens in command arguments with additional comments

7b14a38

Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>

Copilot AI changed the title ~~[WIP] Fix double escaped SSH commands in runner~~ Fix double-escaped SSH commands Feb 12, 2026

Copilot AI requested a review from swissspidy February 12, 2026 23:07

Copilot finished work on behalf of swissspidy February 12, 2026 23:07

swissspidy marked this pull request as ready for review February 19, 2026 22:08

swissspidy requested a review from a team as a code owner February 19, 2026 22:08

Copilot AI review requested due to automatic review settings February 19, 2026 22:08

Copilot started reviewing on behalf of swissspidy February 19, 2026 22:09 View session

This comment was marked as resolved.

Sign in to view

swissspidy and others added 3 commits February 19, 2026 23:29

Update features/aliases.feature

87ccd84

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Merge branch 'main' into copilot/fix-double-escaped-ssh-commands

39ee37a

Update test

cae778e

This comment was marked as resolved.

Sign in to view

swissspidy reviewed Mar 12, 2026

View reviewed changes

php/WP_CLI/Runner.php Outdated Show resolved Hide resolved

Copilot started work on behalf of swissspidy March 12, 2026 08:10 View session

Copilot AI requested a review from swissspidy March 12, 2026 08:14

Copilot finished work on behalf of swissspidy March 12, 2026 08:14

Merge branch 'main' into copilot/fix-double-escaped-ssh-commands

c2d1af1

swissspidy added this to the 3.0.0 milestone Mar 12, 2026

swissspidy merged commit 7aa203f into main Mar 12, 2026
70 checks passed

swissspidy deleted the copilot/fix-double-escaped-ssh-commands branch March 12, 2026 10:51

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix double-escaped SSH commands#6240

Fix double-escaped SSH commands#6240
swissspidy merged 11 commits intomainfrom
copilot/fix-double-escaped-ssh-commands

Uh oh!

Uh oh!

This comment was marked as resolved.

Uh oh!

This comment was marked as resolved.

This comment was marked as resolved.

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

Uh oh!