Quote input strings before constructing a command line

[qiluo-msft]

Quote input strings from function arguments before constructing a command line, so prevent of the bash script input injection.

man dash shows below section, which indicates the double quotes and escaping is enough for general use.

Double Quotes
 Enclosing characters within double quotes preserves the literal meaning of all characters except dollarsign ($), backquote (`), and backslash (\).  The backslash inside double quotes is historically weird, and serves to quote only the following characters:
       $ ` " \ <newline>.
 Otherwise it remains literal.

[pavel-shirshov]

We need some description for this PR #Resolved

[pavel-shirshov]

sonicbld@5de366018e18:~$ cat /sys/class/net/"$(echo hi)"/operstate    
cat: /sys/class/net/hi/operstate: No such file or directory

I still can execute commands even with quotes #ByDesign

[pavel-shirshov]

How can we be sure this regex is enough for everything?
Should we better create functions to check the input parameters and run them?
Our input parameters types are easy:

1. ip address
2. network mask
3. network device
4. number
5. string enum

[qiluo-msft]

Update the PR comment at the top with answer.
I agree case-by-case protection is also possible, this one is for general purpose.

[stcheng]

thanks

[banagiri]

@qiluo-msft in the api removeHostVlanMember, is the cmds having cmds as input instead of inner? or is this expected ?

cmds << BASH_CMD " -c " << shellquote(cmds.str());
instead of
cmds << BASH_CMD " -c " << shellquote(inner.str());