shlex (cargo)

Split a string into shell words, like Python's shlex.

Audits

Patrick Elsen, 2026-06-02

shlex@2.0.1 · 2 findings

Audit of shlex 2.0.1, a small POSIX-shell-word splitter/quoter (split, try_quote, try_join, Shlex iterator). Matches upstream Git byte-for-byte; no dependencies, no I/O, no concurrency, no build script. The byte-level parser is panic-free and the string-typed unsafe UTF-8 wrappers in lib.rs are sound. Two informational findings: a documented threat-model caveat (output not safe for interactive shells) and the soundness analysis for the unsafe blocks. Includes the RUSTSEC-2024-0006 fix.

has-binaries, has-build-exec, has-fuzz-tests, has-install-exec, has-integration-tests, has-property-tests, has-unit-tests, impl-algorithm, impl-concurrency, impl-crypto, impl-datastructure, impl-interpreter, impl-jit, impl-parser, impl-protocol, is-benign, parser-impl-correct, parser-impl-safe, parser-impl-tested, unsafe-documented, unsafe-minimal, unsafe-safe, unsafe-tested, uses-concurrency, uses-crypto, uses-environment, uses-exec, uses-filesystem, uses-interpreter, uses-jit, uses-network, uses-unsafe
Patrick Elsen, 2026-05-27

shlex@1.3.0

shlex 1.3.0 is the post-CVE remediation release of a small no_std POSIX shell word-splitter/quoter; five from_utf8_unchecked calls are all justified by a documented byte-level UTF-8 invariant and exercised by upstream fuzz harnesses. No findings; safe to deploy for non-interactive shell quoting.
