shlex
The shlex library provides shell-style string quoting and splitting, matching Python’s shlex module. Use it to safely build command lines for subprocess or to parse shell-like input.
Available Functions
| Function | Description |
|---|---|
quote(s) |
Escape a string for use as a single shell argument. |
split(s) |
Split a string into shell-style tokens. |
join(split_command) |
Join a list of arguments into a shell-quoted string. |
Functions
quote(s)
Returns a shell-escaped version of s. If the string contains only safe characters ([a-zA-Z0-9_@%+=:,./-]) it is returned unchanged; otherwise it is wrapped in single quotes with embedded single quotes escaped.
Parameters: s (str): The string to escape.
Returns: str: the shell-safe string.
import shlex
shlex.quote("a b c") # "'a b c'"
shlex.quote("simple") # "simple"
shlex.quote("it's") # "'it'\"'\"'s'"
shlex.quote("") # "''"
# Build a safe command line
cmd = "grep " + shlex.quote(user_input)split(s)
Parses s using shell-style rules for quoting and escaping, returning a list of tokens.
- Single quotes (
'…'): everything is literal. - Double quotes (
"…"): everything is literal except a backslash before",\,$, or`. - Backslash (outside single quotes): escapes the next character.
Parameters: s (str): The string to split.
Returns: list[str]: the parsed tokens.
Raises: Error on unterminated quotes or a trailing backslash.
import shlex
shlex.split("mycommand --flag value")
# ["mycommand", "--flag", "value"]
shlex.split('cmd --flag="quoted value"')
# ["cmd", "--flag=quoted value"]
shlex.split("ls 'My Documents'")
# ["ls", "My Documents"]join(split_command)
Quotes each argument with quote() and joins them with spaces, producing a single shell-safe command-line string.
Parameters: split_command (list[str]): The arguments to join.
Returns: str: the shell-quoted command line.
import shlex
shlex.join(["ls", "-la", "My Documents"])
# "ls -la 'My Documents'"
# round trip
shlex.join(shlex.split("grep 'hello world' file.txt"))
# "grep 'hello world' file.txt"Security Considerations
shlex does not access the filesystem and requires no allowedPaths. It is a pure string-processing library.
Use quote() to prevent shell injection when constructing command strings for subprocess:
import shlex, subprocess
# SAFE: user input is quoted
subprocess.run(shlex.split("echo " + shlex.quote(user_input)))See Also
- subprocess: Running external commands