Fix SSH aliases with separate path lines on tcsh

[Copilot]

Fix aliases with separate path line failing on FreeBSD/tcsh

• Explore repository structure and locate the issue
• Identify root cause: environment variable assignment syntax incompatible with tcsh
• Update Runner.php to use env command for portable environment variable setting
• Verify code passes linting, PHPCS, and PHPStan checks
• Add test case to verify the fix
• Fix command injection vulnerability by escaping single quotes
• Add test case for single quote escaping
• Request final code review and security scan

Security Fix Applied

Fixed command injection vulnerability identified by @swissspidy where single quotes in alias paths could break out of the shell string. Now using str_replace("'", "'\\''", $encoded_alias) to properly escape single quotes before embedding in shell command.

Changes

1. Security fix: Escape single quotes in $encoded_alias to prevent command injection
2. Type safety: Added check for json_encode returning false
3. Test coverage: Added scenario to verify proper escaping of single quotes in paths

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Aliases with separate path line fail on FreeBSD/tcsh</issue_title>
<issue_description>## Bug Report

• [x ] Yes, I reviewed the contribution guidelines.
• [x ] Yes, more specifically, I reviewed the guidelines on how to write clear bug reports.

Describe the current, buggy behavior

When writing a WP-CLI config yml file, we have the option of appending the WordPress root directory path to the sss: line, or putting it on it's own path: line. Both seem to work without issues. The docs show samples with both lines being used.

However, if the server we are connecting to is a FreeBSD/tcsh one, only the single concatenated line works for aliasing.

For instance, the wp @domain plugin list does not work. None of them do.

Does not work:

@domain:
  ssh: domain
  path: /home/user/public_html

Does work:

@domain
  ssh: domain/home/user/public_html

The specific output when failing is:

WP_CLI_RUNTIME_ALIAS={"@domain":{"path":"\/home\/user\/public_html"}}: Command not found.

Describe how other contributors can replicate this bug

Access to the correct type of host. I haven't tested this on either FreeBSD only, or tcsh only...

Describe what you expect as the correct outcome

No errors and command would output what is wanted.

Let us know what environment you are running this on

wp @domain cli info
OS:     FreeBSD 14.3-RELEASE-p8 FreeBSD 14.3-RELEASE-p8 GENERIC amd64
Shell:  /bin/tcsh
PHP binary:     /usr/local/bin/php
PHP version:    8.4.16
php.ini used:   /usr/local/etc/php.ini
MySQL binary:   /usr/local/bin/mysql
MySQL version:  mysql  Ver 8.0.44 for FreeBSD14.3 on amd64 (Source distribution)
SQL modes:
WP-CLI root dir:        phar://wp-cli.phar/vendor/wp-cli/wp-cli
WP-CLI vendor dir:      phar://wp-cli.phar/vendor
WP_CLI phar path:       /home/user/public_html
WP-CLI packages dir:    /home/user/.wp-cli/packages/
WP-CLI global config:
WP-CLI project config:
WP-CLI version: 2.6.0

This was created per conversation had with @swissspidy on the #cli Slack Channel:
https://wordpress.slack.com/archives/C02RP4T41/p1770177817812479

</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Aliases with separate path line fail on FreeBSD/tcsh #6230

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.