From 4afcbbb2096df7db98663b2aeb93f315b85431a1 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 24 Mar 2026 07:09:24 +0100
Subject: [PATCH] fix(deployment): properly escape shell arguments in railpack
 prepare command

---
 app/Jobs/ApplicationDeploymentJob.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/Jobs/ApplicationDeploymentJob.php b/app/Jobs/ApplicationDeploymentJob.php
index 13511957f..f4ec4abda 100644
--- a/app/Jobs/ApplicationDeploymentJob.php
+++ b/app/Jobs/ApplicationDeploymentJob.php
@@ -2454,13 +2454,13 @@ private function build_railpack_image(): void
             $prepare_command .= " {$this->env_railpack_args}";
         }
         if ($this->application->build_command) {
-            $prepare_command .= " --build-cmd \"{$this->application->build_command}\"";
+            $prepare_command .= ' --build-cmd '.escapeShellValue($this->application->build_command);
         }
         if ($this->application->start_command) {
-            $prepare_command .= " --start-cmd \"{$this->application->start_command}\"";
+            $prepare_command .= ' --start-cmd '.escapeShellValue($this->application->start_command);
         }
         if ($this->application->install_command) {
-            $prepare_command .= " --env RAILPACK_INSTALL_CMD=\"{$this->application->install_command}\"";
+            $prepare_command .= ' --env '.escapeShellValue("RAILPACK_INSTALL_CMD={$this->application->install_command}");
         }
 
         $prepare_command .= " --plan-out /artifacts/railpack-plan.json {$this->workdir}";