Sanitize shell input

go.mod

@@ -3,6 +3,7 @@ module pak
 go 1.15
 
 require (
+	github.com/alessio/shellescape v1.4.1
 	github.com/pelletier/go-toml v1.8.2-0.20201124181426-2e01f733df54
 	github.com/rs/zerolog v1.20.0
 	github.com/spf13/pflag v1.0.5

go.sum

@@ -1,3 +1,5 @@
+github.com/alessio/shellescape v1.4.1 h1:V7yhSDDn8LP4lc4jS8pFkt0zCnzVJlG5JXy9BVKJUX0=
+github.com/alessio/shellescape v1.4.1/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPpyFjDCtHLS30=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=

main.go

@@ -20,6 +20,7 @@ package main
 
 import (
 	"fmt"
+	"github.com/alessio/shellescape"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	flag "github.com/spf13/pflag"
@@ -155,7 +156,7 @@ func main() {
 		cmdArr = append(cmdArr, strings.Join(args[1:], " "))
 	}
 	// Create space separated string from cmdArr
-	cmdStr := strings.Join(cmdArr, " ")
+	cmdStr := shellescape.QuoteCommand(cmdArr)
 	// Instantiate exec.Command object with command sh, flag -c, and cmdStr
 	command := exec.Command("sh", "-c", cmdStr)
 	// Set standard outputs for command