🛡️ Sentinel: [CRITICAL] Fix command injection in docker-logs

[bobdivx]

🚨 Severity: CRITICAL
💡 Vulnerability: Command injection in src/pages/api/docker-logs.ts through un-sanitized containerId and tail query parameters.
🎯 Impact: Attackers could inject arbitrary shell commands, potentially gaining remote code execution on the server.
🔧 Fix: Replaced execSync with execFileAsync and passed arguments as a strictly formatted array, avoiding shell interpolation. Added flag injection mitigation via explicit hyphen checking on inputs.
✅ Verification: Ran pnpm test successfully. Prettier formatted. Journal entry created in .jules/sentinel.md.

---

PR created automatically by Jules for task 13569164561529663768 started by @bobdivx

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
forge	Ready	Preview, Comment	May 24, 2026 5:39pm

[gemini-code-assist]

Code Review

This pull request addresses a command injection vulnerability in the Docker logs API by replacing execSync with execFileAsync and implementing strict validation for the containerId and tail parameters. It also includes documentation of the fix and an increased timeout for unit tests. Feedback focuses on removing temporary utility scripts from the repository and refining the log parsing logic to correctly handle empty output by avoiding single-element arrays containing empty strings.

[gemini-code-assist]

This file appears to be a temporary script used to apply changes to the codebase. Such artifacts should not be committed to the repository as they clutter the source tree and are not part of the application's runtime or build process.

[gemini-code-assist]

This file seems to be a scratchpad or utility script used during development to modify tests. It should be removed from the pull request to maintain a clean repository structure.

[gemini-code-assist]

When the output string is empty (after trimming), split("\n") will return an array containing a single empty string [""] instead of an empty array []. This might lead to unexpected empty lines being displayed in the UI.

Suggested change

	logs = output.trim().split("\n");
	logs = output.trim() ? output.trim().split("\n") : [];

[gemini-code-assist]

Similar to the success case, if err.stderr results in an empty string after trimming, split("\n") will return [""]. It is better to return an empty array in such cases.

Suggested change

	logs = err.stderr.toString().trim().split("\n");
	logs = err.stderr.toString().trim() ? err.stderr.toString().trim().split("\n") : [];