🛡️ Sentinel: [CRITICAL] Fix command injection in docker logs#78
Conversation
Co-authored-by: bobdivx <6737167+bobdivx@users.noreply.github.com>
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request addresses a critical command injection vulnerability in the Docker logs API route by replacing execSync with execFileSync and adding strict input validation for the containerId and tail parameters. It also documents this vulnerability in a new sentinel markdown file. The review feedback recommends refactoring the synchronous process execution (execFileSync) to an asynchronous approach (execFile wrapped in promisify) to prevent blocking the Node.js event loop and degrading API performance under concurrent load.
| import type { APIRoute } from 'astro'; | ||
| import { execSync } from 'child_process'; | ||
| import type { APIRoute } from "astro"; | ||
| import { execFileSync } from "child_process"; |
There was a problem hiding this comment.
Using synchronous process execution (execFileSync) blocks the single-threaded Node.js event loop. This can severely degrade the performance and responsiveness of the API under concurrent requests. It is highly recommended to use asynchronous execution instead.
import { execFile } from "child_process";
import { promisify } from "util";
const execFileAsync = promisify(execFile);| const output = execFileSync( | ||
| "docker", | ||
| ["logs", "--tail", tail, containerId], | ||
| { stdio: ["pipe", "pipe", "pipe"] }, | ||
| ).toString(); | ||
| logs = output.trim().split("\n"); |
There was a problem hiding this comment.
Refactor the synchronous execution to use the asynchronous execFileAsync to prevent blocking the event loop.
| const output = execFileSync( | |
| "docker", | |
| ["logs", "--tail", tail, containerId], | |
| { stdio: ["pipe", "pipe", "pipe"] }, | |
| ).toString(); | |
| logs = output.trim().split("\n"); | |
| const { stdout } = await execFileAsync( | |
| "docker", | |
| ["logs", "--tail", tail, containerId] | |
| ); | |
| logs = stdout.trim().split("\n"); |
1 participant
🚨 Severity: CRITICAL
💡 Vulnerability: Command injection vulnerability in
src/pages/api/docker-logs.tswhere unvalidatedidandtailquery parameters were directly interpolated into anexecSyncshell command.🎯 Impact: An attacker could execute arbitrary shell commands on the server running the API by providing crafted
idortailvalues.🔧 Fix: Refactored the endpoint to use
execFileSyncwith an array of arguments, entirely bypassing shell execution. Added strict input validation to ensure parameters only contain alphanumeric characters, hyphens, or underscores, and do not start with a hyphen to prevent flag injection.✅ Verification: Ran
pnpm run checkandpnpm testto ensure no regressions.PR created automatically by Jules for task 7391640736258588607 started by @bobdivx