🛡️ Sentinel: [CRITICAL] Fix command injection in docker logs API#82
🛡️ Sentinel: [CRITICAL] Fix command injection in docker logs API#82bobdivx wants to merge 1 commit into
Conversation
Co-authored-by: bobdivx <6737167+bobdivx@users.noreply.github.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request addresses a command injection vulnerability in the Docker logs API endpoint by replacing shell-based execution with execFileAsync and introducing input validation. Feedback on these changes suggests relaxing the regex validation to accommodate valid Docker container names (which may include dots or leading slashes) and the 'all' option for the tail parameter. Additionally, simplifying the stdout and stderr merging logic using filter(Boolean) is recommended to improve readability and handle empty lines more cleanly.
| // Commande Docker pour récupérer les logs | ||
| const command = `docker logs --tail ${tail} ${containerId}`; | ||
| // Validation stricte pour éviter l'injection de commandes/flags | ||
| if (!/^[a-zA-Z0-9_-]+$/.test(containerId) || !/^\d+$/.test(tail)) { |
There was a problem hiding this comment.
Issue: Overly Restrictive Regex Validation
Docker container names can contain dots (.) and often start with a leading slash (/) when retrieved from the Docker API (e.g., /my-container). The current regex /^[a-zA-Z0-9_-]+$/ will reject these valid names, causing the API to return a 400 error and breaking the logs view for those containers.
Additionally, the tail parameter in Docker logs can accept "all" to retrieve all logs. Restricting it to only digits /^\d+$/ prevents this valid use case.
Recommendation
Update the regex to:
- Allow an optional leading slash and dots in the container ID/name.
- Ensure the container ID/name starts with an alphanumeric character (or a slash followed by one) to prevent flag injection (e.g., passing
--helpas a container ID). - Allow
"all"as a valid value fortail.
| if (!/^[a-zA-Z0-9_-]+$/.test(containerId) || !/^\d+$/.test(tail)) { | |
| if (!/^\/?[a-zA-Z0-9][a-zA-Z0-9_.-]*$/.test(containerId) || !/^(?:\d+|all)$/.test(tail)) { |
| logs = stdout ? stdout.trim().split('\n') : []; | ||
| if (stderr && stderr.trim().length > 0 && logs.length === 0) { | ||
| logs = stderr.trim().split('\n'); | ||
| } else if (stderr && stderr.trim().length > 0) { | ||
| logs.push(...stderr.trim().split('\n')); | ||
| } |
There was a problem hiding this comment.
Improvement: Simplify stdout/stderr Merging
The current logic for merging stdout and stderr is verbose and can introduce empty strings into the logs array if stdout or stderr contains only whitespace.
Using filter(Boolean) simplifies the merging logic, improves readability, and ensures no empty lines are added.
const stdoutLines = stdout ? stdout.trim().split('\n').filter(Boolean) : [];
const stderrLines = stderr ? stderr.trim().split('\n').filter(Boolean) : [];
logs = [...stdoutLines, ...stderrLines];1 participant
🚨 Severity: CRITICAL
💡 Vulnerability: The
docker-logs.tsAPI route constructed a shell command using raw, unsanitized user inputs (idandtailquery parameters) via string interpolation and executed it usingexecSync. This allowed arbitrary command injection.🎯 Impact: An attacker could inject malicious shell commands (e.g., using
;or&&) through theidortailparameters to achieve Remote Code Execution (RCE) on the server running the API.🔧 Fix: Refactored the endpoint to use
execFileAsyncwith an array of arguments, bypassing the shell. Additionally, strict regex validation was added to theidandtailparameters to prevent argument/flag injection.✅ Verification: Run
pnpm testandpnpm run checkto verify the code behaves as expected.PR created automatically by Jules for task 6683742158593781981 started by @bobdivx