From 0a0863b2ddeac23b22336d92be9b7befc3a8d37c Mon Sep 17 00:00:00 2001
From: Steven Nguyen
Date: Tue, 12 Mar 2024 21:50:21 +0100
Subject: [PATCH] Escape commands passed to run and execute
Each element in commands should be treated as a single argument so we should escape it as an argument to prevent anything from breakint out to execute anything else.
---
 src/Orchestration/Adapter/DockerCLI.php | 8 ++------
 tests/Orchestration/Base.php | 9 +++++++--
 2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/src/Orchestration/Adapter/DockerCLI.php b/src/Orchestration/Adapter/DockerCLI.php
index a24fc73..441cf95 100644
--- a/src/Orchestration/Adapter/DockerCLI.php
+++ b/src/Orchestration/Adapter/DockerCLI.php
@@ -312,9 +312,7 @@ public function run(string $image,
 $output = '';
 foreach ($command as $key => $value) {
- if (str_contains($value, ' ')) {
- $command[$key] = "'".$value."'";
- }
+ $command[$key] = \escapeshellarg($command[$key]);
 }
 $labelString = '';
@@ -389,9 +387,7 @@ public function execute(
 int $timeout = -1
 ): bool {
 foreach ($command as $key => $value) {
- if (str_contains($value, ' ')) {
- $command[$key] = "'".$value."'";
- }
+ $command[$key] = \escapeshellarg($command[$key]);
 }
 $parsedVariables = [];
diff --git a/tests/Orchestration/Base.php b/tests/Orchestration/Base.php
index 8679f6c..d3aec30 100644
--- a/tests/Orchestration/Base.php
+++ b/tests/Orchestration/Base.php
@@ -2,6 +2,7 @@
 namespace Utopia\Tests;
+use Utopia\CLI\Console;
 use PHPUnit\Framework\TestCase;
 use Utopia\Orchestration\Orchestration;
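Review bot: The switch to `\escapeshellarg()` in `run()` (and the identical loop in `execute()`) changes the contract for `$command` without documenting it: every element is now exactly one argument, so callers that pre-quoted values to get past the old space check will have their quote characters passed through literally, as the test change in this commit shows. I would state that on both loops, e.g. `// Each element becomes exactly one argument; pass raw values, do not quote them.`, and use the loop variable, `$command[$key] = \escapeshellarg($value);`. The escaping covers only `$command`; the label string built just below in `run()` and the variables parsed in `execute()` continue outside these hunks, so it is worth checking that those values are escaped the same way before they reach the shell. Both function bodies start and end outside the hunks.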
@@ -492,10 +493,14 @@ public function testUsageStats(): void
 $this->assertNotEmpty($containerId2);
 sleep(2);
+ $output = '';
+ Console::execute('docker ps -a', '', $output);
+ var_dump($output);
+
 // This allows CPU-heavy load check
 $output = '';
- static::getOrchestration()->execute($containerId1, ['screen', '-d', '-m', "'stress --cpu 1 --timeout 5'"], $output); // Run in screen so it's background task
- static::getOrchestration()->execute($containerId2, ['screen', '-d', '-m', "'stress --cpu 1 --timeout 5'"], $output);
+ static::getOrchestration()->execute($containerId1, ['screen', '-d', '-m', 'stress --cpu 1 --timeout 5'], $output); // Run in screen so it's background task
+ static::getOrchestration()->execute($containerId2, ['screen', '-d', '-m', 'stress --cpu 1 --timeout 5'], $output);
 // Set CPU stress-test start
 \sleep(1);
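Review bot: The added `Console::execute('docker ps -a', '', $output); var_dump($output);` in `testUsageStats()` looks like leftover debugging: it asserts nothing and prints the host's full container list into the test output, so it should be dropped together with the new `use Utopia\CLI\Console;` import. The updated `execute()` calls only exercise an argument that contains spaces; the commit's actual claim, that an element cannot break out of its argument, has no test. A case that passes an element containing a single quote or a `;` and asserts it reaches the container as one literal argument would pin that behaviour. The test method starts and ends outside the hunk.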