Escape commands passed to run and execute

Each element in commands should be treated as a single argument so we should escape it as an argument to prevent anything from breakint out to execute anything else.
utopia-php · May 10, 2024 · 450018e · 450018e
1 parent b5eaf86
commit 450018e
Showing 1 changed file with 2 additions and 6 deletions.
diff --git a/src/Orchestration/Adapter/DockerCLI.php b/src/Orchestration/Adapter/DockerCLI.php
@@ -312,9 +312,7 @@ public function run(string $image,
         $output = '';
 
         foreach ($command as $key => $value) {
-            if (str_contains($value, ' ')) {
-                $command[$key] = "'".$value."'";
-            }
+            $command[$key] = \escapeshellarg($command[$key]);
         }
 
         $labelString = '';
@@ -389,9 +387,7 @@ public function execute(
         int $timeout = -1
     ): bool {
         foreach ($command as $key => $value) {
-            if (str_contains($value, ' ')) {
-                $command[$key] = "'".$value."'";
-            }
+            $command[$key] = \escapeshellarg($command[$key]);
         }
 
         $parsedVariables = [];