From 450018e5c911b99e6b268f7a2f850a35475ad832 Mon Sep 17 00:00:00 2001
From: Steven Nguyen
Date: Tue, 12 Mar 2024 21:50:21 +0100
Subject: [PATCH] Escape commands passed to run and execute

Each element in commands should be treated as a single argument so we should escape it as an argument to prevent anything from breakint out to execute anything else.
---
 src/Orchestration/Adapter/DockerCLI.php | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/src/Orchestration/Adapter/DockerCLI.php b/src/Orchestration/Adapter/DockerCLI.php
index a24fc73..441cf95 100644
--- a/src/Orchestration/Adapter/DockerCLI.php
+++ b/src/Orchestration/Adapter/DockerCLI.php
@@ -312,9 +312,7 @@ public function run(string $image,
 $output = '';
 
 foreach ($command as $key => $value) {
- if (str_contains($value, ' ')) {
- $command[$key] = "'".$value."'";
- }
+ $command[$key] = \escapeshellarg($command[$key]);
 }
 
 $labelString = '';
@@ -389,9 +387,7 @@ public function execute(
 int $timeout = -1
 ): bool {
 foreach ($command as $key => $value) {
- if (str_contains($value, ' ')) {
- $command[$key] = "'".$value."'";
- }
+ $command[$key] = \escapeshellarg($command[$key]);
 }
 
 $parsedVariables = [];
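Review bot: In the loop in run(), and the identical one in execute(), `$value` is no longer used and the new contract is undocumented: every element of `$command` is now passed as one literal argument, so an element that carried shell syntax or its own quoting (previously passed through untouched when it contained no space) is no longer interpreted by the shell. I would write the loop as `$command = \array_map('escapeshellarg', $command);` and add a comment such as `// Each element is a single literal argument; shell metacharacters inside it are not interpreted.` escapeshellarg() also depends on LC_CTYPE and can silently drop multibyte characters under a non-UTF-8 locale, so the locale the process runs with is worth pinning down. Both function bodies continue outside the hunks, so whether the other values that end up on the docker command line (image, labels, variables) get the same escaping cannot be seen here and should be checked.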