🛡️ Sentinel: [CRITICAL] Fix Command Injection in docker logs

[bobdivx]

🚨 Severity: CRITICAL
💡 Vulnerability: User input (id and tail) was passed directly into a shell command string evaluated by execSync in the docker-logs API endpoint.
🎯 Impact: An attacker could perform arbitrary command execution by passing a malicious payload like id=fake-container; echo 'vulnerable'.
🔧 Fix: Refactored the endpoint to use execFileSync passing arguments as an array, bypassing shell evaluation. Added regex validation to block invalid characters and leading hyphens (preventing flag injection). Sanitized the tail parameter by parsing it strictly as an integer.
✅ Verification: pnpm run check and pnpm test pass. The fix ensures that inputs containing command separators or flags are rejected safely.

---

PR created automatically by Jules for task 8291986119183605751 started by @bobdivx

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
forge	Ready	Preview, Comment	May 10, 2026 5:53pm

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[gemini-code-assist]

Code Review

This pull request fixes a command injection vulnerability in the Docker logs API by replacing string-interpolated execSync calls with execFileSync and adding strict input validation for the containerId and tail parameters. Review feedback suggests further optimizing the implementation by using asynchronous execFile to prevent blocking the event loop and improving the log parsing logic to handle different line endings and empty outputs more robustly.

[gemini-code-assist]

Using synchronous child process methods like execFileSync in an asynchronous API route blocks the Node.js event loop, which can severely impact the performance and scalability of the server. It is recommended to use the asynchronous execFile version, ideally promisified to maintain clean async/await syntax, as seen in other parts of the codebase (e.g., src/pages/api/docker/containers.ts).

import { execFile } from 'child_process';
import { promisify } from 'util';

const execFileAsync = promisify(execFile);

[gemini-code-assist]

Switching to the asynchronous execFileAsync prevents blocking the event loop while waiting for the Docker command to complete. This is especially important for log retrieval which might take some time depending on the container's output.

        const { stdout: output } = await execFileAsync('docker', ['logs', '--tail', tailParam, containerId], {
          encoding: 'utf-8'
        });

[gemini-code-assist]

The current split logic can result in an array containing an empty string if the output is empty or contains only whitespace. Using a regex for line breaks and filtering out empty strings ensures a cleaner result and better compatibility with different operating systems (handling \r\n).

Suggested change

	logs = output.trim().split('\n');
	logs = output.trim().split(/\r?\n/).filter(Boolean);