🛡️ Sentinel: [CRITICAL] Fix command injection in docker logs API

.jules/sentinel.md

@@ -0,0 +1,4 @@
+## 2024-11-28 - [Command Injection via execSync in API Routes]
+**Vulnerability:** Found a critical command injection vulnerability in `src/pages/api/docker-logs.ts` where unsanitized user query parameters (`id` and `tail`) were directly concatenated into a shell command (`docker logs --tail ${tail} ${containerId}`) and executed using `execSync`.
+**Learning:** Using `exec` or `execSync` with template strings containing user input is extremely dangerous, even for seemingly innocuous APIs. Additionally, we must check for flag injection (e.g., input starting with `-`).
+**Prevention:** Always use `execFile`, `execFileSync`, or `spawn` combined with an array of arguments to execute system commands. This bypasses the shell completely. Additionally, always explicitly validate user inputs to ensure they do not start with a hyphen (`-`) to prevent argument/flag injection into the target executable. Also sanitize error messages before returning them to avoid leaking sensitive internal system paths or structures.