Closed
Description
This code appears to use child processes but doesn't sanitize the input. A project I was working on used this code for something like the following to run something in a container of the user's choosing:
docker.command('run <...> -d ' + containerName).then(...)If the user just entered a semicolon after the container name, they could easily inject/run arbitrary commands on the host machine.
It's easy enough to only allow valid container names and nothing more in this instance, but the problem was not knowing that there was no sanitization being done behind the scenes. A more ambitious goal might be to make sure no malicious user input can get through, but until that's implemented there should at least be a note in the documentation about it.