From ebac90097a60a855b6e358233445e2b7a9b1a3ba Mon Sep 17 00:00:00 2001 From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com> Date: Mon, 8 Dec 2025 20:09:00 +0100 Subject: [PATCH] fix: Escape container name in orphaned PR cleanup job MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add shell escaping with escapeshellarg() for container names in the docker rm command to prevent command injection. Also add validation to skip containers with missing names and log a warning. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- app/Jobs/CleanupOrphanedPreviewContainersJob.php | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/app/Jobs/CleanupOrphanedPreviewContainersJob.php b/app/Jobs/CleanupOrphanedPreviewContainersJob.php index 790ad1489..5d3bed457 100644 --- a/app/Jobs/CleanupOrphanedPreviewContainersJob.php +++ b/app/Jobs/CleanupOrphanedPreviewContainersJob.php @@ -179,6 +179,16 @@ private function isOrphanedContainer($container): bool private function removeContainer($container, Server $server): void { $containerName = data_get($container, 'Names'); + + if (empty($containerName)) { + Log::warning('CleanupOrphanedPreviewContainersJob - Cannot remove container: missing container name', [ + 'container_data' => $container, + 'server' => $server->name, + ]); + + return; + } + $applicationId = $this->extractApplicationId($container); $pullRequestId = $this->extractPullRequestId($container); @@ -189,9 +199,11 @@ private function removeContainer($container, Server $server): void 'server' => $server->name, ]); + $escapedContainerName = escapeshellarg($containerName); + try { instant_remote_process( - ["docker rm -f {$containerName}"], + ["docker rm -f {$escapedContainerName}"], $server, false );