Rewrite command validation so it get recognize by semgrep.

sonic-net · Nov 19, 2024 · 5fb0882 · 5fb0882
1 parent 892edae
commit 5fb0882
Showing 1 changed file with 19 additions and 1 deletion.
diff --git a/host_modules/docker_service.py b/host_modules/docker_service.py
@@ -103,6 +103,8 @@ def run(self, image, command, kwargs):
             client = docker.from_env()
             if not DockerService.validate_image(image):
                 return errno.EPERM, "Image {} is not allowed.".format(image)
+            if not DockerService.validate_command(command):
+                return errno.EPERM, "Command {} is not allowed.".format(command)
             container = client.containers.run(image, command, **kwargs)
             return 0, "Container {} has been started.".format(container.name)
         except docker.errors.ImageNotFound:
@@ -138,4 +140,20 @@ def validate_image(image):
         """
         base_image_name = image.split(":")[0]
         known_images = DockerService.get_used_images_name()
-        return base_image_name in known_images
+        return base_image_name in known_images
+
+
+    @staticmethod
+    def validate_command(command):
+        """
+        Validate the command.
+
+        Args:
+            command (str): The command to run in the container.
+
+        Returns:
+            bool: True if the command is allowed to be use for run/create command.
+        """
+        if command != "":
+            return False
+        return True