From 5fb088234040dbfc0da409544b88f629d18cc46b Mon Sep 17 00:00:00 2001
From: Dawei Huang
Date: Tue, 19 Nov 2024 21:21:54 +0000
Subject: [PATCH] Rewrite command validation so it get recognize by semgrep.
---
 host_modules/docker_service.py | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/host_modules/docker_service.py b/host_modules/docker_service.py
index 4aac4643..275c33f8 100644
--- a/host_modules/docker_service.py
+++ b/host_modules/docker_service.py
@@ -103,6 +103,8 @@ def run(self, image, command, kwargs):
 client = docker.from_env()
 if not DockerService.validate_image(image):
 return errno.EPERM, "Image {} is not allowed.".format(image)
+ if not DockerService.validate_command(command):
+ return errno.EPERM, "Command {} is not allowed.".format(command)
 container = client.containers.run(image, command, **kwargs)
 return 0, "Container {} has been started.".format(container.name)
 except docker.errors.ImageNotFound:
@@ -138,4 +140,20 @@ def validate_image(image):
 """
 base_image_name = image.split(":")[0]
 known_images = DockerService.get_used_images_name()
- return base_image_name in known_images
\ No newline at end of file
+ return base_image_name in known_images
+
+
+ @staticmethod
+ def validate_command(command):
+ """
+ Validate the command.
+
+ Args:
+ command (str): The command to run in the container.
+
+ Returns:
+ bool: True if the command is allowed to be use for run/create command.
+ """
+ if command != "":
+ return False
+ return True
\ No newline at end of file
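Review bot: The new `validate_command` guard in `run` (hunk at -103) covers only the positional `command`, while `kwargs` is still forwarded unchanged into `client.containers.run(image, command, **kwargs)` on the next line. Unless `kwargs` is filtered earlier in `run` (the function starts outside this hunk), a caller-supplied option such as `entrypoint` would change what the container executes without passing through this check. Consider checking the keys of `kwargs` against an allowlist next to the image and command guards, and add a comment above them such as `# image, command and kwargs all come from the caller; reject anything not explicitly allowed`.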
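Review bot: `validate_command` (hunk at -138) accepts only the exact empty string, so `None` (docker-py's default when no command is given) and an empty list are both rejected with EPERM. That fails closed, but it is presumably not intended if callers may omit the command. If those forms should be equivalent, say so explicitly with `return command is None or command == ""`; otherwise keep the strict policy and collapse the body to `return command == ""`. The docstring should state the actual rule, for example `Only an empty command is allowed; any non-empty command is rejected.`, and "allowed to be use" should read "allowed to be used".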