fix: Escape container name in orphaned PR cleanup job

Add shell escaping with escapeshellarg() for container names in the docker rm command to prevent command injection. Also add validation to skip containers with missing names and log a warning. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-04-17 17:21:04 +00:00 · 2025-12-08 20:09:00 +01:00
parent 86a02a12e6
commit ebac90097a
1 changed files with 13 additions and 1 deletions
--- a/app/Jobs/CleanupOrphanedPreviewContainersJob.php
+++ b/app/Jobs/CleanupOrphanedPreviewContainersJob.php
@@ -179,6 +179,16 @@ class CleanupOrphanedPreviewContainersJob implements ShouldBeEncrypted, ShouldBe
    private function removeContainer($container, Server $server): void
    {
        $containerName = data_get($container, 'Names');
+
+        if (empty($containerName)) {
+            Log::warning('CleanupOrphanedPreviewContainersJob - Cannot remove container: missing container name', [
+                'container_data' => $container,
+                'server' => $server->name,
+            ]);
+
+            return;
+        }
+
        $applicationId = $this->extractApplicationId($container);
        $pullRequestId = $this->extractPullRequestId($container);

@@ -189,9 +199,11 @@ class CleanupOrphanedPreviewContainersJob implements ShouldBeEncrypted, ShouldBe
            'server' => $server->name,
        ]);

+        $escapedContainerName = escapeshellarg($containerName);
+
        try {
            instant_remote_process(
-                ["docker rm -f {$containerName}"],
+                ["docker rm -f {$escapedContainerName}"],
                $server,
                false
            );