Closed tcompa closed 18 hours ago
The new function validate_cmd
is to be placed in https://github.com/fractal-analytics-platform/fractal-server/blob/main/fractal_server/string_tools.py, and used in front of any subprocess.run
or FractalSSH.run_command
call.
If we move https://github.com/fractal-analytics-platform/fractal-server/blob/main/fractal_server/app/runner/run_subprocess.py up one level, we could include validate_cmd
in this wrapper and then try to always use the wrapper rather than the raw function.
validate_cmd
as described above (exceptions from the linked list: /
, "
, '
, ~
) - in string-toolssanitize_cmd
, with the same logicvalidate_cmd
explicitly before any call to subprocess.run
and any fabric.Connection.run
(e.g. self._connection.run
somewhere)
A couple of examples are the
FractalSSH.remove_folder
method https://github.com/fractal-analytics-platform/fractal-server/blob/05474dbf6b18848b893b994c50ed9d2e6777bba8/fractal_server/ssh/_fabric.py#L291-L308 or the followingTaskCollectCustomV2
validator: https://github.com/fractal-analytics-platform/fractal-server/blob/fd3503ccdcffd429391fffb4f728ae4fca0b9998/fractal_server/app/schemas/v2/task_collection.py#L146-L155Rather than re-defining this validation layer in multiple places, we should have a single validation function similar to these examples, and apply it every time we call e.g.
subprocess.run
orfabric.Connection.run
.