
Potential fix for code scanning alert no. 1: Uncontrolled command line #82

Merged: karam-ajaj merged 1 commit into main from alert-autofix-1 on Jan 2, 2026


@karam-ajaj (Owner)

Potential fix for https://github.com/karam-ajaj/atlas/security/code-scanning/1

In general, to fix uncontrolled command line usage, any user-provided value that influences a command should be either (a) selected from a hard-coded allowlist or (b) passed through strict validation that limits it to safe characters and reasonable length, and commands should be invoked with shell=False and argument lists.

In this file, the Docker container branch in stream_log already uses validate_container_name before building cmd. The remaining untrusted influence is the filename path segment for log files. We should introduce a validate_log_filename helper that mirrors the container name validation but is tailored to filenames, and apply it before constructing the filepath and cmd. The helper should reject empty names, overly long names, names with path separators (/ or \), and characters outside a conservative set such as letters, digits, dots, underscores, and hyphens. This keeps existing behavior (reading logs from within LOGS_DIR) while ensuring that only simple file names are accepted; deeper directory traversal remains blocked by the existing os.path.commonpath check.

Concretely:

  • Add a new function validate_log_filename(name: str) -> str near validate_container_name that raises HTTPException with 400 for invalid input.
  • In stream_log, inside the else branch (non-container: case), call validate_log_filename(filename) and use the returned safe value when building the path.
  • Keep the rest of the logic (path normalization, commonpath check, existence check, tail invocation) unchanged.

All required imports (HTTPException, re, os, subprocess) are already present; no new imports are necessary.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@karam-ajaj karam-ajaj marked this pull request as ready for review January 2, 2026 19:03
Copilot AI review requested due to automatic review settings January 2, 2026 19:03
@karam-ajaj karam-ajaj merged commit 6ecfe69 into main Jan 2, 2026
5 checks passed
Copilot AI (Contributor) left a comment

Pull request overview

This PR addresses a code scanning security alert by adding input validation to prevent uncontrolled command line injection in the log streaming endpoint. The fix introduces a new validation function for log filenames and applies it before constructing file paths and passing them to subprocess calls.

  • Adds validate_log_filename() function following the same pattern as existing validate_container_name() validation
  • Applies validation to the stream_log endpoint's non-container branch before file path construction
  • Uses character whitelisting and path separator rejection to prevent directory traversal and command injection

Comment thread config/scripts/app.py
Comment on lines +268 to +269
if not re.fullmatch(r"[a-zA-Z0-9._-]+", name):
raise HTTPException(status_code=400, detail="Invalid log filename format")
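
Review bot: the character class on the first line, [a-zA-Z0-9._-]+, is satisfied by names made only of dots, so "." and ".." pass this check and are stopped only by the later path checks. Requiring an alphanumeric first character, for example [a-zA-Z0-9][a-zA-Z0-9._-]*, rejects them at this point and also rules out names that begin with "-" or "."; re.fullmatch is the right call here because it does not accept a trailing newline.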

Copilot AI Jan 2, 2026


The validation regex allows dots in filenames, which could potentially be used for path traversal via sequences like .. (parent directory). While the os.path.normpath and os.path.commonpath checks on lines 296-298 provide defense in depth, it would be safer to either disallow consecutive dots or add explicit validation to reject names containing .. sequences before the path construction step. This would provide earlier detection of malicious input.

@karam-ajaj karam-ajaj deleted the alert-autofix-1 branch January 2, 2026 19:10
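
The filename validation described in the pull request, combined with the review comment's suggestion to reject .. before the path is built, as an added example that is not the project's code. The LOGS_DIR value, the length limit and the tail flags are assumptions, and ValueError stands in for the HTTPException 400 so the block runs without a web framework.

```python
import os
import re

LOGS_DIR = "/config/logs"   # assumed value; the page only names LOGS_DIR
MAX_NAME_LEN = 128          # assumed limit; the page says "overly long" without a number
SAFE_NAME = re.compile(r"[a-zA-Z0-9._-]+")  # pattern quoted in the review thread

def validate_log_filename(name: str) -> str:
    """Return name unchanged if it is a simple file name, else raise ValueError."""
    if not name:
        raise ValueError("empty")
    if len(name) > MAX_NAME_LEN:
        raise ValueError("too long")
    if "/" in name or "\\" in name:
        raise ValueError("path separator")
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("invalid character")
    # The pattern alone accepts "." and "..", so reject dot-only names and
    # any ".." sequence before a path is built (the reviewer's suggestion).
    if name == "." or ".." in name:
        raise ValueError("dot sequence")
    return name

def build_tail_argv(filename: str, logs_dir: str = LOGS_DIR) -> list:
    """Validate, resolve under logs_dir, and return an argv list for shell=False."""
    safe = validate_log_filename(filename)
    base = os.path.normpath(logs_dir)
    path = os.path.normpath(os.path.join(base, safe))
    # Defense in depth: the resolved path must stay strictly inside logs_dir.
    if path == base or os.path.commonpath([base, path]) != base:
        raise ValueError("outside logs dir")
    # tail flags are assumed; each element is one argument, no shell parsing.
    return ["tail", "-n", "100", "-f", "--", path]

def classify(filename: str) -> str:
    """Return "ok" or the rejection reason for a candidate file name."""
    try:
        build_tail_argv(filename)
        return "ok"
    except ValueError as exc:
        return str(exc)

if __name__ == "__main__":
    # Constructed sample inputs, not taken from the project.
    for sample in ["atlas.log", "", "..", "../secret", "scan.log;id", "a" * 200]:
        print(repr(sample[:20]), "->", classify(sample))
```

The returned list is meant to be passed to subprocess with shell=False, so the validated path reaches tail as a single argument.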