Potential fix for code scanning alert no. 1: Uncontrolled command line

[karam-ajaj]

Potential fix for https://github.com/karam-ajaj/atlas/security/code-scanning/1

General approach: Ensure that all user-controlled values that influence the subprocess command line are strictly validated/normalized before being used, and that CodeQL can clearly see this validation. Continue to avoid shell=True, keep commands as hard-coded literals, and only allow benign, tightly constrained arguments that are necessary for functionality.

Best concrete fix here, without changing existing behavior:

1. Keep using list-style subprocess invocations (already safe).
2. Make the log filename handling more explicit and clearly separate “raw user input” from “trusted, validated value.” We already do this with safe_filename and validate_log_filename, but CodeQL’s taint trace suggests it still considers the value “tainted” when used to build filepath and then cmd.
3. Slightly tighten validate_log_filename by:
   • Clearly documenting it is only for simple filenames (no directories).
   • Keeping the prohibition against / and \.
   • Keeping the safe regex and length check.
4. Ensure the only values that can reach cmd are:
   • Hard-coded command literals ("docker", "logs", "tail", flags).
   • safe_container from validate_container_name.
   • filepath derived from safe_filename with strong directory confinement (os.path.commonpath).

Since all of this is already largely implemented, the change is minimal; we mainly clarify and preserve the existing safe pattern so the data flow is obviously constrained. There is no need for new imports or additional helper methods beyond what’s already present in the snippet.

Concretely, in config/scripts/app.py:

• Keep the existing validators, possibly tightening comments/intent but not relaxing any constraint.
• Preserve the current cmd construction in stream_log, which already uses only validated values and a safe, non-shell subprocess call.

No functional behavior is changed: the same filenames and container names that were allowed before remain allowed, and the same subprocess calls are made, but the code remains explicitly and defensively structured around validation.

---

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

[Copilot]

Pull request overview

This PR adds documentation comments to two existing validation functions (validate_container_name and validate_log_filename) in the FastAPI backend. The PR aims to address a CodeQL security alert about uncontrolled command line execution by improving code clarity around input validation.

Key changes:

• Added clarifying comment to validate_container_name function
• Enhanced documentation for validate_log_filename with detailed NOTE about restrictions