From 1b34337fe822ac53a8af11212bb9f24dd03c693d Mon Sep 17 00:00:00 2001
From: Stuart Rowlands
Date: Thu, 7 Dec 2023 10:45:11 -0800
Subject: [PATCH] Wrap command run to support quotes & chaining.

---
 app/Http/Livewire/Project/Application/Command.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/app/Http/Livewire/Project/Application/Command.php b/app/Http/Livewire/Project/Application/Command.php
index 3ee89dbdf..933e94c21 100644
--- a/app/Http/Livewire/Project/Application/Command.php
+++ b/app/Http/Livewire/Project/Application/Command.php
@@ -90,11 +90,14 @@ class Command extends Component
 {
 $this->validate();
 try {
+ // Wrap command to prevent escaped execution in the host.
+ $cmd = 'sh -c "' . str_replace('"', '\"', $this->command) . '"';
+
 if (!empty($this->dir)) {
- $exec = "docker exec -w {$this->dir} {$this->container} {$this->command}";
+ $exec = "docker exec -w {$this->dir} {$this->container} {$cmd}";
 } else {
- $exec = "docker exec {$this->container} {$this->command}";
+ $exec = "docker exec {$this->container} {$cmd}";
 }
 $activity = remote_process([$exec], $this->server, ignore_errors: true);
 $this->emit('newMonitorActivity', $activity->id);
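Review bot: The added `$cmd` line still leaves the user-supplied command open to interpretation by the host shell, because inside the double-quoted wrapper only `"` is escaped while `$`, backticks and backslashes keep their shell meaning, so the comment's claim of preventing execution on the host does not hold for those inputs. Quote the whole argument instead of hand-escaping one character: `$cmd = 'sh -c ' . escapeshellarg($this->command);`. `{$this->dir}` and `{$this->container}` are interpolated unquoted on both new `$exec` lines and should get the same `escapeshellarg()` treatment unless `validate()` already restricts them to a safe character set, which is not visible here. Whether `remote_process()` adds a further quoting layer over SSH cannot be told from the hunk, and the method body starts and ends outside it.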