Add single quotes for inner command.

Change to bash as interpreter.
Forbid single quotes for user commands.

internal/api/runners.go

@@ -14,6 +14,7 @@ import (
 	"net/http"
 	"net/url"
 	"strconv"
+	"strings"
 )
 
 const (
@@ -31,6 +32,8 @@ const (
 	PrivilegedExecutionKey  = "privilegedExecution"
 )
 
+var ErrForbiddenCharacter = errors.New("use of forbidden character")
+
 type RunnerController struct {
 	manager      runner.Accessor
 	runnerRouter *mux.Router
@@ -160,6 +163,11 @@ func (r *RunnerController) execute(writer http.ResponseWriter, request *http.Req
 	if err := parseJSONRequestBody(writer, request, executionRequest); err != nil {
 		return
 	}
+	forbiddenCharacters := "'"
+	if strings.ContainsAny(executionRequest.Command, forbiddenCharacters) {
+		writeClientError(writer, ErrForbiddenCharacter, http.StatusBadRequest)
+		return
+	}
 
 	var scheme string
 	if config.Config.Server.TLS.Active {

internal/api/runners_test.go

@@ -236,6 +236,21 @@ func (s *RunnerRouteTestSuite) TestExecuteRoute() {
 
 		s.Equal(http.StatusBadRequest, recorder.Code)
 	})
+
+	s.Run("forbidden characters in command", func() {
+		recorder := httptest.NewRecorder()
+		executionRequest := dto.ExecutionRequest{
+			Command:   "echo 'forbidden'",
+			TimeLimit: 10,
+		}
+		body, err := json.Marshal(executionRequest)
+		s.Require().NoError(err)
+		request, err := http.NewRequest(http.MethodPost, path.String(), bytes.NewReader(body))
+		s.Require().NoError(err)
+
+		s.router.ServeHTTP(recorder, request)
+		s.Equal(http.StatusBadRequest, recorder.Code)
+	})
 }
 
 func TestUpdateFileSystemRouteTestSuite(t *testing.T) {