From 6bdefd9b795e17ebcca1d98229b950d3359a252e Mon Sep 17 00:00:00 2001
From: "Jakub K."
Date: Tue, 8 Oct 2024 14:15:48 +0200
Subject: [PATCH] Fix code scanning alert no. 48: Uncontrolled command line

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .../ProcessManagement/PluginProcesManager.cs | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/Dashboard/Dashboard.Broker/ProcessManagement/PluginProcesManager.cs b/Dashboard/Dashboard.Broker/ProcessManagement/PluginProcesManager.cs
index bcb9c16..e4cfb88 100644
--- a/Dashboard/Dashboard.Broker/ProcessManagement/PluginProcesManager.cs
+++ b/Dashboard/Dashboard.Broker/ProcessManagement/PluginProcesManager.cs
@@ -3,6 +3,7 @@
 using System.Diagnostics;
 using System.IO;
 using System.Security.Cryptography;
+using System.Linq;
 using System.Text;
 using Common.Logging;
 using Dashboard.Broker.DataAccess.Providers;
@@ -72,6 +73,11 @@ private Process ConfigureNewProcess(string fileLocation, string startingProgram,
         {
             var startingFile = Path.Combine(_brokerEnvironment.MapPath(fileLocation), startingProgram);
 
+            if (!IsValidConfiguration(configuration))
+            {
+                throw new ArgumentException("Invalid configuration parameter", nameof(configuration));
+            }
+
             var jobProcess = new Process
             {
                 StartInfo =
@@ -98,5 +104,11 @@ private string GetConfigurationCheckSum(PluginExecutionInfo executionInfo)
                 return BitConverter.ToString(cryptoProvider.ComputeHash(Encoding.UTF8.GetBytes(identifier)));
             }
         }
+
+        private bool IsValidConfiguration(string configuration)
+        {
+            // Allow only alphanumeric characters and a few safe symbols
+            return configuration.All(c => char.IsLetterOrDigit(c) || c == '-' || c == '_' || c == '.');
+        }
     }
 }
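Review bot: A null `configuration` is not handled by the new guard: `IsValidConfiguration` dereferences it through `configuration.All(...)`, so the caller gets an ArgumentNullException naming `source` instead of the ArgumentException naming `configuration` that this line intends to throw. If null is never legitimate, guard it explicitly, `if (configuration == null || !IsValidConfiguration(configuration))`; if an absent configuration is allowed, the check should skip null rather than throw. The guard also runs only after `Path.Combine(_brokerEnvironment.MapPath(fileLocation), startingProgram)` has executed; moving it above that line lets the method fail fast before touching the environment. `fileLocation` and `startingProgram` reach Path.Combine with no equivalent check — if they originate from the same plugin-supplied data as `configuration` (the caller is not visible here), they warrant the same treatment. The rest of ConfigureNewProcess, including the StartInfo that presumably consumes `configuration`, lies outside the hunk.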
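Review bot: `char.IsLetterOrDigit` accepts letters and digits from every Unicode category, so the allowlist is wider than the comment's "alphanumeric" suggests; it still rejects whitespace, quotes and the usual shell metacharacters, but if an ASCII-only rule was intended it should be spelled out, e.g. `(c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')` in place of `char.IsLetterOrDigit(c)`. A null argument is not handled — `configuration.All` throws ArgumentNullException for `source` — so either prefix the expression with `configuration != null &&` or document that callers must never pass null. An empty string passes, because `All` over an empty sequence is true; confirm that an empty configuration is acceptable to whatever consumes it downstream. The method reads no instance state and can be declared `private static bool IsValidConfiguration(string configuration)`, and an XML `<summary>` naming the exact allowlist (letters, digits, '-', '_', '.') would make the contract visible to callers.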