fix: 解决终端连接注入漏洞问题

backend/app/api/v1/terminal.go

@@ -163,11 +163,11 @@ func (b *BaseApi) ContainerWsSsh(c *gin.Context) {
 	}
 	defer wsConn.Close()
 
-	cmds := fmt.Sprintf("docker exec %s %s", containerID, command)
+	cmds := []string{"exec", containerID, command}
 	if len(user) != 0 {
-		cmds = fmt.Sprintf("docker exec -u %s %s %s", user, containerID, command)
+		cmds = []string{"exec", "-u", user, containerID, command}
 	}
-	stdout, err := cmd.Exec(cmds)
+	stdout, err := cmd.ExecWithCheck("docker", cmds...)
 	if wshandleError(wsConn, errors.WithMessage(err, stdout)) {
 		return
 	}

backend/utils/terminal/local_cmd.go

@@ -8,6 +8,7 @@ import (
 	"unsafe"
 
 	"github.com/1Panel-dev/1Panel/backend/global"
+	"github.com/1Panel-dev/1Panel/backend/utils/cmd"
 	"github.com/creack/pty"
 	"github.com/pkg/errors"
 )
@@ -26,6 +27,9 @@ type LocalCommand struct {
 }
 
 func NewCommand(commands string) (*LocalCommand, error) {
+	if cmd.CheckIllegal(commands) {
+		return nil, errors.New("There are invalid characters in the command you're executing.")
+	}
 	cmd := exec.Command("sh", "-c", commands)
 
 	pty, err := pty.Start(cmd)