update proxy e2e tests for new ui

[filipslezaklab]

No description provided.

To fix this issue, we should avoid constructing the shell command using interpolation and passing it to execSync() as a single string, as this allows shell interpretation of dynamic arguments such as file paths. Instead, we should use execFileSync() and pass the command and its arguments as an array, which gives the shell no opportunity to misinterpret path values, regardless of what they contain.

Specifically, change the construction in the dbRestore function on lines 12-15 so that:

• The base command (docker, not dockerCompose) is used as the executable.
• All subcommands ("compose", "-f", <dockerFilePath>, "exec", "db", "pg_restore", "--clean", "-U", "defguard", "-d", "defguard", "/tmp/db.dump") are passed as discrete arguments, with variables (paths) inserted only as elements of the array.

This requires adjusting both the use of dockerCompose and string interpolation, to use proper argument arrays.

Summary:

• In the block for dbRestore, replace the dynamic/interpolated string for restore with an array of arguments for execFileSync.
• Import execFileSync from child_process (it is not currently imported), and use it in place of execSync.
• Similar changes should be considered for other uses of execSync with command strings containing dynamic paths (though only line 14 is flagged for now).

---

To fix this vulnerability, commands executed by execSync should be refactored to avoid shell interpolation of environment-derived strings (a file path, in this case). Instead of constructing a shell command string with the file path embedded, use execFileSync from the child_process module, which accepts commands and arguments as separate parameters, preventing the shell from interpreting special characters in dynamic data. In file e2e/utils/docker.ts, change calls such as execSync(${dockerCompose} stop core) to use execFileSync, passing the command and relevant arguments as an array. This requires splitting up ${dockerCompose} (which is itself a string) into its components:

• command: 'docker'
• arguments: ['compose', '-f', dockerFilePath, 'stop', 'core']

Do the same for all similar cases in the file, including dbRestore and dockerRestart steps.
The refactor only needs to change lines calling execSync with shell-constructed string; other path calculation code remains untouched.
You'll also need to import execFileSync instead of (or in addition to) execSync.
Update the method implementations so all shell commands provide their dynamic data as arguments.

---

To fix this vulnerability, the shell command must avoid passing dynamic paths as part of the command string. Instead, use the execFileSync method from child_process, which allows you to specify the command and its arguments as an array, ensuring that special shell characters in paths are correctly handled as arguments and not interpreted by the shell.

• Edit all use of execSync shell commands that interpolate dockerFilePath or otherwise use paths derived from the environment.
• Specifically, update the dockerRestart function (lines 17–21) and dbRestore (lines 12–15), replacing commands like `${dockerCompose} start core` with argument arrays.
• To do so, construct argument arrays representing: ["compose", "-f", dockerFilePath, "stop", "core"], ["compose", "-f", dockerFilePath, "start", "core"], etc.
• Change all corresponding execSync calls to execFileSync.
• Import execFileSync from child_process at the top of the file.

---

General approach:
Replace the use of execSync with dynamically built shell commands with the safer alternative spawnSync (or execFileSync), providing the command and arguments as separate array entries. This avoids the shell interpreting the command string and any included special characters.

Detailed steps:

• In dockerUp in e2e/utils/setup.ts, instead of creating a literal string (command = ...) and passing it to execSync, construct the Docker command and its arguments as an array, and call spawnSync or execFileSync with shell: false.

• Adapt the call so that the executable is docker, the arguments are the split up version of dockerCompose plus the actual operation (up, --wait), and the file path (-f, ...).

• As dockerCompose is defined as a string like docker compose -f ${dockerFilePath}, for this fix, we should export the split-out elements instead (e.g., separate the command from its arguments).
  However, since we can only edit the provided snippets, and since dockerCompose is imported from the other file, we cannot change its representation in general—so we must minimally adjust within the constraints.

• The best edit, given the constraints, is to parse the space-separated dockerCompose into command and arguments directly in the edited region, or reconstruct them locally to remove string interpolation of untrusted data.

• After splitting/extracting, run with spawnSync instead of execSync for consistency and direct control of arguments.

Required changes:

• In e2e/utils/setup.ts, update the implementation of dockerUp (lines 20-22) to:
  • Replace the use of execSync(command) with a safe call to spawnSync, providing the exec and args as an array, not through the shell.
  • Parse dockerCompose safely to extract docker, arguments, and append the up/--wait suffix.
• Handle errors (throw if process fails, matching prior behavior).
• No additional imports are required, as spawnSync and execSync are already imported.

---

To fix this issue, instead of building a shell command string by concatenating environment-derived paths, we should use execFileSync, which executes the file directly with argument vectors instead of parsing a shell string. This ensures all special shell characters in arguments are handled safely, and cannot cause command injection.

• In e2e/utils/docker.ts, refactor usages of execSync where shell commands are built with tainted paths (including the exported dockerCompose string).
• Instead of exporting a string command (dockerCompose), export an object containing the command, and file path argument separately, i.e.:
  { cmd: 'docker', args: ['compose', '-f', dockerFilePath] }
• In dependent files (such as e2e/utils/teardown.ts), destructure and use those values with execFileSync, using the arguments array and adding any further CLI args (like "down") directly to the argument array.
• Add any missing imports of execFileSync (and preserve execSync only if needed for legacy code).

You only need to update code that is directly shown in the snippets.

• In e2e/utils/docker.ts, update the export and relevant usages.
• In e2e/utils/teardown.ts, update to use execFileSync, using arguments array.

No functionality change—just a safer way to invoke the same commands.

---