Limit path to HESTIA_CMD dir only (hestiacp#2742)

* Limit path to HESTIA_CMD dir only

* Make suggested changes

Author: jaapmarcus

web/src/app/System/HestiaApp.php

@@ -16,8 +16,13 @@ public function __construct()
 
     public function run(string $cmd, $args, &$cmd_result=null): bool
     {
-        $cli_script = HESTIA_CMD . '/' . basename($cmd);
-        $cli_arguments = '';
+        $cli_script = realpath(HESTIA_CMD . '/' . $cmd);
+        if(!str_starts_with((string)$cli_script, HESTIA_CMD."/" )){
+            $errstr = "$cmd is trying to traverse outside of " .HESTIA_CMD;
+            trigger_error($errstr);
+            throw new \Exception($errstr);   
+        }
+        $cli_script = escapeshellarg($cli_script);
 
         if (!empty($args) && is_array($args)) {
             foreach ($args as $arg) {