chore: Implement security fixes (#683)

* chore: Update Dockerfile to use non-root user

* fix(anta): Update regexp syntax for better readability

* Update Dockerfile

* Update Dockerfile

* Update Dockerfile

* Update Dockerfile

* fix(anta): Update regexp syntax for better readability

---------

Co-authored-by: Matthieu Tâche <mtache@arista.com>

Dockerfile

@@ -10,17 +10,24 @@ RUN pip install --upgrade pip
 WORKDIR /local
 COPY . /local
 
-ENV PYTHONPATH=/local
-ENV PATH=$PATH:/root/.local/bin
+RUN python -m venv /opt/venv
 
-RUN pip --no-cache-dir install --user .
+
+ENV PATH="/opt/venv/bin:$PATH"
+
+RUN apk add --no-cache build-base # Add build-base package
+RUN pip --no-cache-dir install "." &&\
+    pip --no-cache-dir install ".[cli]"
 
 # ----------------------------------- #
 
 ### BASE
 
 FROM python:${PYTHON_VER}-${IMG_OPTION} AS BASE
 
+# Add a system user
+RUN adduser --system anta
+
 # Opencontainer labels
 # Labels version and revision will be updating
 # during the CI with accurate information
@@ -40,7 +47,12 @@ LABEL   "org.opencontainers.image.title"="anta" \
         "org.opencontainers.image.revision"="dev" \
         "org.opencontainers.image.version"="dev"
 
-COPY --from=BUILDER /root/.local/ /root/.local
-ENV PATH=$PATH:/root/.local/bin
+# Copy artifacts from builder
+COPY --from=BUILDER /opt/venv /opt/venv
+
+# Define PATH and default user
+ENV PATH="/opt/venv/bin:$PATH"
+
+USER anta
 
-ENTRYPOINT [ "/root/.local/bin/anta" ]
+ENTRYPOINT [ "/opt/venv/bin/anta" ]

anta/cli/exec/utils.py

@@ -60,7 +60,7 @@ async def collect_commands(
     async def collect(dev: AntaDevice, command: str, outformat: Literal["json", "text"]) -> None:
         outdir = Path() / root_dir / dev.name / outformat
         outdir.mkdir(parents=True, exist_ok=True)
-        safe_command = re.sub(r"(/|\|$)", "_", command)
+        safe_command = re.sub(r"[\\\/\s]", "_", command)
         c = AntaCommand(command=command, ofmt=outformat)
         await dev.collect(c)
         if not c.collected: