Description
Chatbot: The cohort value flowing from the TSV into this process is interpolated without quoting into the --output parameter of the talos.validate_moi invocation, alongside the optional history_arg. An attacker controlling cohort (or a file path used in history_arg) could inject shell metacharacters so the generated script line contains extra commands (for example --output foo.json; rm -rf /), leading to arbitrary command execution. This should be mitigated by validating and/or shell-escaping these values before use, or by passing them as structured Nextflow inputs instead of embedding them directly into the script string.
Could use a string replacement, e.g.
https://stackoverflow.com/questions/36426677/removing-special-characters-from-a-string-in-a-groovy-script
// strips everything except ASCII letters and digits from cohort before it is interpolated into the script
def clean_cohort = cohort.replaceAll("[^a-zA-Z0-9]+","")
Plugins? Not really the right type of sanitisation
https://training.nextflow.io/2.8.1/hello_nf-core/05_input_validation/
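The following is an added example written for this issue, not the project's own process definition: a hypothetical Nextflow DSL2 process showing the interpolation pattern the report describes, followed by a hardened version. The process name, the `python -m talos.validate_moi` command line, the `--history` flag and the `NO_FILE` placeholder convention are all assumptions; the real module may differ.

```groovy
// Added example, not the project's code. Assumed: the tool is invoked as
// `python -m talos.validate_moi`, and an absent history file is signalled
// by a placeholder named NO_FILE (a common Nextflow optional-input idiom).

// BEFORE: cohort and history_arg are interpolated straight into the script
// string. Nextflow builds .command.sh as text, so a cohort value such as
// "foo.json; rm -rf /" yields the line
//   python -m talos.validate_moi --output foo.json; rm -rf /.json
// and bash runs the second command.
process VALIDATE_MOI_UNSAFE {
    input:
    val cohort
    path history

    output:
    path "${cohort}.json"

    script:
    def history_arg = history.name == 'NO_FILE' ? '' : "--history ${history}"
    """
    python -m talos.validate_moi --output ${cohort}.json ${history_arg}
    """
}

// AFTER: reject instead of silently stripping. `==~` is Groovy's full-match
// operator, so the entire value must consist of allowlisted characters;
// `error` aborts the run with the given message. The leading-'-' check stops
// a value from being parsed as another option. The history file arrives as a
// `path` input, so the script only ever sees the staged basename, and that
// basename is checked with the same allowlist because an attacker who names
// the file controls it too.
process VALIDATE_MOI {
    input:
    val cohort
    path history

    output:
    path "${cohort}.json"

    script:
    if (!(cohort ==~ /[A-Za-z0-9._-]+/) || cohort.startsWith('-')) {
        error "cohort '${cohort}' is not a safe shell token ([A-Za-z0-9._-], no leading '-')"
    }
    def hist = history.name
    if (!(hist ==~ /[A-Za-z0-9._-]+/) || hist.startsWith('-')) {
        error "history file name '${hist}' is not a safe shell token"
    }
    def history_arg = hist == 'NO_FILE' ? '' : "--history ${hist}"
    """
    python -m talos.validate_moi --output ${cohort}.json ${history_arg}
    """
}

workflow {
    // Constructed sample values: the first passes, the second aborts the run
    // at the check instead of reaching bash.
    cohorts = Channel.of('cohortA', 'foo.json; rm -rf /')
    VALIDATE_MOI(cohorts, file(params.history))
}
```

Rejecting is preferable to `replaceAll("[^a-zA-Z0-9]+","")` for two reasons: stripping turns `foo.json; rm -rf /` into `foojsonrmrf` and silently relabels the cohort, so the output file no longer matches the TSV, and it hides the fact that hostile input reached the pipeline. Because Nextflow composes the script as a string before bash sees it, the check has to happen in Groovy, as above; quoting inside the `"""` block is not sufficient on its own.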