From a7fe82a62ec8f6d42c842d33c665f5de35a58fc8 Mon Sep 17 00:00:00 2001
From: leafspark <78000825+leafspark@users.noreply.github.com>
Date: Sat, 21 Sep 2024 16:35:20 -0700
Subject: [PATCH] Fix code scanning alert #1: Uncontrolled command line

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/graph.py | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/src/graph.py b/src/graph.py
index b8bedb8..f115e5b 100644
--- a/src/graph.py
+++ b/src/graph.py
@@ -250,6 +250,7 @@ def index():
 for name in os.listdir(data_dir)
 if name.endswith(".sqlite") and os.path.isfile(os.path.join(data_dir, name))
 ]
+ valid_model_names = set(model_names)
 
 if request.method == "POST":
 selected_model = request.form.get("model_select")
@@ -272,13 +273,19 @@ def index():
 "An error occurred while creating the plot. Please try again later."
 )
 
- command = [
- "python",
- "get_data.py",
- "--hours",
- "24",
- f".\\data\\{selected_model}.sqlite",
- ]
+ if selected_model in valid_model_names:
+ command = [
+ "python",
+ "get_data.py",
+ "--hours",
+ "24",
+ f".\\data\\{selected_model}.sqlite",
+ ]
+ result = subprocess.run(command, capture_output=True, text=True)
+ else:
+ logging.error(f"Invalid model selected: {selected_model}")
+ error_message = "Invalid model selected. Please choose a valid model."
+ result = None
 result = subprocess.run(command, capture_output=True, text=True)
 else:
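Review bot: The allowlist built by the first hunk (`valid_model_names = set(model_names)`) is only effective if every path to the subprocess goes through it, but the second hunk keeps the original unconditional context line `result = subprocess.run(command, capture_output=True, text=True)` directly after the new `if/else`, so the guard is bypassed: on the invalid branch `command` is unbound as far as this excerpt shows (raising instead of reporting the invalid model), and on the valid branch `get_data.py` runs twice. Delete that trailing `result = subprocess.run(...)` line so the only call is the one inside the `if selected_model in valid_model_names:` branch; note the second hunk continues past the end of this excerpt and the comprehension feeding `model_names` begins above the first hunk, so confirm nothing else assigns `command`. Because `selected_model` is still interpolated into the `.\\data\\...sqlite` path argument, a short comment on the allowlist would help future maintainers keep it in place, e.g. `# Allowlist: only names derived from on-disk .sqlite files may reach the subprocess argv`.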