Potential fix for code scanning alert no. 13: Uncontrolled command line

[ArshVermaGit]

Potential fix for https://github.com/ArshVermaGit/SentinelOps-Autonomous-DevOps-AI/security/code-scanning/13

Best fix: enforce a strict allowlist so git commands only run for repositories already present in linked_repos.json, with canonicalized path comparison to prevent bypasses (relative-path tricks, symlink-ish variations, ~, etc.). This preserves existing behavior for legitimate linked repos and blocks arbitrary user-provided paths.

Single best implementation in the shown code:

1. In sentinelops-backend/app/services/local_git_service.py, add helper methods to canonicalize paths and check whether a path is linked.
2. In _run_git, reject execution unless repo_path is in the linked-repo allowlist.
3. In get_repo_status, fail early with an "error" response if the requested path is not linked (before calling any git command), and canonicalize the path.
4. Keep subprocess.run list-style usage as-is (already safer than shell), but add this authorization guard at the service boundary so all three alert variants are addressed centrally.

No router changes are strictly required once service-level allowlisting is enforced.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

[github-actions]

Welcome to SentinelOps! 🚀 Thanks for your first PR. We'll analyze it for risks and get back to you soon.

[ArshVermaGit]

This is a strong and well-targeted security hardening change that addresses the root cause rather than just patching individual call sites. Enforcing a strict allowlist tied to linked_repos.json, combined with canonicalized path comparison, effectively prevents command execution against arbitrary filesystem paths while preserving existing behavior for legitimate repositories. I particularly like that the fix is implemented centrally within _run_git, ensuring consistent enforcement across all git operations without requiring scattered router-level checks. Handling normalization edge cases (~, relative paths, symlink-like variations) shows good defensive thinking and significantly reduces the risk of bypass techniques. Keeping subprocess.run in list form maintains existing safety guarantees while adding a proper authorization boundary at the service layer. Overall, this is a clean, minimal, and high-impact mitigation that meaningfully improves command execution safety without introducing unnecessary complexity.