rosslh/coolify
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

refactor: scope server and project queries to current team

Browse source 
Ensure Server and Project lookups in Livewire components and API
controllers use team-scoped queries (ownedByCurrentTeam / whereTeamId)
instead of unscoped find/where calls. This enforces consistent
multi-tenant isolation across all user-facing code paths.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Andras Bacsai 2026-03-28 12:29:08 +01:00
parent e39678aea5
commit e36622fdfb
13 changed files with 199 additions and 17 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
app/Http/Controllers/Api/DeployController.php
View file

@ -250,7 +250,7 @@ public function cancel_deployment(Request $request)
]);
// Get the server
$server = Server::find($build_server_id);
$server = Server::whereTeamId($teamId)->find($build_server_id);
if ($server) {
// Add cancellation log entry

6
app/Livewire/Boarding/Index.php
View file

@ -121,7 +121,7 @@ public function mount()
}
if ($this->selectedExistingServer) {
$this->createdServer = Server::find($this->selectedExistingServer);
$this->createdServer = Server::ownedByCurrentTeam()->find($this->selectedExistingServer);
if ($this->createdServer) {
$this->serverPublicKey = $this->createdServer->privateKey->getPublicKey();
$this->updateServerDetails();
@ -145,7 +145,7 @@ public function mount()
}
if ($this->selectedProject) {
$this->createdProject = Project::find($this->selectedProject);
$this->createdProject = Project::ownedByCurrentTeam()->find($this->selectedProject);
if (! $this->createdProject) {
$this->projects = Project::ownedByCurrentTeam(['name'])->get();
}
@ -431,7 +431,7 @@ public function getProjects()
public function selectExistingProject()
{
$this->createdProject = Project::find($this->selectedProject);
$this->createdProject = Project::ownedByCurrentTeam()->find($this->selectedProject);
$this->currentState = 'create-resource';
}

4
app/Livewire/GlobalSearch.php
View file

@ -1203,7 +1203,7 @@ public function selectServer($serverId, $shouldProgress = true)
public function loadDestinations()
{
$this->loadingDestinations = true;
$server = Server::find($this->selectedServerId);
$server = Server::ownedByCurrentTeam()->find($this->selectedServerId);
if (! $server) {
$this->loadingDestinations = false;
@ -1280,7 +1280,7 @@ public function selectProject($projectUuid, $shouldProgress = true)
public function loadEnvironments()
{
$this->loadingEnvironments = true;
$project = Project::where('uuid', $this->selectedProjectUuid)->first();
$project = Project::ownedByCurrentTeam()->where('uuid', $this->selectedProjectUuid)->first();
if (! $project) {
$this->loadingEnvironments = false;

2
app/Livewire/Project/CloneMe.php
View file

@ -54,7 +54,7 @@ protected function messages(): array
public function mount($project_uuid)
{
$this->project_uuid = $project_uuid;
$this->project = Project::where('uuid', $project_uuid)->firstOrFail();
$this->project = Project::ownedByCurrentTeam()->where('uuid', $project_uuid)->firstOrFail();
$this->environment = $this->project->environments->where('uuid', $this->environment_uuid)->first();
$this->project_id = $this->project->id;
$this->servers = currentTeam()

4
app/Livewire/Project/DeleteProject.php
View file

@ -21,7 +21,7 @@ class DeleteProject extends Component
public function mount()
{
$this->parameters = get_route_parameters();
$this->projectName = Project::findOrFail($this->project_id)->name;
$this->projectName = Project::ownedByCurrentTeam()->findOrFail($this->project_id)->name;
}
public function delete()
@ -29,7 +29,7 @@ public function delete()
$this->validate([
'project_id' => 'required|int',
]);
$project = Project::findOrFail($this->project_id);
$project = Project::ownedByCurrentTeam()->findOrFail($this->project_id);
$this->authorize('delete', $project);
if ($project->isEmpty()) {

2
app/Livewire/Project/New/DockerCompose.php
View file

@ -41,7 +41,7 @@ public function submit()
// Validate for command injection BEFORE saving to database
validateDockerComposeForInjection($this->dockerComposeRaw);
$project = Project::where('uuid', $this->parameters['project_uuid'])->first();
$project = Project::ownedByCurrentTeam()->where('uuid', $this->parameters['project_uuid'])->first();
$environment = $project->load(['environments'])->environments->where('uuid', $this->parameters['environment_uuid'])->first();
$destination_uuid = $this->query['destination'];

2
app/Livewire/Project/New/DockerImage.php
View file

@ -121,7 +121,7 @@ public function submit()
}
$destination_class = $destination->getMorphClass();
$project = Project::where('uuid', $this->parameters['project_uuid'])->first();
$project = Project::ownedByCurrentTeam()->where('uuid', $this->parameters['project_uuid'])->first();
$environment = $project->load(['environments'])->environments->where('uuid', $this->parameters['environment_uuid'])->first();
// Append @sha256 to image name if using digest and not already present

2
app/Livewire/Project/New/GithubPrivateRepository.php
View file

@ -185,7 +185,7 @@ public function submit()
}
$destination_class = $destination->getMorphClass();
$project = Project::where('uuid', $this->parameters['project_uuid'])->first();
$project = Project::ownedByCurrentTeam()->where('uuid', $this->parameters['project_uuid'])->first();
$environment = $project->load(['environments'])->environments->where('uuid', $this->parameters['environment_uuid'])->first();
$application = Application::create([

2
app/Livewire/Project/New/GithubPrivateRepositoryDeployKey.php
View file

@ -144,7 +144,7 @@ public function submit()
// Note: git_repository has already been validated and transformed in get_git_source()
// It may now be in SSH format (git@host:repo.git) which is valid for deploy keys
$project = Project::where('uuid', $this->parameters['project_uuid'])->first();
$project = Project::ownedByCurrentTeam()->where('uuid', $this->parameters['project_uuid'])->first();
$environment = $project->load(['environments'])->environments->where('uuid', $this->parameters['environment_uuid'])->first();
if ($this->git_source === 'other') {
$application_init = [

2
app/Livewire/Project/New/PublicGitRepository.php
View file

@ -278,7 +278,7 @@ public function submit()
}
$destination_class = $destination->getMorphClass();
$project = Project::where('uuid', $project_uuid)->first();
$project = Project::ownedByCurrentTeam()->where('uuid', $project_uuid)->first();
$environment = $project->load(['environments'])->environments->where('uuid', $environment_uuid)->first();
if ($this->build_pack === 'dockercompose' && isDev() && $this->new_compose_services) {

4
app/Livewire/Project/New/Select.php
View file

@ -65,7 +65,7 @@ public function mount()
$this->existingPostgresqlUrl = 'postgres://coolify:password@coolify-db:5432';
}
$projectUuid = data_get($this->parameters, 'project_uuid');
$project = Project::whereUuid($projectUuid)->firstOrFail();
$project = Project::ownedByCurrentTeam()->whereUuid($projectUuid)->firstOrFail();
$this->environments = $project->environments;
$this->selectedEnvironment = $this->environments->where('uuid', data_get($this->parameters, 'environment_uuid'))->firstOrFail()->name;
@ -79,7 +79,7 @@ public function mount()
$this->type = $queryType;
$this->server_id = $queryServerId;
$this->destination_uuid = $queryDestination;
$this->server = Server::find($queryServerId);
$this->server = Server::ownedByCurrentTeam()->find($queryServerId);
$this->current_step = 'select-postgresql-type';
}
} catch (\Exception $e) {

2
app/Livewire/Project/New/SimpleDockerfile.php
View file

@ -45,7 +45,7 @@ public function submit()
}
$destination_class = $destination->getMorphClass();
$project = Project::where('uuid', $this->parameters['project_uuid'])->first();
$project = Project::ownedByCurrentTeam()->where('uuid', $this->parameters['project_uuid'])->first();
$environment = $project->load(['environments'])->environments->where('uuid', $this->parameters['environment_uuid'])->first();
$port = get_port_from_dockerfile($this->dockerfile);

182
tests/Feature/CrossTeamIdorServerProjectTest.php Normal file
View file

@ -0,0 +1,182 @@
<?php
use App\Livewire\Boarding\Index as BoardingIndex;
use App\Livewire\GlobalSearch;
use App\Livewire\Project\CloneMe;
use App\Livewire\Project\DeleteProject;
use App\Models\Environment;
use App\Models\Project;
use App\Models\Server;
use App\Models\StandaloneDocker;
use App\Models\Team;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Livewire\Livewire;
uses(RefreshDatabase::class);
beforeEach(function () {
// Attacker: Team A
$this->userA = User::factory()->create();
$this->teamA = Team::factory()->create();
$this->userA->teams()->attach($this->teamA, ['role' => 'owner']);
$this->serverA = Server::factory()->create(['team_id' => $this->teamA->id]);
$this->projectA = Project::factory()->create(['team_id' => $this->teamA->id]);
$this->environmentA = Environment::factory()->create(['project_id' => $this->projectA->id]);
// Victim: Team B
$this->userB = User::factory()->create();
$this->teamB = Team::factory()->create();
$this->userB->teams()->attach($this->teamB, ['role' => 'owner']);
$this->serverB = Server::factory()->create(['team_id' => $this->teamB->id]);
$this->projectB = Project::factory()->create(['team_id' => $this->teamB->id]);
$this->environmentB = Environment::factory()->create(['project_id' => $this->projectB->id]);
// Act as attacker (Team A)
$this->actingAs($this->userA);
session(['currentTeam' => $this->teamA]);
});
describe('Boarding Server IDOR (GHSA-qfcc-2fm3-9q42)', function () {
test('boarding mount cannot load server from another team via selectedExistingServer', function () {
$component = Livewire::test(BoardingIndex::class, [
'selectedServerType' => 'remote',
'selectedExistingServer' => $this->serverB->id,
]);
// The server from Team B should NOT be loaded
expect($component->get('createdServer'))->toBeNull();
});
test('boarding mount can load own team server via selectedExistingServer', function () {
$component = Livewire::test(BoardingIndex::class, [
'selectedServerType' => 'remote',
'selectedExistingServer' => $this->serverA->id,
]);
// Own team server should load successfully
expect($component->get('createdServer'))->not->toBeNull();
expect($component->get('createdServer')->id)->toBe($this->serverA->id);
});
});
describe('Boarding Project IDOR (GHSA-qfcc-2fm3-9q42)', function () {
test('boarding mount cannot load project from another team via selectedProject', function () {
$component = Livewire::test(BoardingIndex::class, [
'selectedProject' => $this->projectB->id,
]);
// The project from Team B should NOT be loaded
expect($component->get('createdProject'))->toBeNull();
});
test('boarding selectExistingProject cannot load project from another team', function () {
$component = Livewire::test(BoardingIndex::class)
->set('selectedProject', $this->projectB->id)
->call('selectExistingProject');
expect($component->get('createdProject'))->toBeNull();
});
test('boarding selectExistingProject can load own team project', function () {
$component = Livewire::test(BoardingIndex::class)
->set('selectedProject', $this->projectA->id)
->call('selectExistingProject');
expect($component->get('createdProject'))->not->toBeNull();
expect($component->get('createdProject')->id)->toBe($this->projectA->id);
});
});
describe('GlobalSearch Server IDOR (GHSA-qfcc-2fm3-9q42)', function () {
test('loadDestinations cannot access server from another team', function () {
$component = Livewire::test(GlobalSearch::class)
->set('selectedServerId', $this->serverB->id)
->call('loadDestinations');
// Should dispatch error because server is not found (team-scoped)
$component->assertDispatched('error');
});
});
describe('GlobalSearch Project IDOR (GHSA-qfcc-2fm3-9q42)', function () {
test('loadEnvironments cannot access project from another team', function () {
$component = Livewire::test(GlobalSearch::class)
->set('selectedProjectUuid', $this->projectB->uuid)
->call('loadEnvironments');
// Should not load environments from another team's project
expect($component->get('availableEnvironments'))->toBeEmpty();
});
});
describe('DeleteProject IDOR (GHSA-qfcc-2fm3-9q42)', function () {
test('cannot mount DeleteProject with project from another team', function () {
// Should throw ModelNotFoundException (404) because team-scoped query won't find it
Livewire::test(DeleteProject::class, ['project_id' => $this->projectB->id])
->assertStatus(500); // findOrFail throws ModelNotFoundException
})->throws(\Illuminate\Database\Eloquent\ModelNotFoundException::class);
test('can mount DeleteProject with own team project', function () {
$component = Livewire::test(DeleteProject::class, ['project_id' => $this->projectA->id]);
expect($component->get('projectName'))->toBe($this->projectA->name);
});
});
describe('CloneMe Project IDOR (GHSA-qfcc-2fm3-9q42)', function () {
test('cannot mount CloneMe with project UUID from another team', function () {
// Should throw ModelNotFoundException because team-scoped query won't find it
Livewire::test(CloneMe::class, [
'project_uuid' => $this->projectB->uuid,
'environment_uuid' => $this->environmentB->uuid,
]);
})->throws(\Illuminate\Database\Eloquent\ModelNotFoundException::class);
test('can mount CloneMe with own team project UUID', function () {
$component = Livewire::test(CloneMe::class, [
'project_uuid' => $this->projectA->uuid,
'environment_uuid' => $this->environmentA->uuid,
]);
expect($component->get('project_id'))->toBe($this->projectA->id);
});
});
describe('DeployController API Server IDOR (GHSA-qfcc-2fm3-9q42)', function () {
test('deploy cancel API cannot access build server from another team', function () {
// Create a deployment queue entry that references Team B's server as build_server
$application = \App\Models\Application::factory()->create([
'environment_id' => $this->environmentA->id,
'destination_id' => StandaloneDocker::factory()->create(['server_id' => $this->serverA->id])->id,
'destination_type' => StandaloneDocker::class,
]);
$deployment = \App\Models\ApplicationDeploymentQueue::create([
'application_id' => $application->id,
'deployment_uuid' => 'test-deploy-' . fake()->uuid(),
'server_id' => $this->serverA->id,
'build_server_id' => $this->serverB->id, // Cross-team build server
'status' => \App\Enums\ApplicationDeploymentStatus::IN_PROGRESS->value,
]);
$token = $this->userA->createToken('test-token', ['*']);
$response = $this->withHeaders([
'Authorization' => 'Bearer ' . $token->plainTextToken,
])->deleteJson("/api/v1/deployments/{$deployment->deployment_uuid}");
// The cancellation should proceed but the build_server should NOT be found
// (team-scoped query returns null for Team B's server)
// The deployment gets cancelled but no remote process runs on the wrong server
$response->assertOk();
// Verify the deployment was cancelled
$deployment->refresh();
expect($deployment->status)->toBe(
\App\Enums\ApplicationDeploymentStatus::CANCELLED_BY_USER->value
);
});
});