fix(docker): add path validation to prevent command injection in file locations

Add regex validation to dockerfileLocation and dockerComposeLocation fields to ensure they contain only valid path characters (alphanumeric, dots, hyphens, and slashes) and must start with /. Include custom validation messages for clarity.
2026-03-10 22:40:45 +01:00 · 2026-03-10 22:40:45 +01:00 · ee5dd71266
commit ee5dd71266
parent d174724bf6
1 changed files with 4 additions and 2 deletions
--- a/app/Livewire/Project/Application/General.php
+++ b/app/Livewire/Project/Application/General.php
@ -198,8 +198,8 @@ protected function rules(): array
            'dockerfile' => 'nullable',
            'dockerRegistryImageName' => 'nullable',
            'dockerRegistryImageTag' => 'nullable',
-            'dockerfileLocation' => 'nullable',
-            'dockerComposeLocation' => 'nullable',
+            'dockerfileLocation' => ['nullable', 'regex:/^\/[a-zA-Z0-9._\-\/]+$/'],
+            'dockerComposeLocation' => ['nullable', 'regex:/^\/[a-zA-Z0-9._\-\/]+$/'],
            'dockerCompose' => 'nullable',
            'dockerComposeRaw' => 'nullable',
            'dockerfileTargetBuild' => 'nullable',
@ -231,6 +231,8 @@ protected function messages(): array
        return array_merge(
            ValidationPatterns::combinedMessages(),
            [
+                'dockerfileLocation.regex' => 'The Dockerfile location must be a valid path starting with / and containing only alphanumeric characters, dots, hyphens, and slashes.',
+                'dockerComposeLocation.regex' => 'The Docker Compose location must be a valid path starting with / and containing only alphanumeric characters, dots, hyphens, and slashes.',
                'name.required' => 'The Name field is required.',
                'gitRepository.required' => 'The Git Repository field is required.',
                'gitBranch.required' => 'The Git Branch field is required.',