This commit addresses a critical security issue where malicious Docker Compose
data was being saved to the database before validation occurred.
Problem:
- Service models were saved to database first
- Validation ran afterwards during parse()
- Malicious data persisted even when validation failed
- User saw error but damage was already done
Solution:
1. Created validateDockerComposeForInjection() to validate YAML before save
2. Added pre-save validation to all Service creation/update points:
- Livewire: DockerCompose.php, StackForm.php
- API: ServicesController.php (create, update, one-click)
3. Validates service names and volume paths (string + array formats)
4. Blocks shell metacharacters: backticks, $(), |, ;, &, >, <, newlines
Security fixes:
- Volume source paths (string format) - validated before save
- Volume source paths (array format) - validated before save
- Service names - validated before save
- Environment variable patterns - safe ${VAR} allowed, ${VAR:-$(cmd)} blocked
Testing:
- 60 security tests pass (176 assertions)
- PreSaveValidationTest.php: 15 tests for pre-save validation
- ValidateShellSafePathTest.php: 15 tests for core validation
- VolumeSecurityTest.php: 15 tests for volume parsing
- ServiceNameSecurityTest.php: 15 tests for service names
Related commits:
- Previous: Added validation during parse() phase
- This commit: Moves validation before database save
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Problem:
- Cache::remember() does not cache null return values
- When no FQDN was configured, the closure returned null
- This caused DB queries on every request, defeating the cache
Solution:
- Use empty string ('') as sentinel value instead of null
- Convert sentinel back to null after retrieving from cache
- Now both positive and negative results are cached properly
Changes:
- Return empty string from closure instead of null
- Add explicit sentinel-to-null conversion after cache retrieval
- Add test to verify negative caching works correctly
This ensures zero DB queries even when FQDN is not configured.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
This commit fixes a critical Host Header Injection vulnerability in the password reset flow that could lead to account takeover.
Security Issue:
- Attackers could inject malicious host headers (e.g., legitimate.domain.evil.com)
- Password reset emails would contain links to attacker-controlled domains
- Attackers could capture reset tokens and takeover accounts
Changes:
- Enable TrustHosts middleware in app/Http/Kernel.php
- Update TrustHosts to trust configured FQDN from InstanceSettings
- Add intelligent caching (5-min TTL) to avoid DB query on every request
- Automatic cache invalidation when FQDN is updated
- Support for domains, IP addresses (IPv4/IPv6), and ports
- Graceful fallback during installation when DB doesn't exist
Test Coverage:
- Domain validation (with/without ports)
- IP address validation (IPv4, IPv6)
- Malicious host rejection
- Cache creation and invalidation
- Installation edge cases
Performance:
- 99.9% reduction in DB queries (1 query per 5 minutes vs every request)
- Zero performance impact on production workloads
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Replace manual regex parsing with DockerImageParser in ApplicationsController
- Fix double-decoration bug where image names like nginx@sha256:hash would
become nginx:hash@sha256 causing malformed references
- Add auto-parse feature in Livewire DockerImage component
- Users can now paste complete references like nginx:stable@sha256:abc123...
and fields auto-populate
- Update UI placeholder with examples: nginx, docker.io/nginx:latest,
ghcr.io/user/app:v1.2.3, nginx:stable@sha256:abc123...
- Add comprehensive unit tests for auto-parse functionality
- All tests passing (20 tests, 73 assertions)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Fixes#6847
The API endpoints for environment variables were rejecting valid fields
like is_buildtime, is_runtime, is_multiline, and is_shown_once with
422 errors, even though the code was using these fields internally.
Changes:
- Added missing fields to $allowedFields in create_env()
- Added missing fields to $allowedFields in update_env_by_uuid()
- Updated allowed fields in create_bulk_envs()
- Added validation rules for is_runtime and is_buildtime
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Enhanced logic to process Docker image name and tag, including stripping 'sha256:' prefix and removing '@sha256' suffix.
- Implemented validation to check for valid SHA256 hashes and conditionally append '@sha256' to the image name.
- Defaulted the image tag to 'latest' if not provided, improving user experience and data integrity.
- Replace OA\Schema with OA\Items for array items in DatabasesController
- Replace OA\Items with OA\Schema for array type properties in GithubController
- Update generated OpenAPI documentation files (openapi.json and openapi.yaml)
- Modified the update_by_uuid method to use only the specified allowed fields from the request for database updates, enhancing data integrity and security.
- Changed security scheme from 'api_token' to 'bearerAuth' for the update and delete GitHub app endpoints.
- Ensured consistent authentication handling across GitHub app operations.
- Added authorization checks for updating and deleting backups in DatabasesController.
- Implemented validation for S3 storage UUID when saving backups, ensuring it belongs to the current team.
- Improved error handling during backup deletion with transaction management for better data integrity.
- Modified backup retrieval logic in DatabasesController to utilize the new ownedByCurrentTeamAPI method for improved access control based on team ID.
- Enhanced code consistency and maintainability by centralizing team-based filtering in the ScheduledDatabaseBackup model.
- Updated backup retrieval logic in DatabasesController to utilize the new ownedByCurrentTeam method for improved access control.
- Enhanced code readability and maintainability by centralizing team-based filtering in the ScheduledDatabaseBackup model.
- Modified backup configuration queries in the DatabasesController to filter by team ID, ensuring proper access control.
- Enhanced S3 storage retrieval to use the current team context for better data integrity.
- Added a relationship method in ScheduledDatabaseBackup model to associate backups with teams.
- Removed obsolete backup-related parameters from the OpenAPI specification in the DatabasesController.
- Streamlined the API documentation to enhance clarity and focus on current functionality.
- Updated validation rules for 'custom_user' and 'custom_port' fields to be nullable in the GithubController.
- Refactored API request handling in GithubController, GithubPrivateRepository, and helper functions to use a consistent Http::GitHub method with timeout and retry logic.
- Improved error handling for repository and branch loading processes.
- Implemented endpoints to update and delete GitHub apps in the GithubController.
- Added OpenAPI annotations for the new endpoints, including request and response specifications.
- Removed the 'is_public' field from the app creation and update processes, defaulting it to false.
- Enhanced validation for update requests to ensure proper data handling.
- Implemented a new GithubController with endpoints to create GitHub apps, load repositories, and fetch branches for a given repository.
- Added OpenAPI annotations for API documentation.
- Included validation for incoming requests and error handling for various scenarios.
- Refactored backup configuration retrieval and update logic to use UUIDs instead of IDs.
- Added new endpoint to list backup executions for a specific backup configuration.
- Improved error handling and validation for backup operations.
- Updated API documentation to reflect changes in parameter names and descriptions.
- Introduced `ValidGitRepositoryUrl` and `ValidGitBranch` validation rules to ensure safe and valid input for Git repository URLs and branch names.
- Updated relevant Livewire components and API controllers to utilize the new validation rules, enhancing security against command injection and invalid inputs.
- Refactored existing validation logic to improve consistency and maintainability across the application.
- Introduced `ValidationPatterns` class to standardize validation rules and messages for name and description fields across the application.
- Updated various components and models to utilize the new validation patterns, ensuring consistent sanitization and validation logic.
- Replaced the `HasSafeNameAttribute` trait with `HasSafeStringAttribute` to enhance attribute handling and maintain consistency in name sanitization.
- Enhanced the `CleanupNames` command to align with the new validation rules, allowing for a broader range of valid characters in names.
- Introduced `CleanupNames` command to sanitize name fields by removing invalid characters, ensuring only letters, numbers, spaces, dashes, underscores, and dots are retained.
- Implemented options for dry run, model-specific cleaning, database backup, and forced execution.
- Updated `Init` command to call the new `cleanup:names` command.
- Enhanced project and environment validation to enforce name sanitization rules.
- Added `HasSafeNameAttribute` trait to relevant models for consistent name handling.
- Add checks to ensure docker_compose_raw is provided and correctly base64 encoded.
- Implement detailed error responses for validation failures to improve user feedback.
- Ensure docker_compose_raw is provided and base64 encoded before processing.
- Return appropriate validation error messages for missing or incorrectly formatted input.
Add separate API to create services with custom Docker compose instead
of oneclick services implement as a POST to /services/compose.
This is somewhat similar to /applications/dockercompose but that API is
the only one in ApplicationsController that actually works with the `Service` model.
- Replace `! $type` checks with `blank($type)` for consistency
- Modify email settings configuration to handle null/disabled states
- Ensure proper fallback and configuration of email providers
The repo:push payload lacks the destination branch name, using push.changes.0.new.name instead. While sufficient for updates, this causes failures in preview deployments when a PR receives new commits—Coolify looks for git_branch in the applications table but finds the source branch instead.
By also processing pullrequest:updated, we ensure preview deployments remain in sync. However, this event triggers on various actions (e.g., PR title changes, reviewer updates), causing extra redeploys. Since Coolify doesn’t store commit hashes for preview deployments, handling these extra redeploys is our best workaround for Bitbucket.
- Introduced `environment_uuid` as a required field in various API endpoints and schemas.
- Updated descriptions to clarify that either `environment_name` or `environment_uuid` must be provided.
- Modified routes and controller methods to accommodate the new UUID parameter.
- Adjusted frontend components to utilize `environment_uuid` for better consistency and clarity.
- Removed deprecated fields related to environment handling.
This change enhances the API's flexibility in identifying environments, improving overall usability.
