Andras Bacsai
0256043ca5
fix(modal): make confirmation modal close after dispatching Livewire actions (#8892)
2026-03-11 06:48:10 +01:00
Andras Bacsai
88f582225b
chore: prepare for PR
2026-03-11 06:47:38 +01:00
Andras Bacsai
497b2b64ca
fix: Build-time environment variables break Next.js (#8890)
2026-03-11 06:47:18 +01:00
Andras Bacsai
eb8752c202
Merge branch 'next' into 8873-investigate-bug
2026-03-11 06:46:09 +01:00
Andras Bacsai
96b35bd2d8
fix: prevent command injection and fix developer view shared variables error (#8889)
2026-03-11 06:42:12 +01:00
Andras Bacsai
7aa744af90
chore: prepare for PR
2026-03-11 06:38:40 +01:00
Andras Bacsai
5cac559602
chore: prepare for PR
2026-03-11 06:36:12 +01:00
Andras Bacsai
d9cdbc6096
Merge remote-tracking branch 'origin/next' into next
2026-03-10 23:17:39 +01:00
Andras Bacsai
dc34d21cda
build(deps): bump league/commonmark from 2.8.0 to 2.8.1 (#8793)
2026-03-10 22:59:02 +01:00
Andras Bacsai
1edb2acdbf
build(deps): bump rollup from 4.57.1 to 4.59.0 (#8691)
2026-03-10 22:58:36 +01:00
Andras Bacsai
d174724bf6
Merge branch 'ghsa-mw5w-2vvh-mgf4-investigation'
2026-03-10 22:22:51 +01:00
Andras Bacsai
fcd574e1eb
fix(log-drain): prevent command injection by base64-encoding environment variables
Replace direct shell interpolation of environment values with base64 encoding
to prevent command injection attacks. Environment configuration is now built as
a single string, base64-encoded, then decoded to file atomically.
Also add regex validation to restrict environment field values to safe
characters (alphanumeric, underscore, hyphen, dot) at the application layer.
Fixes GHSA-3xm2-hqg8-4m2p
2026-03-10 22:22:51 +01:00
Andras Bacsai
a1c30cb0e7
fix(git-ref-validation): prevent command injection via git references
Add validateGitRef() helper function that uses an allowlist approach to prevent
OS command injection through git commit SHAs, branch names, and tags. Only allows
alphanumeric characters, dots, hyphens, underscores, and slashes.
Changes include:
- Add validateGitRef() helper in bootstrap/helpers/shared.php
- Apply validation in Rollback component when accepting rollback commit
- Add regex validation to git commit SHA fields in Livewire components
- Apply regex validation to API rules for git_commit_sha
- Use escapeshellarg() in git log and git checkout commands
- Add comprehensive unit tests covering injection payloads
Addresses GHSA-mw5w-2vvh-mgf4
2026-03-10 22:22:48 +01:00
Andras Bacsai
096d4369e5
fix(sentinel): add token validation to prevent command injection
Add validation to ensure sentinel tokens contain only safe characters
(alphanumeric, dots, hyphens, underscores, plus, forward slash, equals),
preventing OS command injection vulnerabilities when tokens are
interpolated into shell commands.
- Add ServerSetting::isValidSentinelToken() validation method
- Validate tokens in StartSentinel action and metrics queries
- Improve shell argument escaping with escapeshellarg()
- Add comprehensive test coverage for token validation
2026-03-10 22:19:19 +01:00
Andras Bacsai
6fbb5e626a
Squashed commit from '565g-9j4m-wqmr-cross-team-idor-logs-fix'
2026-03-10 22:11:52 +01:00
Andras Bacsai
c15bcd5634
fix(api): require write permission for validation endpoints
Validation operations should require write permissions as they trigger
state-changing actions. Updated middleware for:
- POST /api/v1/cloud-tokens/{uuid}/validate
- GET /api/v1/servers/{uuid}/validate
Added tests to verify read-only tokens cannot access these endpoints.
2026-03-10 22:11:52 +01:00
Andras Bacsai
633b1803e1
fix(docker): prevent false container exits on failed docker queries (#8860)
2026-03-10 21:59:47 +01:00
Andras Bacsai
458f048c4e
fix(push-server): track last_online_at and reset database restart state
- Update last_online_at timestamp when resource status is confirmed active
- Reset restart_count, last_restart_at, and last_restart_type when marking database as exited
- Remove unused updateServiceSubStatus() method
2026-03-10 21:46:26 +01:00
Andras Bacsai
0a1782175a
Merge remote-tracking branch 'origin/next' into 8826-investigate-postgresql-restart
2026-03-10 21:46:03 +01:00
Andras Bacsai
a3e59e5c96
fix(docker-cleanup): respect keep for rollback setting for Nixpacks build images (#8859)
2026-03-10 21:42:45 +01:00
Andras Bacsai
d6ac8de6b7
Merge remote-tracking branch 'origin/next' into 8765-investigate-docker-cleanup-keep
2026-03-10 21:41:25 +01:00
Andras Bacsai
473371e7ed
chore(realtime): upgrade coolify-realtime to 1.0.11
2026-03-10 21:14:30 +01:00
Andras Bacsai
b71d1561f3
chore(realtime): upgrade npm dependencies
Update dependencies in coolify-realtime package:
- @xterm/addon-fit 0.10.0 → 0.11.0
- @xterm/xterm 5.5.0 → 6.0.0
- axios 1.12.0 → 1.13.6
- cookie 1.0.2 → 1.1.1
- dotenv 16.5.0 → 17.3.1
- node-pty 1.0.0 → 1.1.0 (now uses node-addon-api instead of nan)
- ws 8.18.1 → 8.19.0
2026-03-10 21:07:14 +01:00
Andras Bacsai
d46c2c8152
fix(terminal): resolve WebSocket connection and host authorization issues (#8862)
2026-03-10 20:57:14 +01:00
Andras Bacsai
1d3dfe4dc8
chore(version): bump coolify, realtime, and sentinel versions
2026-03-10 20:40:49 +01:00
Andras Bacsai
5c5f67f48b
chore: prepare for PR
2026-03-10 20:37:22 +01:00
Andras Bacsai
e41dbde46b
chore: prepare for PR
2026-03-10 18:34:37 +01:00
Andras Bacsai
9702543e20
chore: prepare for PR
2026-03-10 18:32:19 +01:00
Andras Bacsai
201998638a
fix(env-parser): capture clean variable names without trailing braces in bash-style defaults (#8855)
2026-03-10 18:06:51 +01:00
Andras Bacsai
0679e91c85
fix(parser): use firstOrCreate instead of updateOrCreate for environment variables
Prevent unnecessary updates to existing environment variable records.
The previous implementation would update matching records, but the intent
is to retrieve or create the record without modifying existing ones.
2026-03-10 18:06:01 +01:00
Andras Bacsai
a362282976
chore: prepare for PR
2026-03-10 17:37:13 +01:00
Andras Bacsai
872e300cf9
fix(subscription): use optional chaining for preview object access
Add optional chaining operator (?.) to all preview property accesses in the
subscription actions view to prevent potential null reference errors when the
preview object is undefined.
2026-03-10 17:14:08 +01:00
Andras Bacsai
470cc15e62
feat(jobs): implement encrypted queue jobs
- Add ShouldBeEncrypted interface to all queue jobs to encrypt sensitive
job payloads
- Configure explicit retry policies for messaging jobs (5 attempts,
10-second backoff)
2026-03-10 14:05:05 +01:00
Andras Bacsai
6bcae50e49
fix(database): close confirmation modal after database import/restore (#8697)
2026-03-10 10:38:22 +01:00
Andras Bacsai
db55c8160a
Merge remote-tracking branch 'origin/next' into fix/database-import-modal-not-closing-v2
2026-03-10 10:38:10 +01:00
Andras Bacsai
60dfadf036
feat: add configurable proxy timeout for public database TCP proxy (#8673)
2026-03-10 10:08:35 +01:00
Andras Bacsai
27e2680d70
Merge remote-tracking branch 'origin/next' into fix/configurable-proxy-timeout
2026-03-10 10:01:46 +01:00
Andras Bacsai
65d61a4af3
fix(proxy): mounting error for nginx.conf in dev (#8662)
2026-03-10 10:01:33 +01:00
Andras Bacsai
b5151815c1
Merge remote-tracking branch 'origin/next' into fix/dev-dbproxy
2026-03-10 10:01:14 +01:00
Andras Bacsai
184fbb98f3
fix(proxy): add validation and normalization for database proxy timeout
- Extract proxy timeout configuration logic into dedicated method
- Add min:1 validation rule for publicPortTimeout
- Normalize invalid timeout values (null, 0, negative) to default 3600s
- Add tests for timeout configuration normalization and validation
2026-03-10 09:59:19 +01:00
Andras Bacsai
a5367408d0
fix(docker-compose): respect preserveRepository setting when executing start command (#8848)
2026-03-10 09:45:43 +01:00
Andras Bacsai
574f849778
fix: enable preview deployment page for deploy key applications (#8579)
2026-03-10 09:45:24 +01:00
Andras Bacsai
19d1662fac
Merge remote-tracking branch 'origin/next' into fix/preview-deployments-invisible
2026-03-10 09:44:31 +01:00
Andras Bacsai
e3daba0b1d
chore: prepare for PR
2026-03-10 09:43:29 +01:00
Andras Bacsai
5b701ebb07
refactor(application-source): use Laravel helpers for null checks
Replace is_null() and !is_null() with blank() and filled() helper functions
for better readability and Laravel idiomatic style.
2026-03-09 17:23:34 +01:00
Andras Bacsai
01aa534556
fix(application-source): support localhost key with id=0
Previously, the view checked $privateKeyId with ! operator, which
incorrectly treats 0 (localhost key) as falsy. Changed to explicit
is_null() checks to distinguish between null (no key) and 0 (localhost).
Added test coverage for both cases.
2026-03-09 17:20:33 +01:00
dependabot[bot]
ee03fa2fb3
build(deps): bump league/commonmark from 2.8.0 to 2.8.1
Bumps [league/commonmark](https://github.com/thephpleague/commonmark) from 2.8.0 to 2.8.1.
- [Release notes](https://github.com/thephpleague/commonmark/releases)
- [Changelog](https://github.com/thephpleague/commonmark/blob/2.8/CHANGELOG.md)
- [Commits](https://github.com/thephpleague/commonmark/compare/2.8.0...2.8.1)
---
updated-dependencies:
- dependency-name: league/commonmark
  dependency-version: 2.8.1
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-03-07 03:01:56 +00:00
Andras Bacsai
7bee8a5668
Merge remote-tracking branch 'origin/next' into fix/database-import-modal-not-closing-v2
2026-03-06 08:04:07 +01:00
Andras Bacsai
4615cfd007
Merge remote-tracking branch 'origin/next' into fix/configurable-proxy-timeout
2026-03-06 08:04:07 +01:00
Andras Bacsai
31caef990d
Merge remote-tracking branch 'origin/next' into fix/dev-dbproxy
2026-03-06 08:04:06 +01:00