Andras Bacsai
a1c30cb0e7
fix(git-ref-validation): prevent command injection via git references
Add validateGitRef() helper function that uses an allowlist approach to prevent
OS command injection through git commit SHAs, branch names, and tags. Only allows
alphanumeric characters, dots, hyphens, underscores, and slashes.
Changes include:
- Add validateGitRef() helper in bootstrap/helpers/shared.php
- Apply validation in Rollback component when accepting rollback commit
- Add regex validation to git commit SHA fields in Livewire components
- Apply regex validation to API rules for git_commit_sha
- Use escapeshellarg() in git log and git checkout commands
- Add comprehensive unit tests covering injection payloads
Addresses GHSA-mw5w-2vvh-mgf4
2026-03-10 22:22:48 +01:00
Andras Bacsai
096d4369e5
fix(sentinel): add token validation to prevent command injection
Add validation to ensure sentinel tokens contain only safe characters
(alphanumeric, dots, hyphens, underscores, plus, forward slash, equals),
preventing OS command injection vulnerabilities when tokens are
interpolated into shell commands.
- Add ServerSetting::isValidSentinelToken() validation method
- Validate tokens in StartSentinel action and metrics queries
- Improve shell argument escaping with escapeshellarg()
- Add comprehensive test coverage for token validation
2026-03-10 22:19:19 +01:00
Andras Bacsai
6fbb5e626a
Squashed commit from '565g-9j4m-wqmr-cross-team-idor-logs-fix'
2026-03-10 22:11:52 +01:00
Andras Bacsai
c15bcd5634
fix(api): require write permission for validation endpoints
Validation operations should require write permissions as they trigger
state-changing actions. Updated middleware for:
- POST /api/v1/cloud-tokens/{uuid}/validate
- GET /api/v1/servers/{uuid}/validate
Added tests to verify read-only tokens cannot access these endpoints.
2026-03-10 22:11:52 +01:00
Andras Bacsai
633b1803e1
fix(docker): prevent false container exits on failed docker queries (#8860)
2026-03-10 21:59:47 +01:00
Andras Bacsai
458f048c4e
fix(push-server): track last_online_at and reset database restart state
- Update last_online_at timestamp when resource status is confirmed active
- Reset restart_count, last_restart_at, and last_restart_type when marking database as exited
- Remove unused updateServiceSubStatus() method
2026-03-10 21:46:26 +01:00
Andras Bacsai
0a1782175a
Merge remote-tracking branch 'origin/next' into 8826-investigate-postgresql-restart
2026-03-10 21:46:03 +01:00
Andras Bacsai
a3e59e5c96
fix(docker-cleanup): respect keep for rollback setting for Nixpacks build images (#8859)
2026-03-10 21:42:45 +01:00
Andras Bacsai
d6ac8de6b7
Merge remote-tracking branch 'origin/next' into 8765-investigate-docker-cleanup-keep
2026-03-10 21:41:25 +01:00
Andras Bacsai
473371e7ed
chore(realtime): upgrade coolify-realtime to 1.0.11
2026-03-10 21:14:30 +01:00
Andras Bacsai
b71d1561f3
chore(realtime): upgrade npm dependencies
Update dependencies in coolify-realtime package:
- @xterm/addon-fit 0.10.0 → 0.11.0
- @xterm/xterm 5.5.0 → 6.0.0
- axios 1.12.0 → 1.13.6
- cookie 1.0.2 → 1.1.1
- dotenv 16.5.0 → 17.3.1
- node-pty 1.0.0 → 1.1.0 (now uses node-addon-api instead of nan)
- ws 8.18.1 → 8.19.0
2026-03-10 21:07:14 +01:00
Andras Bacsai
d46c2c8152
fix(terminal): resolve WebSocket connection and host authorization issues (#8862)
2026-03-10 20:57:14 +01:00
Andras Bacsai
1d3dfe4dc8
chore(version): bump coolify, realtime, and sentinel versions
2026-03-10 20:40:49 +01:00
Andras Bacsai
5c5f67f48b
chore: prepare for PR
2026-03-10 20:37:22 +01:00
Andras Bacsai
e41dbde46b
chore: prepare for PR
2026-03-10 18:34:37 +01:00
Andras Bacsai
9702543e20
chore: prepare for PR
2026-03-10 18:32:19 +01:00
Andras Bacsai
201998638a
fix(env-parser): capture clean variable names without trailing braces in bash-style defaults (#8855)
2026-03-10 18:06:51 +01:00
Andras Bacsai
0679e91c85
fix(parser): use firstOrCreate instead of updateOrCreate for environment variables
Prevent unnecessary updates to existing environment variable records.
The previous implementation would update matching records, but the intent
is to retrieve or create the record without modifying existing ones.
2026-03-10 18:06:01 +01:00
Andras Bacsai
a362282976
chore: prepare for PR
2026-03-10 17:37:13 +01:00
Andras Bacsai
872e300cf9
fix(subscription): use optional chaining for preview object access
Add optional chaining operator (?.) to all preview property accesses in the
subscription actions view to prevent potential null reference errors when the
preview object is undefined.
2026-03-10 17:14:08 +01:00
Andras Bacsai
470cc15e62
feat(jobs): implement encrypted queue jobs
- Add ShouldBeEncrypted interface to all queue jobs to encrypt sensitive
job payloads
- Configure explicit retry policies for messaging jobs (5 attempts,
10-second backoff)
2026-03-10 14:05:05 +01:00
Andras Bacsai
6bcae50e49
fix(database): close confirmation modal after database import/restore (#8697)
2026-03-10 10:38:22 +01:00
Andras Bacsai
db55c8160a
Merge remote-tracking branch 'origin/next' into fix/database-import-modal-not-closing-v2
2026-03-10 10:38:10 +01:00
Andras Bacsai
60dfadf036
feat: add configurable proxy timeout for public database TCP proxy (#8673)
2026-03-10 10:08:35 +01:00
Andras Bacsai
27e2680d70
Merge remote-tracking branch 'origin/next' into fix/configurable-proxy-timeout
2026-03-10 10:01:46 +01:00
Andras Bacsai
65d61a4af3
fix(proxy): mounting error for nginx.conf in dev (#8662)
2026-03-10 10:01:33 +01:00
Andras Bacsai
b5151815c1
Merge remote-tracking branch 'origin/next' into fix/dev-dbproxy
2026-03-10 10:01:14 +01:00
Andras Bacsai
184fbb98f3
fix(proxy): add validation and normalization for database proxy timeout
- Extract proxy timeout configuration logic into dedicated method
- Add min:1 validation rule for publicPortTimeout
- Normalize invalid timeout values (null, 0, negative) to default 3600s
- Add tests for timeout configuration normalization and validation
2026-03-10 09:59:19 +01:00
Andras Bacsai
a5367408d0
fix(docker-compose): respect preserveRepository setting when executing start command (#8848)
2026-03-10 09:45:43 +01:00
Andras Bacsai
574f849778
fix: enable preview deployment page for deploy key applications (#8579)
2026-03-10 09:45:24 +01:00
Andras Bacsai
19d1662fac
Merge remote-tracking branch 'origin/next' into fix/preview-deployments-invisible
2026-03-10 09:44:31 +01:00
Andras Bacsai
e3daba0b1d
chore: prepare for PR
2026-03-10 09:43:29 +01:00
Andras Bacsai
5b701ebb07
refactor(application-source): use Laravel helpers for null checks
Replace is_null() and !is_null() with blank() and filled() helper functions
for better readability and Laravel idiomatic style.
2026-03-09 17:23:34 +01:00
Andras Bacsai
01aa534556
fix(application-source): support localhost key with id=0
Previously, the view checked $privateKeyId with ! operator, which
incorrectly treats 0 (localhost key) as falsy. Changed to explicit
is_null() checks to distinguish between null (no key) and 0 (localhost).
Added test coverage for both cases.
2026-03-09 17:20:33 +01:00
dependabot[bot]
ee03fa2fb3
build(deps): bump league/commonmark from 2.8.0 to 2.8.1
Bumps [league/commonmark](https://github.com/thephpleague/commonmark) from 2.8.0 to 2.8.1.
- [Release notes](https://github.com/thephpleague/commonmark/releases)
- [Changelog](https://github.com/thephpleague/commonmark/blob/2.8/CHANGELOG.md)
- [Commits](https://github.com/thephpleague/commonmark/compare/2.8.0...2.8.1)
---
updated-dependencies:
- dependency-name: league/commonmark
  dependency-version: 2.8.1
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-03-07 03:01:56 +00:00
Andras Bacsai
7bee8a5668
Merge remote-tracking branch 'origin/next' into fix/database-import-modal-not-closing-v2
2026-03-06 08:04:07 +01:00
Andras Bacsai
4615cfd007
Merge remote-tracking branch 'origin/next' into fix/configurable-proxy-timeout
2026-03-06 08:04:07 +01:00
Andras Bacsai
31caef990d
Merge remote-tracking branch 'origin/next' into fix/dev-dbproxy
2026-03-06 08:04:06 +01:00
Andras Bacsai
380a34c7d6
Merge remote-tracking branch 'origin/next' into fix/preview-deployments-invisible
2026-03-06 08:03:45 +01:00
ShadowArcanist
a73360e503
feat(ui): add log filter based on log level
2026-03-06 10:53:30 +05:30
ShadowArcanist
1f5395dd84
fix(ui): info logs were not highlighted with blue color
2026-03-06 10:06:50 +05:30
Andras Bacsai
11007771f0
Fix/wrong destinations api (#8646)
2026-03-05 16:32:09 +01:00
Andras Bacsai
db52a20ed8
chore(templates): update n8n templates to 2.10.2 (#8679)
2026-03-05 16:23:47 +01:00
Andras Bacsai
8dfb393de0
chore(ui): add container labels header (#8752)
2026-03-05 14:19:00 +01:00
Andras Bacsai
4015e03153
fix(proxy): remove ipv6 cidr network remediation
Stop explicitly re-creating networks while ensuring them, since the previous IPv6 CIDR gateway workaround is no longer needed and was duplicating effort.
2026-03-04 11:36:52 +01:00
Andras Bacsai
d0929a5883
docs(readme): move MVPS to Huge Sponsors section
Promote MVPS from the Big Sponsors list to Huge Sponsors to reflect its updated sponsorship tier.
2026-03-04 09:02:22 +01:00
Andras Bacsai
86cbd82991
docs(readme): add VPSDime to Big Sponsors list
Include VPSDime with its referral link and hosting description in README.
2026-03-03 22:07:36 +01:00
Cinzya
80be2628d0
chore(ui): add labels header
2026-03-03 20:57:03 +01:00
Andras Bacsai
b8d57bfd3c
fix(ip-allowlist): add IPv6 CIDR support for API access restrictions (#8750)
2026-03-03 17:05:51 +01:00
Andras Bacsai
0ca5596b1f
fix(server-limit): re-enable force-disabled servers at limit
Handle non-positive disable counts with `<= 0` so teams at or under the
server limit correctly re-enable force-disabled servers. Add a feature test
suite for ServerLimitCheckJob covering under-limit, at-limit, over-limit,
and no-op behavior.
2026-03-03 17:03:59 +01:00