Commit graph

2 commits

Author SHA1 Message Date
Andras Bacsai
2264a2ef76 docs(tests): replace advisory ID with descriptive comment in healthcheck injection test 2026-04-20 13:28:55 +02:00
Andras Bacsai
64753b4136 fix(database): prevent command injection in healthcheck via CMD exec-form
Replace CMD-SHELL string interpolation with CMD exec-form arrays in
healthcheck configs for PostgreSQL, Dragonfly, KeyDB, and ClickHouse.

CMD-SHELL passes the string to /bin/sh -c, allowing command injection
through user-controlled fields (username, password, dbname). CMD
exec-form bypasses the shell entirely — each value is a discrete argv
element.

Fixes GHSA-gvc4-f276-r88p.

Adds regression tests covering semicolon, pipe, backtick, $(),
background operator, redirect, newline, and null-byte injection vectors.
2026-04-20 13:17:15 +02:00
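
The difference between the two healthcheck forms described in the commit message above, as an added example (not code from the Coolify repository). The probe program, the `-U`/`-d` flags, and the sample values are assumptions constructed for illustration; the probe simply prints the argv it received, so the effect of shell parsing is visible without a database.

```python
import json
import shlex
import subprocess
import sys

# Stand-in for the real health probe (assumption): prints the argv it received as JSON.
PROBE = [sys.executable, "-c", "import json,sys; print(json.dumps(sys.argv[1:]))"]

# Constructed sample values for a user-controlled "username" field.
SAMPLES = ["app", "app; echo INJECTED", "app | echo INJECTED",
           "app$(echo INJECTED)", "app`echo INJECTED`"]


def shell_form(user, dbname):
    """'Before' pattern: fields interpolated into one CMD-SHELL string."""
    probe = " ".join(shlex.quote(part) for part in PROBE)
    return ["CMD-SHELL", f"{probe} -U {user} -d {dbname}"]


def exec_form(user, dbname):
    """'After' pattern: CMD exec-form, every value is its own argv element."""
    return ["CMD", *PROBE, "-U", user, "-d", dbname]


def run_healthcheck(test):
    """Execute a healthcheck test array the way Docker does."""
    kind, *rest = test
    argv = ["/bin/sh", "-c", rest[0]] if kind == "CMD-SHELL" else rest
    done = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    return done.stdout.splitlines()


def received_verbatim(test, user, dbname):
    """True only if the probe alone produced output and saw the literal values."""
    lines = run_healthcheck(test)
    try:
        return len(lines) == 1 and json.loads(lines[0]) == ["-U", user, "-d", dbname]
    except ValueError:
        return False


if __name__ == "__main__":
    for user in SAMPLES:
        print(f"{user!r:26} CMD-SHELL verbatim={received_verbatim(shell_form(user, 'appdb'), user, 'appdb')}"
              f"  CMD verbatim={received_verbatim(exec_form(user, 'appdb'), user, 'appdb')}")
```

A regression test can use the same property: for every metacharacter-bearing value, the exec-form check must deliver the value to the probe unchanged as a single argument.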