coolify/app/Actions
Andras Bacsai 64753b4136 fix(database): prevent command injection in healthcheck via CMD exec-form
Replace CMD-SHELL string interpolation with CMD exec-form arrays in
healthcheck configs for PostgreSQL, Dragonfly, KeyDB, and ClickHouse.

CMD-SHELL passes the string to /bin/sh -c, allowing command injection
through user-controlled fields (username, password, dbname). CMD
exec-form bypasses the shell entirely — each value is a discrete argv
element.

Fixes GHSA-gvc4-f276-r88p.

Adds regression tests covering semicolon, pipe, backtick, $(),
background operator, redirect, newline, and null-byte injection vectors.
2026-04-20 13:17:15 +02:00
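The difference the commit message describes, as an added example (not Coolify's code): the same user-controlled value is placed once into a string parsed by `sh -c` and once into its own argv element. The `true` binary stands in for the database probe, and the marker path and payload strings are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not from the Coolify code base.
# The two Docker healthcheck forms being compared (probe command illustrative):
#   ["CMD-SHELL", "pg_isready -U <user> -d <db>"]            one string, run via /bin/sh -c
#   ["CMD", "pg_isready", "-U", "<user>", "-d", "<db>"]      argv array, no shell involved
# Assumption: `true` replaces the real probe so this runs without a DB client.

MARKER="/tmp/healthcheck_marker.$$"   # created only if an injected command runs

# count_injected MODE  ->  prints how many constructed payloads executed a command.
#   MODE=shell : value interpolated into a string handed to sh -c (CMD-SHELL)
#   MODE=exec  : value passed as one discrete argument (CMD exec-form)
count_injected() {
    mode=$1
    hits=0
    nl='
'
    # Constructed usernames, one per metacharacter class named in the commit
    # message (a null byte cannot be held in a shell variable, so it is omitted).
    for user in "x; touch $MARKER;" "x | touch $MARKER;" "\`touch $MARKER\`" \
                "\$(touch $MARKER)" "x & touch $MARKER;" "x > $MARKER" \
                "x${nl}touch $MARKER${nl}"; do
        rm -f "$MARKER"
        if [ "$mode" = shell ]; then
            # The child shell re-parses the whole string, metacharacters included.
            sh -c "true -U $user -d app" >/dev/null 2>&1 || true
        else
            # env exec()s the binary directly; the value stays a single argument.
            env true -U "$user" -d app >/dev/null 2>&1 || true
        fi
        if [ -e "$MARKER" ]; then
            hits=$((hits + 1))
        fi
    done
    rm -f "$MARKER"
    echo "$hits"
}

echo "CMD-SHELL string: $(count_injected shell) of 7 payloads ran a command"
echo "CMD exec-form:    $(count_injected exec) of 7 payloads ran a command"
```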
Application fix(restart): reset restart count when resource is manually stopped 2025-12-27 15:21:19 +01:00
CoolifyTask refactor: simplify remote process chain and harden ActivityMonitor 2026-03-26 13:26:16 +01:00
Database fix(database): prevent command injection in healthcheck via CMD exec-form 2026-04-20 13:17:15 +02:00
Docker chore: prepare for PR 2026-03-10 18:34:37 +01:00
Fortify fix(models): replace forceFill/forceCreate with fill/create and add fillable guards 2026-03-31 13:45:31 +02:00
Proxy feat(proxy): validate stored config matches current proxy type 2026-03-24 21:32:34 +01:00
Server fix(server): exclude persistent resources from container prune 2026-04-19 15:17:47 +02:00
Service fix: add validation and escaping for Docker network names 2026-03-28 12:28:59 +01:00
Shared fix: don't show health status for exited containers 2025-11-24 09:09:37 +01:00
Stripe feat(subscription): add billing interval to price preview 2026-03-27 19:05:13 +01:00
User Changes auto-committed by Conductor 2025-10-16 17:13:47 +02:00