rosslh/coolify
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
coolify/app
History
Andras Bacsai f254af0459 security: escape all shell directory paths in Git deployment commands 
Ensures all `cd` commands in Git deployment operations use properly escaped
directory paths via `escapeshellarg()` to prevent shell injection vulnerabilities
and handle special characters correctly.

**Changes:**

1. `setGitImportSettings()` method:
   - Added `$escapedBaseDir` variable for consistent path escaping
   - Replaced all 5 instances of `cd {$baseDir}` with `cd {$escapedBaseDir}`
   - Affects: commit checkout, submodules, and LFS operations

2. `generateGitImportCommands()` method (deploy_key type):
   - Replaced 3 instances in pull request handling for GitLab, GitHub/Gitea, Bitbucket

3. `generateGitImportCommands()` method (other type):
   - Replaced 3 instances in pull request handling for GitLab, GitHub/Gitea, Bitbucket

**Security Impact:**
- Prevents shell injection from malicious directory paths
- Fixes parsing issues with special characters (@, ~, spaces)
- Consistent escaping across all deployment types: source, deploy_key, other
- Complements existing URL escaping for comprehensive security

**Testing:**
- All existing unit tests pass (5/5 Git ls-remote parsing tests)
- Code formatted with Laravel Pint

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-14 17:23:28 +02:00
..
Actions fix: prevent container name conflict when updating database port mappings 2025-10-13 10:01:54 +02:00
Console feat: add artisan command to clear global search cache 2025-10-11 13:36:14 +02:00
Contracts refactor: streamline job status retrieval and clean up repository interface 2025-01-10 19:53:13 +01:00
Data Fix styling 2024-06-19 06:59:46 +00:00
Enums Add new role enum and apply authorization 2024-10-28 17:08:24 +01:00
Events work work on hetzner integration 2025-10-09 16:54:13 +02:00
Exceptions feat(exceptions): introduce NonReportableException to handle known errors and update Handler for selective reporting 2025-09-08 09:18:25 +02:00
Helpers feat(ssh-multiplexing): add connection age metadata handling to improve multiplexed connection management 2025-09-10 08:38:36 +02:00
Http Merge pull request #6860 from coollabsio/fix-api-env-vars-fields 2025-10-13 10:45:35 +02:00
Jobs Update app/Jobs/ApplicationDeploymentJob.php 2025-10-14 15:21:38 +02:00
Listeners refactor(proxy): streamline proxy status handling and improve dashboard availability checks 2025-06-11 12:02:39 +02:00
Livewire fix: prevent duplicate services on image change and enable real-time UI refresh 2025-10-14 10:12:36 +02:00
Models security: escape all shell directory paths in Git deployment commands 2025-10-14 17:23:28 +02:00
Notifications Merge pull request #6837 from coollabsio/andrasbacsai/custom-webhooks 2025-10-12 10:57:47 +02:00
Policies feat: add cloud-init script support for Hetzner server creation 2025-10-10 19:37:16 +02:00
Providers fix: register WebhookNotificationSettings with NotificationPolicy 2025-10-10 17:48:14 +02:00
Repositories refactor: streamline job status retrieval and clean up repository interface 2025-01-10 19:53:13 +01:00
Rules feat: add YAML validation for cloud-init scripts 2025-10-11 13:56:55 +02:00
Services debug: add ray logging for Hetzner createServer API request/response 2025-10-11 11:17:44 +02:00
Support feat(validation): centralize validation patterns for names and descriptions 2025-08-19 12:14:48 +02:00
Traits Merge pull request #6837 from coollabsio/andrasbacsai/custom-webhooks 2025-10-12 10:57:47 +02:00
View/Components feat: add support for selecting additional SSH keys from Hetzner in server creation form 2025-10-10 12:17:05 +02:00