coolify/app
Andras Bacsai a1c30cb0e7 fix(git-ref-validation): prevent command injection via git references
Add validateGitRef() helper function that uses an allowlist approach to prevent
OS command injection through git commit SHAs, branch names, and tags. Only allows
alphanumeric characters, dots, hyphens, underscores, and slashes.

Changes include:
- Add validateGitRef() helper in bootstrap/helpers/shared.php
- Apply validation in Rollback component when accepting rollback commit
- Add regex validation to git commit SHA fields in Livewire components
- Apply regex validation to API rules for git_commit_sha
- Use escapeshellarg() in git log and git checkout commands
- Add comprehensive unit tests covering injection payloads

Addresses GHSA-mw5w-2vvh-mgf4
2026-03-10 22:22:48 +01:00
Actions chore: prepare for PR 2026-03-10 18:32:19 +01:00
Console feat(jobs): optimize async job dispatches and enhance Stripe subscription sync 2026-02-28 13:18:44 +01:00
Contracts
Data feat(proxy): add Traefik version tracking with notifications and dismissible UI warnings 2025-11-18 14:53:49 +01:00
Enums
Events Make proxy restart run as background job to prevent localhost lockout 2025-12-03 10:30:12 +01:00
Exceptions feat(api): Improve OpenAPI spec and add rate limit handling for Hetzner 2025-12-11 12:12:43 +01:00
Helpers chore: prepare for PR 2026-03-03 11:51:38 +01:00
Http Fix/wrong destinations api (#8646) 2026-03-05 16:32:09 +01:00
Jobs fix(git-ref-validation): prevent command injection via git references 2026-03-10 22:22:48 +01:00
Listeners fix(proxy): defer UI refresh until Traefik version check completes 2025-12-27 15:16:58 +01:00
Livewire fix(git-ref-validation): prevent command injection via git references 2026-03-10 22:22:48 +01:00
Models fix(git-ref-validation): prevent command injection via git references 2026-03-10 22:22:48 +01:00
Notifications Fix: Allow test emails to be sent to any email address 2025-12-12 11:12:19 +01:00
Policies chore: prepare for PR 2026-02-25 11:18:46 +01:00
Providers Remove webhook maintenance mode replay feature 2025-12-02 13:36:32 +01:00
Repositories
Rules fix(server): handle limit edge case and IPv6 allowlist dedupe 2026-03-03 17:03:46 +01:00
Services feat(scheduler): add pagination to skipped jobs and filter manager start events 2026-02-28 16:23:58 +01:00
Support fix(validation): add @, / and & support to names and descriptions 2026-01-19 18:50:56 +01:00
Traits refactor(ssh-retry): remove Sentry tracking from retry logic 2026-02-15 14:14:23 +01:00
View/Components feat: add availableSharedVariables method and enhance env-var-input component for better password handling 2025-11-27 10:23:46 +01:00