coolify/bootstrap/helpers
Andras Bacsai a1c30cb0e7 fix(git-ref-validation): prevent command injection via git references
Add validateGitRef() helper function that uses an allowlist approach to prevent
OS command injection through git commit SHAs, branch names, and tags. Only allows
alphanumeric characters, dots, hyphens, underscores, and slashes.

Changes include:
- Add validateGitRef() helper in bootstrap/helpers/shared.php
- Apply validation in Rollback component when accepting rollback commit
- Add regex validation to git commit SHA fields in Livewire components
- Apply regex validation to API rules for git_commit_sha
- Use escapeshellarg() in git log and git checkout commands
- Add comprehensive unit tests covering injection payloads

Addresses GHSA-mw5w-2vvh-mgf4
2026-03-10 22:22:48 +01:00
api.php fix(git-ref-validation): prevent command injection via git references 2026-03-10 22:22:48 +01:00
applications.php chore: prepare for PR 2026-02-25 11:18:46 +01:00
constants.php fix(template): make databasus connect to predefined network 2025-12-28 21:30:01 +08:00
databases.php fix: handle redis_password in API database creation 2025-10-24 18:04:30 +02:00
docker.php chore: prepare for PR 2026-03-01 18:49:40 +01:00
domains.php fix(api): include docker_compose_domains in domain conflict check 2026-01-14 15:22:43 +01:00
github.php feat(github): implement processing for GitHub pull request webhooks and add helper functions for commit and PR file retrieval 2026-01-05 11:13:18 +01:00
notifications.php refactor(configuration): centralize configuration management in ConfigurationRepository 2025-03-24 21:01:27 +01:00
parsers.php fix(parser): use firstOrCreate instead of updateOrCreate for environment variables 2026-03-10 18:06:01 +01:00
proxy.php fix(proxy): remove ipv6 cidr network remediation 2026-03-04 11:36:52 +01:00
remoteProcess.php feat(logs): Add loading indicator to download all logs buttons 2026-01-02 12:04:17 +01:00
services.php chore: prepare for PR 2026-03-10 17:37:13 +01:00
shared.php fix(git-ref-validation): prevent command injection via git references 2026-03-10 22:22:48 +01:00
socialite.php refactor(dashboard): remove deployment loading logic and introduce DeploymentsIndicator component for better UI management 2025-09-30 11:43:30 +02:00
subscriptions.php chore: prepare for PR 2026-02-24 10:17:16 +01:00
sudo.php fix: add additional bash keywords to prevent sudo prefix in command parsing 2025-11-27 10:51:59 +01:00
timezone.php refactor: improve data formatting and UI 2025-01-15 18:35:20 +01:00
versions.php refactor(proxy): implement centralized caching for versions.json and improve UX 2025-11-18 14:53:49 +01:00