cb1f571eb4
This commit addresses a critical security issue where malicious Docker Compose
data was being saved to the database before validation occurred.
Problem:
- Service models were saved to database first
- Validation ran afterwards during parse()
- Malicious data persisted even when validation failed
- User saw error but damage was already done
Solution:
1. Created validateDockerComposeForInjection() to validate YAML before save
2. Added pre-save validation to all Service creation/update points:
- Livewire: DockerCompose.php, StackForm.php
- API: ServicesController.php (create, update, one-click)
3. Validates service names and volume paths (string + array formats)
4. Blocks shell metacharacters: backticks, $(), |, ;, &, >, <, newlines
Security fixes:
- Volume source paths (string format) - validated before save
- Volume source paths (array format) - validated before save
- Service names - validated before save
- Environment variable patterns - safe ${VAR} allowed, ${VAR:-$(cmd)} blocked
Testing:
- 60 security tests pass (176 assertions)
- PreSaveValidationTest.php: 15 tests for pre-save validation
- ValidateShellSafePathTest.php: 15 tests for core validation
- VolumeSecurityTest.php: 15 tests for volume parsing
- ServiceNameSecurityTest.php: 15 tests for service names
Related commits:
- Previous: Added validation during parse() phase
- This commit: Moves validation before database save
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
131 lines
4.5 KiB
PHP
131 lines
4.5 KiB
PHP
<?php
|
|
|
|
namespace App\Livewire\Project\Service;
|
|
|
|
use App\Models\Service;
|
|
use App\Support\ValidationPatterns;
|
|
use Illuminate\Support\Collection;
|
|
use Livewire\Component;
|
|
|
|
class StackForm extends Component
|
|
{
|
|
public Service $service;
|
|
|
|
public Collection $fields;
|
|
|
|
protected $listeners = ['saveCompose'];
|
|
|
|
protected function rules(): array
|
|
{
|
|
$baseRules = [
|
|
'service.docker_compose_raw' => 'required',
|
|
'service.docker_compose' => 'required',
|
|
'service.name' => ValidationPatterns::nameRules(),
|
|
'service.description' => ValidationPatterns::descriptionRules(),
|
|
'service.connect_to_docker_network' => 'nullable',
|
|
];
|
|
|
|
// Add dynamic field rules
|
|
foreach ($this->fields ?? collect() as $key => $field) {
|
|
$rules = data_get($field, 'rules', 'nullable');
|
|
$baseRules["fields.$key.value"] = $rules;
|
|
}
|
|
|
|
return $baseRules;
|
|
}
|
|
|
|
protected function messages(): array
|
|
{
|
|
return array_merge(
|
|
ValidationPatterns::combinedMessages(),
|
|
[
|
|
'service.name.required' => 'The Name field is required.',
|
|
'service.name.regex' => 'The Name may only contain letters, numbers, spaces, dashes (-), underscores (_), dots (.), slashes (/), colons (:), and parentheses ().',
|
|
'service.description.regex' => 'The Description contains invalid characters. Only letters, numbers, spaces, and common punctuation (- _ . : / () \' " , ! ? @ # % & + = [] {} | ~ ` *) are allowed.',
|
|
'service.docker_compose_raw.required' => 'The Docker Compose Raw field is required.',
|
|
'service.docker_compose.required' => 'The Docker Compose field is required.',
|
|
]
|
|
);
|
|
}
|
|
|
|
public $validationAttributes = [];
|
|
|
|
public function mount()
|
|
{
|
|
$this->fields = collect([]);
|
|
$extraFields = $this->service->extraFields();
|
|
foreach ($extraFields as $serviceName => $fields) {
|
|
foreach ($fields as $fieldKey => $field) {
|
|
$key = data_get($field, 'key');
|
|
$value = data_get($field, 'value');
|
|
$rules = data_get($field, 'rules', 'nullable');
|
|
$isPassword = data_get($field, 'isPassword', false);
|
|
$customHelper = data_get($field, 'customHelper', false);
|
|
$this->fields->put($key, [
|
|
'serviceName' => $serviceName,
|
|
'key' => $key,
|
|
'name' => $fieldKey,
|
|
'value' => $value,
|
|
'isPassword' => $isPassword,
|
|
'rules' => $rules,
|
|
'customHelper' => $customHelper,
|
|
]);
|
|
|
|
$this->validationAttributes["fields.$key.value"] = $fieldKey;
|
|
}
|
|
}
|
|
$this->fields = $this->fields->groupBy('serviceName')->map(function ($group) {
|
|
return $group->sortBy(function ($field) {
|
|
return data_get($field, 'isPassword') ? 1 : 0;
|
|
})->mapWithKeys(function ($field) {
|
|
return [$field['key'] => $field];
|
|
});
|
|
})->flatMap(function ($group) {
|
|
return $group;
|
|
});
|
|
}
|
|
|
|
public function saveCompose($raw)
|
|
{
|
|
$this->service->docker_compose_raw = $raw;
|
|
$this->submit(notify: true);
|
|
}
|
|
|
|
public function instantSave()
|
|
{
|
|
$this->service->save();
|
|
$this->dispatch('success', 'Service settings saved.');
|
|
}
|
|
|
|
public function submit($notify = true)
|
|
{
|
|
try {
|
|
$this->validate();
|
|
|
|
// Validate for command injection BEFORE saving to database
|
|
validateDockerComposeForInjection($this->service->docker_compose_raw);
|
|
|
|
$this->service->save();
|
|
$this->service->saveExtraFields($this->fields);
|
|
$this->service->parse();
|
|
$this->service->refresh();
|
|
$this->service->saveComposeConfigs();
|
|
$this->dispatch('refreshEnvs');
|
|
$this->dispatch('refreshServices');
|
|
$notify && $this->dispatch('success', 'Service saved.');
|
|
} catch (\Throwable $e) {
|
|
return handleError($e, $this);
|
|
} finally {
|
|
if (is_null($this->service->config_hash)) {
|
|
$this->service->isConfigurationChanged(true);
|
|
} else {
|
|
$this->dispatch('configurationChanged');
|
|
}
|
|
}
|
|
}
|
|
|
|
public function render()
|
|
{
|
|
return view('livewire.project.service.stack-form');
|
|
}
|
|
}
|