coolify/app
Andras Bacsai e1d4b4682e fix: harden TrustHosts middleware and use base_url() for password reset links
- Fix circular cache dependency in TrustHosts where handle() checked cache
  before hosts() could populate it, causing host validation to never activate
- Validate both Host and X-Forwarded-Host headers against trusted hosts list
  (X-Forwarded-Host is checked before TrustProxies applies it to the request)
- Use base_url() instead of url() for password reset link generation so the
  URL is derived from server-side config (FQDN / public IP) instead of the
  request context
- Strip port from X-Forwarded-Host before matching (e.g. host:443 → host)
- Add tests for host validation, cache population, and reset URL generation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-26 18:39:54 +01:00
Actions refactor: simplify remote process chain and harden ActivityMonitor 2026-03-26 13:26:16 +01:00
Console feat(sync): sync install.sh, docker-compose, and env files to GitHub 2026-03-25 07:07:22 +01:00
Contracts refactor: streamline job status retrieval and clean up repository interface 2025-01-10 19:53:13 +01:00
Data refactor: simplify remote process chain and harden ActivityMonitor 2026-03-26 13:26:16 +01:00
Enums Add new role enum and apply authorization 2024-10-28 17:08:24 +01:00
Events Make proxy restart run as background job to prevent localhost lockout 2025-12-03 10:30:12 +01:00
Exceptions feat(api): Improve OpenAPI spec and add rate limit handling for Hetzner 2025-12-11 12:12:43 +01:00
Helpers fix(ssh): handle chmod failures gracefully and simplify key management 2026-03-16 21:27:10 +01:00
Http fix: harden TrustHosts middleware and use base_url() for password reset links 2026-03-26 18:39:54 +01:00
Jobs fix(backup): use escapeshellarg for credentials in database backup commands 2026-03-25 23:43:57 +01:00
Listeners fix(proxy): defer UI refresh until Traefik version check completes 2025-12-27 15:16:58 +01:00
Livewire fix: add URL validation for GitHub source api_url and html_url fields 2026-03-26 13:45:33 +01:00
Models fix(storage): use escapeshellarg for volume names in shell commands 2026-03-26 11:06:30 +01:00
Notifications fix: harden TrustHosts middleware and use base_url() for password reset links 2026-03-26 18:39:54 +01:00
Policies chore: prepare for PR 2026-02-25 11:18:46 +01:00
Providers Remove webhook maintenance mode replay feature 2025-12-02 13:36:32 +01:00
Repositories refactor: streamline job status retrieval and clean up repository interface 2025-01-10 19:53:13 +01:00
Rules fix: add URL validation for GitHub source api_url and html_url fields 2026-03-26 13:45:33 +01:00
Services refactor: remove verbose logging and use explicit exception types 2026-03-20 15:57:26 +01:00
Support fix(storage): use escapeshellarg for volume names in shell commands 2026-03-26 11:06:30 +01:00
Traits feat(deployment): add command_hidden flag to hide command text in logs 2026-03-25 16:48:49 +01:00
View/Components feat: add availableSharedVariables method and enhance env-var-input component for better password handling 2025-11-27 10:23:46 +01:00