coolify/bootstrap/helpers
Andras Bacsai cb1f571eb4 fix: prevent command injection in Docker Compose parsing - add pre-save validation
This commit addresses a critical security issue where malicious Docker Compose
data was being saved to the database before validation occurred.

Problem:
- Service models were saved to database first
- Validation ran afterwards during parse()
- Malicious data persisted even when validation failed
- User saw error but damage was already done

Solution:
1. Created validateDockerComposeForInjection() to validate YAML before save
2. Added pre-save validation to all Service creation/update points:
   - Livewire: DockerCompose.php, StackForm.php
   - API: ServicesController.php (create, update, one-click)
3. Validates service names and volume paths (string + array formats)
4. Blocks shell metacharacters: backticks, $(), |, ;, &, >, <, newlines

Security fixes:
- Volume source paths (string format) - validated before save
- Volume source paths (array format) - validated before save
- Service names - validated before save
- Environment variable patterns - safe ${VAR} allowed, ${VAR:-$(cmd)} blocked

Testing:
- 60 security tests pass (176 assertions)
- PreSaveValidationTest.php: 15 tests for pre-save validation
- ValidateShellSafePathTest.php: 15 tests for core validation
- VolumeSecurityTest.php: 15 tests for volume parsing
- ServiceNameSecurityTest.php: 15 tests for service names

Related commits:
- Previous: Added validation during parse() phase
- This commit: Moves validation before database save

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-16 09:51:37 +02:00
api.php feat(domains): add force_domain_override option and enhance domain conflict detection responses 2025-08-28 11:21:30 +02:00
applications.php refactor(clone): enhance application cloning by separating production and preview environment variable handling 2025-09-11 12:52:35 +02:00
constants.php update bitnami to bitnamilegacy 2025-10-03 15:48:11 +01:00
databases.php feat(backup): enhance backup job with S3 upload handling and notifications 2025-10-07 15:02:23 +02:00
docker.php Changes auto-committed by Conductor 2025-10-16 08:51:15 +02:00
domains.php feat(domains): add force_domain_override option and enhance domain conflict detection responses 2025-08-28 11:21:30 +02:00
github.php refactor(github): enhance API request handling and validation 2025-09-22 15:41:56 +02:00
notifications.php refactor(configuration): centralize configuration management in ConfigurationRepository 2025-03-24 21:01:27 +01:00
parsers.php fix: prevent command injection in Docker Compose parsing - add pre-save validation 2025-10-16 09:51:37 +02:00
proxy.php feat(proxy): enhance proxy configuration regeneration by extracting custom commands 2025-10-07 11:11:13 +02:00
remoteProcess.php refactor(remoteProcess): remove redundant file transfer functions for improved clarity 2025-09-22 12:54:37 +02:00
services.php Revert "refactor(file-transfer): replace base64 encoding with direct file transfer method in various components for improved clarity and efficiency" 2025-09-15 17:56:48 +02:00
shared.php fix: prevent command injection in Docker Compose parsing - add pre-save validation 2025-10-16 09:51:37 +02:00
socialite.php refactor(dashboard): remove deployment loading logic and introduce DeploymentsIndicator component for better UI management 2025-09-30 11:43:30 +02:00
subscriptions.php feat(email): implement email change request and verification process 2025-08-18 14:54:08 +02:00
sudo.php feat(sudo-helper): add helper functions for command parsing and ownership management with sudo 2025-09-09 09:00:42 +02:00
timezone.php refactor: improve data formatting and UI 2025-01-15 18:35:20 +01:00