coolify/app
Andras Bacsai fcd574e1eb fix(log-drain): prevent command injection by base64-encoding environment variables
Replace direct shell interpolation of environment values with base64 encoding
to prevent command injection attacks. Environment configuration is now built as
a single string, base64-encoded, then decoded to file atomically.

Also add regex validation to restrict environment field values to safe
characters (alphanumeric, underscore, hyphen, dot) at the application layer.

Fixes GHSA-3xm2-hqg8-4m2p
2026-03-10 22:22:51 +01:00
Actions fix(log-drain): prevent command injection by base64-encoding environment variables 2026-03-10 22:22:51 +01:00
Console feat(jobs): optimize async job dispatches and enhance Stripe subscription sync 2026-02-28 13:18:44 +01:00
Contracts
Data feat(proxy): add Traefik version tracking with notifications and dismissible UI warnings 2025-11-18 14:53:49 +01:00
Enums
Events Make proxy restart run as background job to prevent localhost lockout 2025-12-03 10:30:12 +01:00
Exceptions feat(api): Improve OpenAPI spec and add rate limit handling for Hetzner 2025-12-11 12:12:43 +01:00
Helpers chore: prepare for PR 2026-03-03 11:51:38 +01:00
Http Fix/wrong destinations api (#8646) 2026-03-05 16:32:09 +01:00
Jobs fix(push-server): track last_online_at and reset database restart state 2026-03-10 21:46:26 +01:00
Listeners fix(proxy): defer UI refresh until Traefik version check completes 2025-12-27 15:16:58 +01:00
Livewire fix(log-drain): prevent command injection by base64-encoding environment variables 2026-03-10 22:22:51 +01:00
Models fix(sentinel): add token validation to prevent command injection 2026-03-10 22:19:19 +01:00
Notifications Fix: Allow test emails to be sent to any email address 2025-12-12 11:12:19 +01:00
Policies chore: prepare for PR 2026-02-25 11:18:46 +01:00
Providers Remove webhook maintenance mode replay feature 2025-12-02 13:36:32 +01:00
Repositories
Rules fix(server): handle limit edge case and IPv6 allowlist dedupe 2026-03-03 17:03:46 +01:00
Services feat(scheduler): add pagination to skipped jobs and filter manager start events 2026-02-28 16:23:58 +01:00
Support fix(validation): add @, / and & support to names and descriptions 2026-01-19 18:50:56 +01:00
Traits fix(sentinel): add token validation to prevent command injection 2026-03-10 22:19:19 +01:00
View/Components feat: add availableSharedVariables method and enhance env-var-input component for better password handling 2025-11-27 10:23:46 +01:00