tiennm99/coolify
1
0
Fork 0
mirror of https://github.com/tiennm99/coolify.git synced 2026-04-17 23:20:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: enhance security by validating and escaping database names, file paths, and proxy configuration filenames to prevent command injection

Browse Source
This commit is contained in:
Andras Bacsai
2025-11-27 14:36:31 +01:00
parent e60e74ac90
commit 0073d045fb
11 changed files with 439 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
app/Livewire/Server/Proxy/DynamicConfigurationNavbar.php
View File

@@ -26,12 +26,19 @@ class DynamicConfigurationNavbar extends Component
$proxy_path = $this->server->proxyPath();
$proxy_type = $this->server->proxyType();
$file = str_replace('|', '.', $fileName);
// Validate filename to prevent command injection
validateShellSafePath($file, 'proxy configuration filename');
if ($proxy_type === 'CADDY' && $file === 'Caddyfile') {
$this->dispatch('error', 'Cannot delete Caddyfile.');
return;
}
instant_remote_process(["rm -f {$proxy_path}/dynamic/{$file}"], $this->server);
$fullPath = "{$proxy_path}/dynamic/{$file}";
$escapedPath = escapeshellarg($fullPath);
instant_remote_process(["rm -f {$escapedPath}"], $this->server);
if ($proxy_type === 'CADDY') {
$this->server->reloadCaddy();
}