fix: enhance security by validating and escaping database names, file paths, and proxy configuration filenames to prevent command injection

app/Livewire/Server/Proxy/NewDynamicConfiguration.php

@@ -41,6 +41,10 @@ class NewDynamicConfiguration extends Component
                 'fileName' => 'required',
                 'value' => 'required',
             ]);
+
+            // Validate filename to prevent command injection
+            validateShellSafePath($this->fileName, 'proxy configuration filename');
+
             if (data_get($this->parameters, 'server_uuid')) {
                 $this->server = Server::ownedByCurrentTeam()->whereUuid(data_get($this->parameters, 'server_uuid'))->first();
             }
@@ -65,8 +69,10 @@ class NewDynamicConfiguration extends Component
             }
             $proxy_path = $this->server->proxyPath();
             $file = "{$proxy_path}/dynamic/{$this->fileName}";
+            $escapedFile = escapeshellarg($file);
+
             if ($this->newFile) {
-                $exists = instant_remote_process(["test -f $file && echo 1 || echo 0"], $this->server);
+                $exists = instant_remote_process(["test -f {$escapedFile} && echo 1 || echo 0"], $this->server);
                 if ($exists == 1) {
                     $this->dispatch('error', 'File already exists');
 
@@ -80,7 +86,7 @@ class NewDynamicConfiguration extends Component
             }
             $base64_value = base64_encode($this->value);
             instant_remote_process([
-                "echo '{$base64_value}' | base64 -d | tee {$file} > /dev/null",
+                "echo '{$base64_value}' | base64 -d | tee {$escapedFile} > /dev/null",
             ], $this->server);
             if ($proxy_type === 'CADDY') {
                 $this->server->reloadCaddy();