fix: enhance validation for database names and filenames to prevent command injection

Andras Bacsai
2025-11-27 14:51:23 +01:00
parent 0073d045fb
commit 281a706231
2 changed files with 17 additions and 2 deletions


@@ -25,6 +25,11 @@ class DynamicConfigurationNavbar extends Component
$this->authorize('update', $this->server);
$proxy_path = $this->server->proxyPath();
$proxy_type = $this->server->proxyType();
// Decode filename: pipes are used to encode dots for Livewire property binding
// (e.g., 'my|service.yaml' -> 'my.service.yaml')
// This must happen BEFORE validation because validateShellSafePath() correctly
// rejects pipe characters as dangerous shell metacharacters
$file = str_replace('|', '.', $fileName);
// Validate filename to prevent command injection