fix: improve robustness and security in database restore flows

- Add null checks for server instances in restore events to prevent errors - Escape S3 credentials to prevent command injection vulnerabilities - Fix file upload clearing custom location to prevent UI confusion - Optimize isSafeTmpPath helper by avoiding redundant dirname calls - Remove unnecessary --rm flag from long-running S3 restore container - Prioritize uploaded files over custom location in import logic - Add comprehensive unit tests for restore event null server handling 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-04-17 21:20:29 +00:00 · 2025-11-17 14:13:10 +01:00
parent 94560ea6c7
commit fbdd8e5f03
8 changed files with 166 additions and 19 deletions
--- a/app/Livewire/Project/Database/Import.php
+++ b/app/Livewire/Project/Database/Import.php
@@ -187,22 +187,22 @@ EOD;
        try {
            $this->importRunning = true;
            $this->importCommands = [];
-            if (filled($this->customLocation)) {
-                $backupFileName = '/tmp/restore_'.$this->resource->uuid;
-                $this->importCommands[] = "docker cp {$this->customLocation} {$this->container}:{$backupFileName}";
-                $tmpPath = $backupFileName;
-            } else {
-                $backupFileName = "upload/{$this->resource->uuid}/restore";
-                $path = Storage::path($backupFileName);
-                if (! Storage::exists($backupFileName)) {
-                    $this->dispatch('error', 'The file does not exist or has been deleted.');
+            $backupFileName = "upload/{$this->resource->uuid}/restore";

-                    return;
-                }
+            // Check if an uploaded file exists first (takes priority over custom location)
+            if (Storage::exists($backupFileName)) {
+                $path = Storage::path($backupFileName);
                $tmpPath = '/tmp/'.basename($backupFileName).'_'.$this->resource->uuid;
                instant_scp($path, $tmpPath, $this->server);
                Storage::delete($backupFileName);
                $this->importCommands[] = "docker cp {$tmpPath} {$this->container}:{$tmpPath}";
+            } elseif (filled($this->customLocation)) {
+                $tmpPath = '/tmp/restore_'.$this->resource->uuid;
+                $this->importCommands[] = "docker cp {$this->customLocation} {$this->container}:{$tmpPath}";
+            } else {
+                $this->dispatch('error', 'The file does not exist or has been deleted.');
+
+                return;
            }

            // Copy the restore command to a script file
@@ -383,7 +383,7 @@ EOD;
            $commands[] = "docker rm -f {$containerName} 2>/dev/null || true";

            // 2. Start helper container on the database network
-            $commands[] = "docker run -d --network {$destinationNetwork} --name {$containerName} --rm {$fullImageName} sleep 3600";
+            $commands[] = "docker run -d --network {$destinationNetwork} --name {$containerName} {$fullImageName} sleep 3600";

            // 3. Configure S3 access in helper container
            $escapedEndpoint = escapeshellarg($endpoint);