Commit Graph
14807 Commits
Author SHA1 Message Date
Andras BacsaiandGitHub 0256043ca5 fix(modal): make confirmation modal close after dispatching Livewire actions (#8892) 2026-03-11 06:48:10 +01:00
Andras Bacsai 88f582225b chore: prepare for PR 2026-03-11 06:47:38 +01:00
Andras BacsaiandGitHub 497b2b64ca fix: Build-time environment variables break Next.js (#8890) 2026-03-11 06:47:18 +01:00
Andras BacsaiandGitHub eb8752c202 Merge branch 'next' into 8873-investigate-bug 2026-03-11 06:46:09 +01:00
Andras BacsaiandGitHub 96b35bd2d8 fix: prevent command injection and fix developer view shared variables error (#8889) 2026-03-11 06:42:12 +01:00
Andras Bacsai 7aa744af90 chore: prepare for PR 2026-03-11 06:38:40 +01:00
Andras Bacsai 5cac559602 chore: prepare for PR 2026-03-11 06:36:12 +01:00
Andras Bacsai d9cdbc6096 Merge remote-tracking branch 'origin/next' into next 2026-03-10 23:17:39 +01:00
Andras BacsaiandGitHub dc34d21cda build(deps): bump league/commonmark from 2.8.0 to 2.8.1 (#8793) 2026-03-10 22:59:02 +01:00
Andras BacsaiandGitHub 1edb2acdbf build(deps): bump rollup from 4.57.1 to 4.59.0 (#8691) 2026-03-10 22:58:36 +01:00
Andras Bacsai d174724bf6 Merge branch 'ghsa-mw5w-2vvh-mgf4-investigation' 2026-03-10 22:22:51 +01:00
Andras Bacsai fcd574e1eb fix(log-drain): prevent command injection by base64-encoding environment variables
Replace direct shell interpolation of environment values with base64 encoding
to prevent command injection attacks. Environment configuration is now built as
a single string, base64-encoded, then decoded to file atomically.

Also add regex validation to restrict environment field values to safe
characters (alphanumeric, underscore, hyphen, dot) at the application layer.

Fixes GHSA-3xm2-hqg8-4m2p
2026-03-10 22:22:51 +01:00
Andras Bacsai a1c30cb0e7 fix(git-ref-validation): prevent command injection via git references
Add validateGitRef() helper function that uses an allowlist approach to prevent
OS command injection through git commit SHAs, branch names, and tags. Only allows
alphanumeric characters, dots, hyphens, underscores, and slashes.

Changes include:
- Add validateGitRef() helper in bootstrap/helpers/shared.php
- Apply validation in Rollback component when accepting rollback commit
- Add regex validation to git commit SHA fields in Livewire components
- Apply regex validation to API rules for git_commit_sha
- Use escapeshellarg() in git log and git checkout commands
- Add comprehensive unit tests covering injection payloads

Addresses GHSA-mw5w-2vvh-mgf4
2026-03-10 22:22:48 +01:00
Andras Bacsai 096d4369e5 fix(sentinel): add token validation to prevent command injection
Add validation to ensure sentinel tokens contain only safe characters
(alphanumeric, dots, hyphens, underscores, plus, forward slash, equals),
preventing OS command injection vulnerabilities when tokens are
interpolated into shell commands.

- Add ServerSetting::isValidSentinelToken() validation method
- Validate tokens in StartSentinel action and metrics queries
- Improve shell argument escaping with escapeshellarg()
- Add comprehensive test coverage for token validation
2026-03-10 22:19:19 +01:00
Andras Bacsai 6fbb5e626a Squashed commit from '565g-9j4m-wqmr-cross-team-idor-logs-fix' 2026-03-10 22:11:52 +01:00
Andras Bacsai c15bcd5634 fix(api): require write permission for validation endpoints
Validation operations should require write permissions as they trigger
state-changing actions. Updated middleware for:
- POST /api/v1/cloud-tokens/{uuid}/validate
- GET /api/v1/servers/{uuid}/validate

Added tests to verify read-only tokens cannot access these endpoints.
2026-03-10 22:11:52 +01:00
Andras BacsaiandGitHub 633b1803e1 fix(docker): prevent false container exits on failed docker queries (#8860) 2026-03-10 21:59:47 +01:00
Andras Bacsai 458f048c4e fix(push-server): track last_online_at and reset database restart state
- Update last_online_at timestamp when resource status is confirmed active
- Reset restart_count, last_restart_at, and last_restart_type when marking database as exited
- Remove unused updateServiceSubStatus() method
2026-03-10 21:46:26 +01:00
Andras Bacsai 0a1782175a Merge remote-tracking branch 'origin/next' into 8826-investigate-postgresql-restart 2026-03-10 21:46:03 +01:00
Andras BacsaiandGitHub a3e59e5c96 fix(docker-cleanup): respect keep for rollback setting for Nixpacks build images (#8859) 2026-03-10 21:42:45 +01:00
Andras Bacsai d6ac8de6b7 Merge remote-tracking branch 'origin/next' into 8765-investigate-docker-cleanup-keep 2026-03-10 21:41:25 +01:00
Andras Bacsai 473371e7ed chore(realtime): upgrade coolify-realtime to 1.0.11 2026-03-10 21:14:30 +01:00
Andras Bacsai b71d1561f3 chore(realtime): upgrade npm dependencies
Update dependencies in coolify-realtime package:
- @xterm/addon-fit 0.10.0 → 0.11.0
- @xterm/xterm 5.5.0 → 6.0.0
- axios 1.12.0 → 1.13.6
- cookie 1.0.2 → 1.1.1
- dotenv 16.5.0 → 17.3.1
- node-pty 1.0.0 → 1.1.0 (now uses node-addon-api instead of nan)
- ws 8.18.1 → 8.19.0
2026-03-10 21:07:14 +01:00
Andras BacsaiandGitHub d46c2c8152 fix(terminal): resolve WebSocket connection and host authorization issues (#8862) 2026-03-10 20:57:14 +01:00
Andras Bacsai 1d3dfe4dc8 chore(version): bump coolify, realtime, and sentinel versions 2026-03-10 20:40:49 +01:00
Andras Bacsai 5c5f67f48b chore: prepare for PR 2026-03-10 20:37:22 +01:00
Andras Bacsai e41dbde46b chore: prepare for PR 2026-03-10 18:34:37 +01:00
Andras Bacsai 9702543e20 chore: prepare for PR 2026-03-10 18:32:19 +01:00
Andras BacsaiandGitHub 201998638a fix(env-parser): capture clean variable names without trailing braces in bash-style defaults (#8855) 2026-03-10 18:06:51 +01:00
Andras Bacsai 0679e91c85 fix(parser): use firstOrCreate instead of updateOrCreate for environment variables
Prevent unnecessary updates to existing environment variable records.
The previous implementation would update matching records, but the intent
is to retrieve or create the record without modifying existing ones.
2026-03-10 18:06:01 +01:00
Andras Bacsai a362282976 chore: prepare for PR 2026-03-10 17:37:13 +01:00
Andras Bacsai 872e300cf9 fix(subscription): use optional chaining for preview object access
Add optional chaining operator (?.) to all preview property accesses in the
subscription actions view to prevent potential null reference errors when the
preview object is undefined.
2026-03-10 17:14:08 +01:00
Andras Bacsai 470cc15e62 feat(jobs): implement encrypted queue jobs
- Add ShouldBeEncrypted interface to all queue jobs to encrypt sensitive
  job payloads
- Configure explicit retry policies for messaging jobs (5 attempts,
  10-second backoff)
2026-03-10 14:05:05 +01:00
Andras BacsaiandGitHub 6bcae50e49 fix(database): close confirmation modal after database import/restore (#8697) 2026-03-10 10:38:22 +01:00
Andras Bacsai db55c8160a Merge remote-tracking branch 'origin/next' into fix/database-import-modal-not-closing-v2 2026-03-10 10:38:10 +01:00
Andras BacsaiandGitHub 60dfadf036 feat: add configurable proxy timeout for public database TCP proxy (#8673) 2026-03-10 10:08:35 +01:00
Andras Bacsai 27e2680d70 Merge remote-tracking branch 'origin/next' into fix/configurable-proxy-timeout 2026-03-10 10:01:46 +01:00
Andras BacsaiandGitHub 65d61a4af3 fix(proxy): mounting error for nginx.conf in dev (#8662) 2026-03-10 10:01:33 +01:00
Andras Bacsai b5151815c1 Merge remote-tracking branch 'origin/next' into fix/dev-dbproxy 2026-03-10 10:01:14 +01:00
Andras Bacsai 184fbb98f3 fix(proxy): add validation and normalization for database proxy timeout
- Extract proxy timeout configuration logic into dedicated method
- Add min:1 validation rule for publicPortTimeout
- Normalize invalid timeout values (null, 0, negative) to default 3600s
- Add tests for timeout configuration normalization and validation
2026-03-10 09:59:19 +01:00
Andras BacsaiandGitHub a5367408d0 fix(docker-compose): respect preserveRepository setting when executing start command (#8848) 2026-03-10 09:45:43 +01:00
Andras BacsaiandGitHub 574f849778 fix: enable preview deployment page for deploy key applications (#8579) 2026-03-10 09:45:24 +01:00
Andras Bacsai 19d1662fac Merge remote-tracking branch 'origin/next' into fix/preview-deployments-invisible 2026-03-10 09:44:31 +01:00
Andras Bacsai e3daba0b1d chore: prepare for PR 2026-03-10 09:43:29 +01:00
Andras Bacsai 5b701ebb07 refactor(application-source): use Laravel helpers for null checks
Replace is_null() and !is_null() with blank() and filled() helper functions
for better readability and Laravel idiomatic style.
2026-03-09 17:23:34 +01:00
Andras Bacsai 01aa534556 fix(application-source): support localhost key with id=0
Previously, the view checked $privateKeyId with ! operator, which
incorrectly treats 0 (localhost key) as falsy. Changed to explicit
is_null() checks to distinguish between null (no key) and 0 (localhost).
Added test coverage for both cases.
2026-03-09 17:20:33 +01:00
dependabot[bot]andGitHub ee03fa2fb3 build(deps): bump league/commonmark from 2.8.0 to 2.8.1
Bumps [league/commonmark](https://github.com/thephpleague/commonmark) from 2.8.0 to 2.8.1.
- [Release notes](https://github.com/thephpleague/commonmark/releases)
- [Changelog](https://github.com/thephpleague/commonmark/blob/2.8/CHANGELOG.md)
- [Commits](https://github.com/thephpleague/commonmark/compare/2.8.0...2.8.1)

---
updated-dependencies:
- dependency-name: league/commonmark
  dependency-version: 2.8.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-03-07 03:01:56 +00:00
Andras Bacsai 7bee8a5668 Merge remote-tracking branch 'origin/next' into fix/database-import-modal-not-closing-v2 2026-03-06 08:04:07 +01:00
Andras Bacsai 4615cfd007 Merge remote-tracking branch 'origin/next' into fix/configurable-proxy-timeout 2026-03-06 08:04:07 +01:00
Andras Bacsai 31caef990d Merge remote-tracking branch 'origin/next' into fix/dev-dbproxy 2026-03-06 08:04:06 +01:00