Andras Bacsai 64753b4136 fix(database): prevent command injection in healthcheck via CMD exec-form ...

Replace CMD-SHELL string interpolation with CMD exec-form arrays in
healthcheck configs for PostgreSQL, Dragonfly, KeyDB, and ClickHouse.

CMD-SHELL passes the string to /bin/sh -c, allowing command injection
through user-controlled fields (username, password, dbname). CMD
exec-form bypasses the shell entirely — each value is a discrete argv
element.

Fixes GHSA-gvc4-f276-r88p.

Adds regression tests covering semicolon, pipe, backtick, $(),
background operator, redirect, newline, and null-byte injection vectors.

2026-04-20 13:17:15 +02:00

..

Browser

test: add dashboard test and improve browser test coverage

2026-02-11 16:37:40 +01:00

Feature

refactor(cli): validate --date and escape shell args on logs:scheduled

2026-04-20 12:09:48 +02:00

Traits

test: setup database for upcoming tests

2024-12-04 12:43:52 +01:00

Unit

fix(database): prevent command injection in healthcheck via CMD exec-form

2026-04-20 13:17:15 +02:00

v4

fix(models): replace forceFill/forceCreate with fill/create and add fillable guards

2026-03-31 13:45:31 +02:00

CreatesApplication.php

Fix styling

2024-06-10 20:43:34 +00:00

DuskTestCase.php

Refactor DuskTestCase.php to use a hardcoded base URL

2024-10-17 21:26:06 +02:00

Pest.php

test: add Pest browser testing with SQLite :memory: schema

2026-02-11 15:25:47 +01:00

TestCase.php

…