mirror of
https://github.com/coollabsio/coolify.git
synced 2026-03-11 08:55:47 +00:00
This commit addresses a critical security issue where malicious Docker Compose
data was being saved to the database before validation occurred.
Problem:
- Service models were saved to database first
- Validation ran afterwards during parse()
- Malicious data persisted even when validation failed
- User saw error but damage was already done
Solution:
1. Created validateDockerComposeForInjection() to validate YAML before save
2. Added pre-save validation to all Service creation/update points:
- Livewire: DockerCompose.php, StackForm.php
- API: ServicesController.php (create, update, one-click)
3. Validates service names and volume paths (string + array formats)
4. Blocks shell metacharacters: backticks, $(), |, ;, &, >, <, newlines
Security fixes:
- Volume source paths (string format) - validated before save
- Volume source paths (array format) - validated before save
- Service names - validated before save
- Environment variable patterns - safe ${VAR} allowed, ${VAR:-$(cmd)} blocked
Testing:
- 60 security tests pass (176 assertions)
- PreSaveValidationTest.php: 15 tests for pre-save validation
- ValidateShellSafePathTest.php: 15 tests for core validation
- VolumeSecurityTest.php: 15 tests for volume parsing
- ServiceNameSecurityTest.php: 15 tests for service names
Related commits:
- Previous: Added validation during parse() phase
- This commit: Moves validation before database save
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
|
||
|---|---|---|
| .. | ||
| Rules | ||
| ApplicationGitSecurityTest.php | ||
| ApplicationWatchPathsTest.php | ||
| BashEnvEscapingTest.php | ||
| CloudInitScriptValidationTest.php | ||
| DatalistComponentTest.php | ||
| DockerComposeLabelParsingTest.php | ||
| DockerImageAutoParseTest.php | ||
| DockerImageParserTest.php | ||
| GitLsRemoteParsingTest.php | ||
| GlobalSearchNewImageQuickActionTest.php | ||
| HetznerDeletionFailedNotificationTest.php | ||
| HetznerSshKeysTest.php | ||
| ParseDockerVolumeStringTest.php | ||
| PreSaveValidationTest.php | ||
| PrivateKeyStorageTest.php | ||
| ProxyCustomCommandsTest.php | ||
| ServiceConfigurationRefreshTest.php | ||
| ServiceNameSecurityTest.php | ||
| ServiceParserImageUpdateTest.php | ||
| SshRetryMechanismTest.php | ||
| ValidateShellSafePathTest.php | ||
| ValidGitRepositoryUrlTest.php | ||
| ValidHostnameTest.php | ||
| VolumeArrayFormatSecurityTest.php | ||
| VolumeSecurityTest.php | ||