refactor: implement safe URL validation for whitelabeling settings in both client and server schemas

2026-06-15 20:25:23 +02:00 · 2026-03-10 00:55:01 -06:00
parent 33532d3cf7
commit 2e03cf3d48
3 changed files with 24 additions and 37 deletions
--- a/apps/dokploy/components/proprietary/whitelabeling/whitelabeling-settings.tsx
+++ b/apps/dokploy/components/proprietary/whitelabeling/whitelabeling-settings.tsx
@@ -30,15 +30,21 @@ import { Textarea } from "@/components/ui/textarea";
 import { api } from "@/utils/api";
 import { WhitelabelingPreview } from "./whitelabeling-preview";

+const safeUrlField = z
+	.string()
+	.refine((val) => val === "" || /^https?:\/\//i.test(val), {
+		message: "Only http:// and https:// URLs are allowed",
+	});
+
 const formSchema = z.object({
 	appName: z.string(),
 	appDescription: z.string(),
-	logoUrl: z.string(),
-	faviconUrl: z.string(),
+	logoUrl: safeUrlField,
+	faviconUrl: safeUrlField,
 	customCss: z.string(),
-	loginLogoUrl: z.string(),
-	supportUrl: z.string(),
-	docsUrl: z.string(),
+	loginLogoUrl: safeUrlField,
+	supportUrl: safeUrlField,
+	docsUrl: safeUrlField,
 	errorPageTitle: z.string(),
 	errorPageDescription: z.string(),
 	metaTitle: z.string(),
--- a/packages/server/src/db/schema/web-server-settings.ts
+++ b/packages/server/src/db/schema/web-server-settings.ts
@@ -187,16 +187,23 @@ export const apiUpdateDockerCleanup = z.object({
 });

 // Whitelabeling validation schemas
+const safeUrl = z
+	.string()
+	.refine((url) => /^https?:\/\//i.test(url), {
+		message: "Only http:// and https:// URLs are allowed",
+	})
+	.nullable();
+
 export const whitelabelingConfigSchema = z.object({
 	appName: z.string().nullable(),
 	appDescription: z.string().nullable(),
-	logoUrl: z.string().nullable(),
-	faviconUrl: z.string().nullable(),
+	logoUrl: safeUrl,
+	faviconUrl: safeUrl,
 	primaryColor: z.string().nullable(),
 	customCss: z.string().nullable(),
-	loginLogoUrl: z.string().nullable(),
-	supportUrl: z.string().nullable(),
-	docsUrl: z.string().nullable(),
+	loginLogoUrl: safeUrl,
+	supportUrl: safeUrl,
+	docsUrl: safeUrl,
 	errorPageTitle: z.string().nullable(),
 	errorPageDescription: z.string().nullable(),
 	metaTitle: z.string().nullable(),
--- a/packages/server/src/verification/send-verification-email.tsx
+++ b/packages/server/src/verification/send-verification-email.tsx
@@ -1,7 +1,4 @@
-import {
-	sendDiscordNotification,
-	sendEmailNotification,
-} from "../utils/notifications/utils";
+import { sendEmailNotification } from "../utils/notifications/utils";
 export const sendEmail = async ({
 	email,
 	subject,
@@ -26,26 +23,3 @@ export const sendEmail = async ({

 	return true;
 };
-
-export const sendDiscordNotificationWelcome = async (email: string) => {
-	await sendDiscordNotification(
-		{
-			webhookUrl: process.env.DISCORD_WEBHOOK_URL || "",
-		},
-		{
-			title: "New User Registered",
-			color: 0x00ff00,
-			fields: [
-				{
-					name: "Email",
-					value: email,
-					inline: true,
-				},
-			],
-			timestamp: new Date(),
-			footer: {
-				text: "Dokploy User Registration Notification",
-			},
-		},
-	);
-};