From 2e03cf3d4803b7904f66187cc4327cae549e8422 Mon Sep 17 00:00:00 2001
From: Mauricio Siu
Date: Tue, 10 Mar 2026 00:55:01 -0600
Subject: [PATCH] refactor: implement safe URL validation for whitelabeling settings in both client and server schemas

---
 .../whitelabeling/whitelabeling-settings.tsx | 16 +++++++----
 .../src/db/schema/web-server-settings.ts | 17 +++++++----
 .../verification/send-verification-email.tsx | 28 +------------------
 3 files changed, 24 insertions(+), 37 deletions(-)

diff --git a/apps/dokploy/components/proprietary/whitelabeling/whitelabeling-settings.tsx b/apps/dokploy/components/proprietary/whitelabeling/whitelabeling-settings.tsx
index f754a7352..c9d2ed7e7 100644
--- a/apps/dokploy/components/proprietary/whitelabeling/whitelabeling-settings.tsx
+++ b/apps/dokploy/components/proprietary/whitelabeling/whitelabeling-settings.tsx
@@ -30,15 +30,21 @@ import { Textarea } from "@/components/ui/textarea";
 import { api } from "@/utils/api";
 import { WhitelabelingPreview } from "./whitelabeling-preview";
 
+const safeUrlField = z
+	.string()
+	.refine((val) => val === "" || /^https?:\/\//i.test(val), {
+		message: "Only http:// and https:// URLs are allowed",
+	});
+
 const formSchema = z.object({
 	appName: z.string(),
 	appDescription: z.string(),
-	logoUrl: z.string(),
-	faviconUrl: z.string(),
+	logoUrl: safeUrlField,
+	faviconUrl: safeUrlField,
 	customCss: z.string(),
-	loginLogoUrl: z.string(),
-	supportUrl: z.string(),
-	docsUrl: z.string(),
+	loginLogoUrl: safeUrlField,
+	supportUrl: safeUrlField,
+	docsUrl: safeUrlField,
 	errorPageTitle: z.string(),
 	errorPageDescription: z.string(),
 	metaTitle: z.string(),
diff --git a/packages/server/src/db/schema/web-server-settings.ts b/packages/server/src/db/schema/web-server-settings.ts
index 7bd99ab94..dd4e80dbb 100644
--- a/packages/server/src/db/schema/web-server-settings.ts
+++ b/packages/server/src/db/schema/web-server-settings.ts
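Review bot: `safeUrlField` accepts the empty string, but the server-side `safeUrl` in the web-server-settings.ts hunk accepts only null or an http(s) URL, so a cleared form field submitted as `""` would presumably be rejected with the same "Only http:// and https:// URLs are allowed" message unless the submit path maps `""` to null, which is outside this hunk. Either let the server refine accept the empty string as well, `.refine((url) => url === "" || /^https?:\/\//i.test(url), {`, or normalise `""` to null on the client before submitting so both schemas agree on what an unset field looks like. This applies to both schema hunks; the `formSchema` object continues past the end of this hunk.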
@@ -187,16 +187,23 @@ export const apiUpdateDockerCleanup = z.object({
 });
 
 // Whitelabeling validation schemas
+const safeUrl = z
+	.string()
+	.refine((url) => /^https?:\/\//i.test(url), {
+		message: "Only http:// and https:// URLs are allowed",
+	})
+	.nullable();
+
 export const whitelabelingConfigSchema = z.object({
 	appName: z.string().nullable(),
 	appDescription: z.string().nullable(),
-	logoUrl: z.string().nullable(),
-	faviconUrl: z.string().nullable(),
+	logoUrl: safeUrl,
+	faviconUrl: safeUrl,
 	primaryColor: z.string().nullable(),
 	customCss: z.string().nullable(),
-	loginLogoUrl: z.string().nullable(),
-	supportUrl: z.string().nullable(),
-	docsUrl: z.string().nullable(),
+	loginLogoUrl: safeUrl,
+	supportUrl: safeUrl,
+	docsUrl: safeUrl,
 	errorPageTitle: z.string().nullable(),
 	errorPageDescription: z.string().nullable(),
 	metaTitle: z.string().nullable(),
diff --git a/packages/server/src/verification/send-verification-email.tsx b/packages/server/src/verification/send-verification-email.tsx
index c673c0f77..d38c2cdfc 100644
--- a/packages/server/src/verification/send-verification-email.tsx
+++ b/packages/server/src/verification/send-verification-email.tsx
@@ -1,7 +1,4 @@
-import {
-	sendDiscordNotification,
-	sendEmailNotification,
-} from "../utils/notifications/utils";
+import { sendEmailNotification } from "../utils/notifications/utils";
 export const sendEmail = async ({
 	email,
 	subject,
@@ -26,26 +23,3 @@ export const sendEmail = async ({
 
 	return true;
 };
-
-export const sendDiscordNotificationWelcome = async (email: string) => {
-	await sendDiscordNotification(
-		{
-			webhookUrl: process.env.DISCORD_WEBHOOK_URL || "",
-		},
-		{
-			title: "New User Registered",
-			color: 0x00ff00,
-			fields: [
-				{
-					name: "Email",
-					value: email,
-					inline: true,
-				},
-			],
-			timestamp: new Date(),
-			footer: {
-				text: "Dokploy User Registration Notification",
-			},
-		},
-	);
-};
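Review bot: The `safeUrl` refine only tests that the string begins with `http://` or `https://`, so values such as `https://` alone or a URL with embedded whitespace pass this server-side check, which is the authoritative one since the client schema can be bypassed. Parsing with the `URL` constructor and checking `protocol` keeps the scheme restriction while rejecting malformed input, and putting that helper where the client can import it would remove the duplicated regex. A short comment on `safeUrl` stating why only http(s) is allowed (these values are presumably rendered as `href`/`src` attributes, where a browser would interpret other schemes) would help the next maintainer; the error message can stay as it is. `whitelabelingConfigSchema` continues past the end of the hunk.
```typescript
// Accept only absolute http(s) URLs; other schemes are rejected because the
// values end up in link/image attributes (confirm against the UI).
const isHttpUrl = (url: string): boolean => {
	try {
		const { protocol } = new URL(url);
		return protocol === "http:" || protocol === "https:";
	} catch {
		return false;
	}
};

const safeUrl = z
	.string()
	.refine(isHttpUrl, {
		message: "Only http:// and https:// URLs are allowed",
	})
	.nullable();
// … unchanged: whitelabelingConfigSchema …
```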