Dokploy/dokploy
1
0
Fork 0
mirror of https://github.com/Dokploy/dokploy.git synced 2026-06-15 20:25:23 +02:00
Code Issues Packages Projects Releases Wiki Activity

feat(wss): add directory validation for WebSocket server log paths

Browse Source
This commit is contained in:
Mauricio Siu
2026-01-27 09:56:28 -06:00
parent 24c1c2a377
commit 5967f48c6b
2 changed files with 17 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
apps/dokploy/server/wss/listen-deployment.ts
View File

@@ -3,6 +3,7 @@ import type http from "node:http";
import { findServerById, IS_CLOUD, validateRequest } from "@dokploy/server";
import { Client } from "ssh2";
import { WebSocketServer } from "ws";
import { readValidDirectory } from "./utils";
export const setupDeploymentLogsWebSocketServer = (
server: http.Server<typeof http.IncomingMessage, typeof http.ServerResponse>,
@@ -40,6 +41,11 @@ export const setupDeploymentLogsWebSocketServer = (
return;
}
if (!readValidDirectory(logPath)) {
ws.close(4000, "Invalid log path");
return;
}
if (!user || !session) {
ws.close();
return;

11
apps/dokploy/server/wss/utils.ts
View File

@@ -32,6 +32,17 @@ export const isValidShell = (shell: string): boolean => {
return allowedShells.includes(shell);
};
export const readValidDirectory = (directory: string) => {
const { BASE_PATH } = paths();
const resolvedBase = path.resolve(BASE_PATH);
const resolvedDir = path.resolve(directory);
return (
resolvedDir === resolvedBase ||
resolvedDir.startsWith(resolvedBase + path.sep)
);
};
export const getShell = () => {
if (IS_CLOUD) {
return "NO_AVAILABLE";