From 5967f48c6b4a225a32d979c8e4b701b4648472d8 Mon Sep 17 00:00:00 2001
From: Mauricio Siu
Date: Tue, 27 Jan 2026 09:56:28 -0600
Subject: [PATCH] feat(wss): add directory validation for WebSocket server log paths
---
 apps/dokploy/server/wss/listen-deployment.ts | 6 ++++++
 apps/dokploy/server/wss/utils.ts | 11 +++++++++++
 2 files changed, 17 insertions(+)
diff --git a/apps/dokploy/server/wss/listen-deployment.ts b/apps/dokploy/server/wss/listen-deployment.ts
index 75ddf7d1d..8aeee2410 100644
--- a/apps/dokploy/server/wss/listen-deployment.ts
+++ b/apps/dokploy/server/wss/listen-deployment.ts
@@ -3,6 +3,7 @@ import type http from "node:http";
 import { findServerById, IS_CLOUD, validateRequest } from "@dokploy/server";
 import { Client } from "ssh2";
 import { WebSocketServer } from "ws";
+import { readValidDirectory } from "./utils";
 export const setupDeploymentLogsWebSocketServer = (
 server: http.Server,
@@ -40,6 +41,11 @@ export const setupDeploymentLogsWebSocketServer = (
 return;
 }
+ if (!readValidDirectory(logPath)) {
+ ws.close(4000, "Invalid log path");
+ return;
+ }
+
 if (!user || !session) {
 ws.close();
 return;
diff --git a/apps/dokploy/server/wss/utils.ts b/apps/dokploy/server/wss/utils.ts
index be2197501..c749fbc51 100644
--- a/apps/dokploy/server/wss/utils.ts
+++ b/apps/dokploy/server/wss/utils.ts
@@ -32,6 +32,17 @@ export const isValidShell = (shell: string): boolean => {
 return allowedShells.includes(shell);
 };
+export const readValidDirectory = (directory: string) => {
+ const { BASE_PATH } = paths();
+
+ const resolvedBase = path.resolve(BASE_PATH);
+ const resolvedDir = path.resolve(directory);
+
+ return (
+ resolvedDir === resolvedBase ||
+ resolvedDir.startsWith(resolvedBase + path.sep)
+ );
+};
 export const getShell = () => {
 if (IS_CLOUD) {
 return "NO_AVAILABLE";
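Review bot: In apps/dokploy/server/wss/listen-deployment.ts the new `if (!readValidDirectory(logPath))` guard restricts where logPath points but not which characters it may contain, since `path.resolve` leaves shell metacharacters untouched. How logPath is consumed is outside this hunk; if it is later placed into a command string (the file imports ssh2's `Client`), it still has to be quoted or passed as a separate argument, and a comment such as `// containment check only; logPath must still be escaped before it reaches a command` would make that explicit. The guard also runs before `if (!user || !session)`, so an unauthenticated client receives the distinguishable 4000 "Invalid log path" close; moving the block below the session check avoids that. The enclosing connection handler starts and ends outside the hunk.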
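Review bot: `readValidDirectory` in apps/dokploy/server/wss/utils.ts is a purely lexical check: `path.resolve` normalises `..` segments but does not follow symlinks, so a link located under BASE_PATH that points elsewhere still passes, and the path is never checked for existence. It also accepts everything under BASE_PATH, including BASE_PATH itself (`resolvedDir === resolvedBase`); if that directory holds more than deployment logs, comparing against a dedicated logs directory would be tighter, though whether `paths()` exposes one is not visible here. Unlike the neighbouring `isValidShell`, the return type is left to inference and the name suggests a read that never happens, so I would annotate it as `(directory: string): boolean` and add `/** Lexical containment test against BASE_PATH; does not resolve symlinks. */` above it.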