refactor: improve path validation in Traefik configuration schema

- Enhanced the `apiReadTraefikConfig` schema by reintroducing path validation logic to prevent directory traversal attacks and unauthorized access.
- The validation now includes checks for null bytes and ensures paths start with a defined main Traefik path, improving security and robustness.

These changes strengthen the integrity of the configuration handling by ensuring only valid paths are accepted.
Mauricio Siu
2026-06-06 13:54:58 -06:00
parent aa545ec71c
commit 705ca54ccc


@@ -1,3 +1,4 @@
import { paths } from "@dokploy/server/constants";
import { relations, sql } from "drizzle-orm"; import { relations, sql } from "drizzle-orm";
import { import {
boolean, boolean,
@@ -172,29 +173,31 @@ export const apiModifyTraefikConfig = z.object({
serverId: z.string().optional(), serverId: z.string().optional(),
}); });
export const apiReadTraefikConfig = z.object({ export const apiReadTraefikConfig = z.object({
path: z.string().min(1), path: z
// .refine( .string()
// (path) => { .min(1)
// // Prevent directory traversal attacks .refine(
// if (path.includes("../") || path.includes("..\\")) { (path) => {
// return false; // Prevent directory traversal attacks
// } if (path.includes("../") || path.includes("..\\")) {
return false;
}
// const { MAIN_TRAEFIK_PATH } = paths(); const { MAIN_TRAEFIK_PATH } = paths();
// if (path.startsWith("/") && !path.startsWith(MAIN_TRAEFIK_PATH)) { if (path.startsWith("/") && !path.startsWith(MAIN_TRAEFIK_PATH)) {
// return false; return false;
// } }
// // Prevent null bytes and other dangerous characters // Prevent null bytes and other dangerous characters
// if (path.includes("\0") || path.includes("\x00")) { if (path.includes("\0") || path.includes("\x00")) {
// return false; return false;
// } }
// return true; return true;
// }, },
// { {
// message: message:
// "Invalid path: path traversal or unauthorized directory access detected", "Invalid path: path traversal or unauthorized directory access detected",
// }, },
// ), ),
serverId: z.string().optional(), serverId: z.string().optional(),
}); });
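Review bot: The base-directory test inside the `.refine()` callback of `apiReadTraefikConfig` is a bare string-prefix match, so an absolute path in a sibling directory whose name merely begins with the same characters as `MAIN_TRAEFIK_PATH` passes; anchor it on a separator, e.g. `if (path.startsWith("/") && path !== MAIN_TRAEFIK_PATH && !path.startsWith(MAIN_TRAEFIK_PATH + "/")) return false;`. The traversal check matches only the substrings `../` and `..\`, so a trailing bare `..` segment is not rejected; `if (path.split(/[\\/]/).includes("..")) return false;` rejects any `..` segment. Relative paths skip the base check entirely, so containment for them depends on how the consumer resolves the value, which is not visible in this hunk; ideally the handler resolves the path and re-checks it against the base before reading. Separately, `"\0"` and `"\x00"` are the same character, so the second `includes` is redundant.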