Dokploy/dokploy
1
0
Fork 0
mirror of https://github.com/Dokploy/dokploy.git synced 2026-06-16 04:35:24 +02:00
Code Issues Packages Projects Releases Wiki Activity

fix: prevent to pass invalid docker container names

Browse Source
This commit is contained in:
Mauricio Siu
2026-01-26 16:37:15 +02:00
parent 84fa805acc
commit 7362cc49d2
5 changed files with 132 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
apps/dokploy/server/wss/docker-container-logs.ts
View File

@@ -1,5 +1,5 @@
import type http from "node:http";
import { findServerById, validateRequest } from "@dokploy/server";
import { findServerById, IS_CLOUD, validateRequest } from "@dokploy/server";
import { spawn } from "node-pty";
import { Client } from "ssh2";
import { WebSocketServer } from "ws";
@@ -111,6 +111,11 @@ export const setupDockerContainerLogsWebSocketServer = (
client.end();
});
} else {
if (IS_CLOUD) {
ws.send("This feature is not available in the cloud version.");
ws.close();
return;
}
const shell = getShell();
const baseCommand = `docker ${runType === "swarm" ? "service" : "container"} logs --timestamps ${
runType === "swarm" ? "--raw" : ""

129
apps/dokploy/server/wss/docker-container-terminal.ts
View File

@@ -1,9 +1,9 @@
import type http from "node:http";
import { findServerById, validateRequest } from "@dokploy/server";
import { findServerById, IS_CLOUD, validateRequest } from "@dokploy/server";
import { spawn } from "node-pty";
import { Client } from "ssh2";
import { WebSocketServer } from "ws";
import { getShell } from "./utils";
import { getShell, isValidContainerId, isValidShell } from "./utils";
export const setupDockerContainerTerminalWebSocketServer = (
server: http.Server<typeof http.IncomingMessage, typeof http.ServerResponse>,
@@ -39,6 +39,26 @@ export const setupDockerContainerTerminalWebSocketServer = (
return;
}
if (!containerId) {
ws.close(4000, "containerId not provided");
return;
}
// Security: Validate containerId to prevent command injection
if (!isValidContainerId(containerId)) {
ws.close(4000, "Invalid container ID format");
return;
}
// Security: Validate shell to prevent command injection
if (activeWay && !isValidShell(activeWay)) {
ws.close(4000, "Invalid shell specified");
return;
}
// Default to 'sh' if no shell specified
const shell = activeWay || "sh";
if (!user || !session) {
ws.close();
return;
@@ -54,55 +74,61 @@ export const setupDockerContainerTerminalWebSocketServer = (
let _stderr = "";
conn
.once("ready", () => {
conn.exec(
`docker exec -it -w / ${containerId} ${activeWay}`,
{ pty: true },
(err, stream) => {
if (err) {
console.error("SSH exec error:", err);
ws.close();
// Use array-style arguments to prevent shell injection
const dockerCommand = [
"docker",
"exec",
"-it",
"-w",
"/",
containerId,
shell,
].join(" ");
conn.exec(dockerCommand, { pty: true }, (err, stream) => {
if (err) {
console.error("SSH exec error:", err);
ws.close();
conn.end();
return;
}
stream
.on("close", (code: number, _signal: string) => {
ws.send(`\nContainer closed with code: ${code}\n`);
conn.end();
return;
}
})
.on("data", (data: string) => {
_stdout += data.toString();
ws.send(data.toString());
})
.stderr.on("data", (data) => {
_stderr += data.toString();
ws.send(data.toString());
console.error("Error: ", data.toString());
});
stream
.on("close", (code: number, _signal: string) => {
ws.send(`\nContainer closed with code: ${code}\n`);
conn.end();
})
.on("data", (data: string) => {
_stdout += data.toString();
ws.send(data.toString());
})
.stderr.on("data", (data) => {
_stderr += data.toString();
ws.send(data.toString());
console.error("Error: ", data.toString());
});
ws.on("message", (message) => {
try {
let command: string | Buffer[] | Buffer | ArrayBuffer;
if (Buffer.isBuffer(message)) {
command = message.toString("utf8");
} else {
command = message;
}
stream.write(command.toString());
} catch (error) {
// @ts-ignore
const errorMessage = error?.message as unknown as string;
ws.send(errorMessage);
ws.on("message", (message) => {
try {
let command: string | Buffer[] | Buffer | ArrayBuffer;
if (Buffer.isBuffer(message)) {
command = message.toString("utf8");
} else {
command = message;
}
});
stream.write(command.toString());
} catch (error) {
// @ts-ignore
const errorMessage = error?.message as unknown as string;
ws.send(errorMessage);
}
});
ws.on("close", () => {
stream.end();
// Ensure SSH connection is closed when WebSocket closes
conn.end();
});
},
);
ws.on("close", () => {
stream.end();
// Ensure SSH connection is closed when WebSocket closes
conn.end();
});
});
})
.on("error", (err) => {
console.error("SSH connection error:", err);
@@ -119,10 +145,15 @@ export const setupDockerContainerTerminalWebSocketServer = (
privateKey: server.sshKey?.privateKey,
});
} else {
if (IS_CLOUD) {
ws.send("This feature is not available in the cloud version.");
ws.close();
return;
}
const shell = getShell();
const ptyProcess = spawn(
shell,
["-c", `docker exec -it -w / ${containerId} ${activeWay}`],
"docker",
["exec", "-it", "-w", "/", containerId, shell],
{},
);

7
apps/dokploy/server/wss/docker-stats.ts
View File

@@ -4,6 +4,7 @@ import {
execAsync,
getHostSystemStats,
getLastAdvancedStatsFile,
IS_CLOUD,
recordAdvancedStats,
validateRequest,
} from "@dokploy/server";
@@ -32,6 +33,12 @@ export const setupDockerStatsMonitoringSocketServer = (
wssTerm.on("connection", async (ws, req) => {
const url = new URL(req.url || "", `http://${req.headers.host}`);
if (IS_CLOUD) {
ws.send("This feature is not available in the cloud version.");
ws.close();
return;
}
const appName = url.searchParams.get("appName");
const appType = (url.searchParams.get("appType") || "application") as
| "application"

7
apps/dokploy/server/wss/listen-deployment.ts
View File

@@ -1,6 +1,6 @@
import { spawn } from "node:child_process";
import type http from "node:http";
import { findServerById, validateRequest } from "@dokploy/server";
import { findServerById, IS_CLOUD, validateRequest } from "@dokploy/server";
import { Client } from "ssh2";
import { WebSocketServer } from "ws";
@@ -108,6 +108,11 @@ export const setupDeploymentLogsWebSocketServer = (
}
});
} else {
if (IS_CLOUD) {
ws.send("This feature is not available in the cloud version.");
ws.close();
return;
}
tailProcess = spawn("tail", ["-n", "+1", "-f", logPath]);
const stdout = tailProcess.stdout;

34
apps/dokploy/server/wss/utils.ts
View File

@@ -1,9 +1,41 @@
import fs from "node:fs";
import os from "node:os";
import path from "node:path";
import { execAsync, paths } from "@dokploy/server";
import { execAsync, IS_CLOUD, paths } from "@dokploy/server";
/**
* Validates that the container ID matches Docker's expected format.
* Docker container IDs are 64-character hex strings (or 12-char short form).
* Also allows container names: alphanumeric, underscores, hyphens, and dots.
*/
export const isValidContainerId = (id: string): boolean => {
// Match full ID (64 hex chars), short ID (12 hex chars), or container name
const hexPattern = /^[a-f0-9]{12,64}$/i;
const namePattern = /^[a-zA-Z0-9][a-zA-Z0-9_.-]*$/;
return hexPattern.test(id) || (namePattern.test(id) && id.length <= 128);
};
/**
* Validates that the shell is one of the allowed shells.
*/
export const isValidShell = (shell: string): boolean => {
const allowedShells = [
"sh",
"bash",
"zsh",
"ash",
"/bin/sh",
"/bin/bash",
"/bin/zsh",
"/bin/ash",
];
return allowedShells.includes(shell);
};
export const getShell = () => {
if (IS_CLOUD) {
return "CLOUD_VERSION";
}
switch (os.platform()) {
case "win32":
return "powershell.exe";