From b9e97eb321358145d6aed0bad67d3ac789ae69c4 Mon Sep 17 00:00:00 2001
From: Mauricio Siu
Date: Sat, 9 May 2026 00:57:12 -0600
Subject: [PATCH] feat(validation): enhance destination path validation in file upload schema

- Updated the `destinationPath` field in the upload file schema to include a regex validation, ensuring only alphanumeric characters, dots, dashes, underscores, and forward slashes are allowed.
- Added a corresponding regex check in the `uploadFileToContainer` function to validate the destination path before processing, improving input integrity and preventing errors.
---
 apps/dokploy/utils/schema.ts | 8 +++++++-
 packages/server/src/services/docker.ts | 7 ++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/apps/dokploy/utils/schema.ts b/apps/dokploy/utils/schema.ts
index addbbc344..3d2c75188 100644
--- a/apps/dokploy/utils/schema.ts
+++ b/apps/dokploy/utils/schema.ts
@@ -28,7 +28,13 @@ export const uploadFileToContainerSchema = zfd.formData({
 .min(1)
 .regex(/^[a-zA-Z0-9.\-_]+$/, "Invalid container ID"),
 file: zfd.file(),
- destinationPath: z.string().min(1),
+ destinationPath: z
+ .string()
+ .min(1)
+ .regex(
+ /^[a-zA-Z0-9.\-_/]+$/,
+ "Invalid destination path: only alphanumeric characters, dots, dashes, underscores, and forward slashes are allowed",
+ ),
 serverId: z.string().optional(),
 });
 
diff --git a/packages/server/src/services/docker.ts b/packages/server/src/services/docker.ts
index e49adbb94..902041c53 100644
--- a/packages/server/src/services/docker.ts
+++ b/packages/server/src/services/docker.ts
@@ -655,6 +655,8 @@ export const getAllContainerStats = async (serverId?: string) => {
 }
 };
 
+const destinationPathRegex = /^[a-zA-Z0-9.\-_/]+$/;
+
 export const uploadFileToContainer = async (
 containerId: string,
 fileBuffer: Buffer,
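Review bot: The pattern `/^[a-zA-Z0-9.\-_/]+$/` on `destinationPath` in apps/dokploy/utils/schema.ts is a second hand-written copy of the `destinationPathRegex` this commit adds in packages/server/src/services/docker.ts, so the two checks can drift apart when only one is edited. If the server package is importable from this file (not visible in the diff), export the constant once and pass it to `.regex(...)`; otherwise add `// Keep in sync with destinationPathRegex in packages/server/src/services/docker.ts`. The server-side check should stay the authoritative one, because schema validation only covers callers that go through this form. The schema object begins before this hunk.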
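Review bot: `destinationPathRegex` in packages/server/src/services/docker.ts is declared without a comment saying it is a security allowlist, which makes it easy for a later change to widen it (for example to accept spaces) without checking how the path is consumed. Suggest `// Allowlist for container destination paths: rejects spaces, quotes, $, ;, | and anything else outside [a-zA-Z0-9._/-]. Review how uploadFileToContainer uses the path before widening.` The pattern still matches `..` segments and empty segments (`//`); whether that matters depends on the rest of `uploadFileToContainer`, which this diff does not show.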
@@ -667,7 +669,10 @@ export const uploadFileToContainer = async (
 throw new Error("Invalid container ID");
 }
 
- // Ensure destination path starts with /
+ if (!destinationPathRegex.test(destinationPath)) {
+ throw new Error("Invalid destination path: shell metacharacters are not allowed");
+ }
+
 const normalizedPath = destinationPath.startsWith("/")
 ? destinationPath
 : `/${destinationPath}`;
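Review bot: The message thrown by the new guard, "shell metacharacters are not allowed", describes only part of what `destinationPathRegex` rejects: a path containing a space or a non-ASCII letter fails the same test and the caller is given a misleading reason. Reuse the schema's wording, `throw new Error("Invalid destination path: only alphanumeric characters, dots, dashes, underscores, and forward slashes are allowed");`. The hunk also deletes `// Ensure destination path starts with /`, which still describes the `normalizedPath` ternary that follows and is worth keeping. `uploadFileToContainer` continues past the end of this hunk, so how `normalizedPath` is consumed is not visible here.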