feat(validation): enhance destination path validation in file upload schema

- Updated the `destinationPath` field in the upload file schema to include a regex validation, ensuring only alphanumeric characters, dots, dashes, underscores, and forward slashes are allowed.
- Added a corresponding regex check in the `uploadFileToContainer` function to validate the destination path before processing, improving input integrity and preventing errors.

apps/dokploy/utils/schema.ts

@@ -28,7 +28,13 @@ export const uploadFileToContainerSchema = zfd.formData({
 		.min(1)
 		.regex(/^[a-zA-Z0-9.\-_]+$/, "Invalid container ID"),
 	file: zfd.file(),
-	destinationPath: z.string().min(1),
+	destinationPath: z
+		.string()
+		.min(1)
+		.regex(
+			/^[a-zA-Z0-9.\-_/]+$/,
+			"Invalid destination path: only alphanumeric characters, dots, dashes, underscores, and forward slashes are allowed",
+		),
 	serverId: z.string().optional(),
 });
 

packages/server/src/services/docker.ts

@@ -655,6 +655,8 @@ export const getAllContainerStats = async (serverId?: string) => {
 	}
 };
 
+const destinationPathRegex = /^[a-zA-Z0-9.\-_/]+$/;
+
 export const uploadFileToContainer = async (
 	containerId: string,
 	fileBuffer: Buffer,
@@ -667,7 +669,10 @@ export const uploadFileToContainer = async (
 		throw new Error("Invalid container ID");
 	}
 
-	// Ensure destination path starts with /
+	if (!destinationPathRegex.test(destinationPath)) {
+		throw new Error("Invalid destination path: shell metacharacters are not allowed");
+	}
+
 	const normalizedPath = destinationPath.startsWith("/")
 		? destinationPath
 		: `/${destinationPath}`;