From 61cf426615a4aa095b150362526aa52f2d1ea115 Mon Sep 17 00:00:00 2001 From: Mauricio Siu <47042324+Siumauricio@users.noreply.github.com> Date: Sun, 22 Jun 2025 23:56:13 -0600 Subject: [PATCH 1/3] feat(user-access): implement access control for user information retrieval - Added checks to deny access if the user is not found in the organization. - Implemented authorization logic to allow access only for users requesting their own information or users with owner role in the same organization. --- apps/dokploy/server/api/routers/user.ts | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/apps/dokploy/server/api/routers/user.ts b/apps/dokploy/server/api/routers/user.ts index b2277399b..3ac91dc03 100644 --- a/apps/dokploy/server/api/routers/user.ts +++ b/apps/dokploy/server/api/routers/user.ts @@ -75,6 +75,24 @@ export const userRouter = createTRPCRouter({ }, }); + // If user not found in the organization, deny access + if (!memberResult) { + throw new TRPCError({ + code: "NOT_FOUND", + message: "User not found in this organization", + }); + } + + // Allow access if: + // 1. User is requesting their own information + // 2. User has owner role (admin permissions) AND user is in the same organization + if (memberResult.userId !== ctx.user.id && ctx.user.role !== "owner") { + throw new TRPCError({ + code: "UNAUTHORIZED", + message: "You are not authorized to access this user", + }); + } + return memberResult; }), get: protectedProcedure.query(async ({ ctx }) => { From e42f6bc61050cd438726921fced64477cbf8f8e6 Mon Sep 17 00:00:00 2001 From: Mauricio Siu <47042324+Siumauricio@users.noreply.github.com> Date: Sun, 22 Jun 2025 23:57:02 -0600 Subject: [PATCH 2/3] feat(user-validation): enhance path validation in Traefik config - Added refined validation for the 'path' field to prevent directory traversal attacks and unauthorized access. - Implemented checks for null bytes and ensured paths start with the MAIN_TRAEFIK_PATH constant. --- apps/dokploy/server/api/routers/settings.ts | 9 +++++++ packages/server/src/db/schema/user.ts | 27 ++++++++++++++++++++- 2 files changed, 35 insertions(+), 1 deletion(-) diff --git a/apps/dokploy/server/api/routers/settings.ts b/apps/dokploy/server/api/routers/settings.ts index 149af7046..6d091ec5b 100644 --- a/apps/dokploy/server/api/routers/settings.ts +++ b/apps/dokploy/server/api/routers/settings.ts @@ -459,6 +459,15 @@ export const settingsRouter = createTRPCRouter({ throw new TRPCError({ code: "UNAUTHORIZED" }); } } + + if (input.serverId) { + const server = await findServerById(input.serverId); + + if (server.organizationId !== ctx.session?.activeOrganizationId) { + throw new TRPCError({ code: "UNAUTHORIZED" }); + } + } + return readConfigInPath(input.path, input.serverId); }), getIp: protectedProcedure.query(async ({ ctx }) => { diff --git a/packages/server/src/db/schema/user.ts b/packages/server/src/db/schema/user.ts index 139daa3c8..8f4de12eb 100644 --- a/packages/server/src/db/schema/user.ts +++ b/packages/server/src/db/schema/user.ts @@ -15,6 +15,7 @@ import { backups } from "./backups"; import { projects } from "./project"; import { schedules } from "./schedule"; import { certificateType } from "./shared"; +import { paths } from "@dokploy/server/constants"; /** * This is an example of how to use the multi-project schema feature of Drizzle ORM. Use the same * database instance for multiple projects. @@ -236,7 +237,31 @@ export const apiModifyTraefikConfig = z.object({ serverId: z.string().optional(), }); export const apiReadTraefikConfig = z.object({ - path: z.string().min(1), + path: z + .string() + .min(1) + .refine( + (path) => { + // Prevent directory traversal attacks + if (path.includes("../") || path.includes("..\\")) { + return false; + } + + const { MAIN_TRAEFIK_PATH } = paths(); + if (path.startsWith("/") && !path.startsWith(MAIN_TRAEFIK_PATH)) { + return false; + } + // Prevent null bytes and other dangerous characters + if (path.includes("\0") || path.includes("\x00")) { + return false; + } + return true; + }, + { + message: + "Invalid path: path traversal or unauthorized directory access detected", + }, + ), serverId: z.string().optional(), }); From fb5d2bd5b67322f1468e5e4d0d5abcf97517761c Mon Sep 17 00:00:00 2001 From: Mauricio Siu <47042324+Siumauricio@users.noreply.github.com> Date: Sun, 22 Jun 2025 23:57:12 -0600 Subject: [PATCH 3/3] feat(docker-swarm): implement server authorization checks and input validation - Added server authorization checks to ensure users can only access resources for their organization. - Enhanced input validation for container and app names using regex to prevent invalid entries. - Updated multiple query procedures in both docker and swarm routers to include these checks and validations. --- apps/dokploy/server/api/routers/docker.ts | 70 +++++++++++++++++++---- apps/dokploy/server/api/routers/swarm.ts | 37 ++++++++++-- 2 files changed, 90 insertions(+), 17 deletions(-) diff --git a/apps/dokploy/server/api/routers/docker.ts b/apps/dokploy/server/api/routers/docker.ts index 3de59058c..72dbb40a9 100644 --- a/apps/dokploy/server/api/routers/docker.ts +++ b/apps/dokploy/server/api/routers/docker.ts @@ -1,5 +1,6 @@ import { containerRestart, + findServerById, getConfig, getContainers, getContainersByAppLabel, @@ -9,6 +10,9 @@ import { } from "@dokploy/server"; import { z } from "zod"; import { createTRPCRouter, protectedProcedure } from "../trpc"; +import { TRPCError } from "@trpc/server"; + +export const containerIdRegex = /^[a-zA-Z0-9.\-_]+$/; export const dockerRouter = createTRPCRouter({ getContainers: protectedProcedure @@ -17,14 +21,23 @@ export const dockerRouter = createTRPCRouter({ serverId: z.string().optional(), }), ) - .query(async ({ input }) => { + .query(async ({ input, ctx }) => { + if (input.serverId) { + const server = await findServerById(input.serverId); + if (server.organizationId !== ctx.session?.activeOrganizationId) { + throw new TRPCError({ code: "UNAUTHORIZED" }); + } + } return await getContainers(input.serverId); }), restartContainer: protectedProcedure .input( z.object({ - containerId: z.string().min(1), + containerId: z + .string() + .min(1) + .regex(containerIdRegex, "Invalid container id."), }), ) .mutation(async ({ input }) => { @@ -34,11 +47,20 @@ export const dockerRouter = createTRPCRouter({ getConfig: protectedProcedure .input( z.object({ - containerId: z.string().min(1), + containerId: z + .string() + .min(1) + .regex(containerIdRegex, "Invalid container id."), serverId: z.string().optional(), }), ) - .query(async ({ input }) => { + .query(async ({ input, ctx }) => { + if (input.serverId) { + const server = await findServerById(input.serverId); + if (server.organizationId !== ctx.session?.activeOrganizationId) { + throw new TRPCError({ code: "UNAUTHORIZED" }); + } + } return await getConfig(input.containerId, input.serverId); }), @@ -48,11 +70,17 @@ export const dockerRouter = createTRPCRouter({ appType: z .union([z.literal("stack"), z.literal("docker-compose")]) .optional(), - appName: z.string().min(1), + appName: z.string().min(1).regex(containerIdRegex, "Invalid app name."), serverId: z.string().optional(), }), ) - .query(async ({ input }) => { + .query(async ({ input, ctx }) => { + if (input.serverId) { + const server = await findServerById(input.serverId); + if (server.organizationId !== ctx.session?.activeOrganizationId) { + throw new TRPCError({ code: "UNAUTHORIZED" }); + } + } return await getContainersByAppNameMatch( input.appName, input.appType, @@ -63,12 +91,18 @@ export const dockerRouter = createTRPCRouter({ getContainersByAppLabel: protectedProcedure .input( z.object({ - appName: z.string().min(1), + appName: z.string().min(1).regex(containerIdRegex, "Invalid app name."), serverId: z.string().optional(), type: z.enum(["standalone", "swarm"]), }), ) - .query(async ({ input }) => { + .query(async ({ input, ctx }) => { + if (input.serverId) { + const server = await findServerById(input.serverId); + if (server.organizationId !== ctx.session?.activeOrganizationId) { + throw new TRPCError({ code: "UNAUTHORIZED" }); + } + } return await getContainersByAppLabel( input.appName, input.type, @@ -79,22 +113,34 @@ export const dockerRouter = createTRPCRouter({ getStackContainersByAppName: protectedProcedure .input( z.object({ - appName: z.string().min(1), + appName: z.string().min(1).regex(containerIdRegex, "Invalid app name."), serverId: z.string().optional(), }), ) - .query(async ({ input }) => { + .query(async ({ input, ctx }) => { + if (input.serverId) { + const server = await findServerById(input.serverId); + if (server.organizationId !== ctx.session?.activeOrganizationId) { + throw new TRPCError({ code: "UNAUTHORIZED" }); + } + } return await getStackContainersByAppName(input.appName, input.serverId); }), getServiceContainersByAppName: protectedProcedure .input( z.object({ - appName: z.string().min(1), + appName: z.string().min(1).regex(containerIdRegex, "Invalid app name."), serverId: z.string().optional(), }), ) - .query(async ({ input }) => { + .query(async ({ input, ctx }) => { + if (input.serverId) { + const server = await findServerById(input.serverId); + if (server.organizationId !== ctx.session?.activeOrganizationId) { + throw new TRPCError({ code: "UNAUTHORIZED" }); + } + } return await getServiceContainersByAppName(input.appName, input.serverId); }), }); diff --git a/apps/dokploy/server/api/routers/swarm.ts b/apps/dokploy/server/api/routers/swarm.ts index c5a2d4c82..735ddf96e 100644 --- a/apps/dokploy/server/api/routers/swarm.ts +++ b/apps/dokploy/server/api/routers/swarm.ts @@ -6,6 +6,9 @@ import { } from "@dokploy/server"; import { z } from "zod"; import { createTRPCRouter, protectedProcedure } from "../trpc"; +import { TRPCError } from "@trpc/server"; +import { findServerById } from "@dokploy/server"; +import { containerIdRegex } from "./docker"; export const swarmRouter = createTRPCRouter({ getNodes: protectedProcedure @@ -14,12 +17,24 @@ export const swarmRouter = createTRPCRouter({ serverId: z.string().optional(), }), ) - .query(async ({ input }) => { + .query(async ({ input, ctx }) => { + if (input.serverId) { + const server = await findServerById(input.serverId); + if (server.organizationId !== ctx.session?.activeOrganizationId) { + throw new TRPCError({ code: "UNAUTHORIZED" }); + } + } return await getSwarmNodes(input.serverId); }), getNodeInfo: protectedProcedure .input(z.object({ nodeId: z.string(), serverId: z.string().optional() })) - .query(async ({ input }) => { + .query(async ({ input, ctx }) => { + if (input.serverId) { + const server = await findServerById(input.serverId); + if (server.organizationId !== ctx.session?.activeOrganizationId) { + throw new TRPCError({ code: "UNAUTHORIZED" }); + } + } return await getNodeInfo(input.nodeId, input.serverId); }), getNodeApps: protectedProcedure @@ -28,17 +43,29 @@ export const swarmRouter = createTRPCRouter({ serverId: z.string().optional(), }), ) - .query(async ({ input }) => { + .query(async ({ input, ctx }) => { + if (input.serverId) { + const server = await findServerById(input.serverId); + if (server.organizationId !== ctx.session?.activeOrganizationId) { + throw new TRPCError({ code: "UNAUTHORIZED" }); + } + } return getNodeApplications(input.serverId); }), getAppInfos: protectedProcedure .input( z.object({ - appName: z.string(), + appName: z.string().min(1).regex(containerIdRegex, "Invalid app name."), serverId: z.string().optional(), }), ) - .query(async ({ input }) => { + .query(async ({ input, ctx }) => { + if (input.serverId) { + const server = await findServerById(input.serverId); + if (server.organizationId !== ctx.session?.activeOrganizationId) { + throw new TRPCError({ code: "UNAUTHORIZED" }); + } + } return await getApplicationInfo(input.appName, input.serverId); }), });