mirror of
https://github.com/Dokploy/dokploy.git
synced 2026-07-13 01:45:23 +02:00
fix: strip credentials from service-level API responses (#4564)
* fix: strip credentials from service-level API responses
Registry passwords and S3 destination credentials were being returned
in service `.one` tRPC endpoints to any user with service-level read
access. Reported by Nihon Kohden Corporation security team.
- Strip registry `password` from `findApplicationById` via Drizzle `columns: { password: false }`
- Strip destination `accessKey`/`secretAccessKey` from all DB service finders (postgres, mysql, mariadb, mongo, libsql, compose, backup, volume-backups)
- Add `findRegistryByIdWithCredentials` for internal use only
- Builders and upload utils now load registry credentials by ID at execution time
- `createRollback` enriches `fullContext` with registry credentials before persisting to DB so rollback execution has what it needs
- Remove `findApplicationByIdWithCredentials` and `ApplicationNestedWithCredentials` — no longer needed
- Backup execution utils load full destination via `findDestinationById` at runtime instead of reading from the joined relation
* [autofix.ci] apply automated fixes
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
This commit is contained in:
@@ -1,5 +1,8 @@
|
||||
import { findAllDeploymentsByApplicationId } from "@dokploy/server/services/deployment";
|
||||
import type { Registry } from "@dokploy/server/services/registry";
|
||||
import {
|
||||
findRegistryByIdWithCredentials,
|
||||
type Registry,
|
||||
} from "@dokploy/server/services/registry";
|
||||
import { createRollback } from "@dokploy/server/services/rollbacks";
|
||||
import type { ApplicationNested } from "../builders";
|
||||
|
||||
@@ -22,19 +25,19 @@ export const uploadImageRemoteCommand = async (
|
||||
|
||||
const commands: string[] = [];
|
||||
if (registry) {
|
||||
const registryTag = getRegistryTag(registry, imageName);
|
||||
const r = await findRegistryByIdWithCredentials(registry.registryId);
|
||||
const registryTag = getRegistryTag(r, imageName);
|
||||
if (registryTag) {
|
||||
commands.push(`echo "📦 [Enabled Registry Swarm]"`);
|
||||
commands.push(getRegistryCommands(registry, imageName, registryTag));
|
||||
commands.push(getRegistryCommands(r, imageName, registryTag));
|
||||
}
|
||||
}
|
||||
if (buildRegistry) {
|
||||
const buildRegistryTag = getRegistryTag(buildRegistry, imageName);
|
||||
const r = await findRegistryByIdWithCredentials(buildRegistry.registryId);
|
||||
const buildRegistryTag = getRegistryTag(r, imageName);
|
||||
if (buildRegistryTag) {
|
||||
commands.push(`echo "🔑 [Enabled Build Registry]"`);
|
||||
commands.push(
|
||||
getRegistryCommands(buildRegistry, imageName, buildRegistryTag),
|
||||
);
|
||||
commands.push(getRegistryCommands(r, imageName, buildRegistryTag));
|
||||
commands.push(
|
||||
`echo "⚠️ INFO: After the build is finished, you need to wait a few seconds for the server to download the image and run the container."`,
|
||||
);
|
||||
@@ -57,15 +60,13 @@ export const uploadImageRemoteCommand = async (
|
||||
deploymentId: deploymentId,
|
||||
});
|
||||
|
||||
const rollbackRegistryTag = getRegistryTag(
|
||||
rollbackRegistry,
|
||||
rollback?.image || "",
|
||||
const r = await findRegistryByIdWithCredentials(
|
||||
rollbackRegistry.registryId,
|
||||
);
|
||||
const rollbackRegistryTag = getRegistryTag(r, rollback?.image || "");
|
||||
if (rollbackRegistryTag) {
|
||||
commands.push(`echo "🔄 [Enabled Rollback Registry]"`);
|
||||
commands.push(
|
||||
getRegistryCommands(rollbackRegistry, imageName, rollbackRegistryTag),
|
||||
);
|
||||
commands.push(getRegistryCommands(r, imageName, rollbackRegistryTag));
|
||||
}
|
||||
}
|
||||
try {
|
||||
@@ -74,6 +75,7 @@ export const uploadImageRemoteCommand = async (
|
||||
throw error;
|
||||
}
|
||||
};
|
||||
|
||||
/**
|
||||
* Extract the repository name from imageName by taking the last part after '/'
|
||||
* Examples:
|
||||
@@ -117,17 +119,17 @@ const getRegistryCommands = (
|
||||
): string => {
|
||||
return `
|
||||
echo "📦 [Enabled Registry] Uploading image to '${registry.registryType}' | '${registryTag}'" ;
|
||||
echo "${registry.password}" | docker login ${registry.registryUrl} -u '${registry.username}' --password-stdin || {
|
||||
echo "${registry.password}" | docker login ${registry.registryUrl} -u '${registry.username}' --password-stdin || {
|
||||
echo "❌ DockerHub Failed" ;
|
||||
exit 1;
|
||||
}
|
||||
echo "✅ Registry Login Success" ;
|
||||
docker tag ${imageName} ${registryTag} || {
|
||||
docker tag ${imageName} ${registryTag} || {
|
||||
echo "❌ Error tagging image" ;
|
||||
exit 1;
|
||||
}
|
||||
echo "✅ Image Tagged" ;
|
||||
docker push ${registryTag} || {
|
||||
docker push ${registryTag} || {
|
||||
echo "❌ Error pushing image" ;
|
||||
exit 1;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user