diff --git a/apps/dokploy/server/api/routers/settings.ts b/apps/dokploy/server/api/routers/settings.ts index 149af7046..6d091ec5b 100644 --- a/apps/dokploy/server/api/routers/settings.ts +++ b/apps/dokploy/server/api/routers/settings.ts @@ -459,6 +459,15 @@ export const settingsRouter = createTRPCRouter({ throw new TRPCError({ code: "UNAUTHORIZED" }); } } + + if (input.serverId) { + const server = await findServerById(input.serverId); + + if (server.organizationId !== ctx.session?.activeOrganizationId) { + throw new TRPCError({ code: "UNAUTHORIZED" }); + } + } + return readConfigInPath(input.path, input.serverId); }), getIp: protectedProcedure.query(async ({ ctx }) => { diff --git a/packages/server/src/db/schema/user.ts b/packages/server/src/db/schema/user.ts index 139daa3c8..8f4de12eb 100644 --- a/packages/server/src/db/schema/user.ts +++ b/packages/server/src/db/schema/user.ts @@ -15,6 +15,7 @@ import { backups } from "./backups"; import { projects } from "./project"; import { schedules } from "./schedule"; import { certificateType } from "./shared"; +import { paths } from "@dokploy/server/constants"; /** * This is an example of how to use the multi-project schema feature of Drizzle ORM. Use the same * database instance for multiple projects. @@ -236,7 +237,31 @@ export const apiModifyTraefikConfig = z.object({ serverId: z.string().optional(), }); export const apiReadTraefikConfig = z.object({ - path: z.string().min(1), + path: z + .string() + .min(1) + .refine( + (path) => { + // Prevent directory traversal attacks + if (path.includes("../") || path.includes("..\\")) { + return false; + } + + const { MAIN_TRAEFIK_PATH } = paths(); + if (path.startsWith("/") && !path.startsWith(MAIN_TRAEFIK_PATH)) { + return false; + } + // Prevent null bytes and other dangerous characters + if (path.includes("\0") || path.includes("\x00")) { + return false; + } + return true; + }, + { + message: + "Invalid path: path traversal or unauthorized directory access detected", + }, + ), serverId: z.string().optional(), });