feat(validation): add branch name validation across provider schemas

- Introduced a regex validation for branch names in Bitbucket, Git, Gitea, GitHub, and GitLab provider schemas to ensure valid branch formats.
- Updated the corresponding schemas to include the new validation rule, enhancing input integrity and preventing potential errors.
- Added a utility for branch validation in the server utils.
Mauricio Siu
2026-05-08 23:50:38 -06:00
parent b20ff64cbf
commit fef2de1ec5
13 changed files with 38 additions and 15 deletions


@@ -1,3 +1,4 @@
import { VALID_BRANCH_REGEX } from "@dokploy/server/utils/git-branch-validation";
import { relations } from "drizzle-orm";
import {
bigint,
@@ -432,17 +433,22 @@ export const apiSaveBuildType = createSchema
.required()
.merge(createSchema.pick({ publishDirectory: true, isStaticSpa: true }));
const branchField = z
.string()
.min(1)
.regex(VALID_BRANCH_REGEX, "Invalid branch name");
export const apiSaveGithubProvider = createSchema
.pick({
applicationId: true,
repository: true,
branch: true,
owner: true,
buildPath: true,
githubId: true,
})
.required()
.extend({
branch: branchField,
triggerType: z.enum(["push", "tag"]).default("push"),
})
.required()
@@ -451,7 +457,6 @@ export const apiSaveGithubProvider = createSchema
export const apiSaveGitlabProvider = createSchema
.pick({
applicationId: true,
gitlabBranch: true,
gitlabBuildPath: true,
gitlabOwner: true,
gitlabRepository: true,
@@ -460,11 +465,11 @@ export const apiSaveGitlabProvider = createSchema
gitlabPathNamespace: true,
})
.required()
.extend({ gitlabBranch: branchField })
.merge(createSchema.pick({ enableSubmodules: true, watchPaths: true }));
export const apiSaveBitbucketProvider = createSchema
.pick({
bitbucketBranch: true,
bitbucketBuildPath: true,
bitbucketOwner: true,
bitbucketRepository: true,
@@ -473,18 +478,19 @@ export const apiSaveBitbucketProvider = createSchema
applicationId: true,
})
.required()
.extend({ bitbucketBranch: branchField })
.merge(createSchema.pick({ enableSubmodules: true, watchPaths: true }));
export const apiSaveGiteaProvider = createSchema
.pick({
applicationId: true,
giteaBranch: true,
giteaBuildPath: true,
giteaOwner: true,
giteaRepository: true,
giteaId: true,
})
.required()
.extend({ giteaBranch: branchField })
.merge(createSchema.pick({ enableSubmodules: true, watchPaths: true }));
export const apiSaveDockerProvider = createSchema
@@ -499,7 +505,6 @@ export const apiSaveDockerProvider = createSchema
export const apiSaveGitProvider = createSchema
.pick({
customGitBranch: true,
applicationId: true,
customGitBuildPath: true,
customGitUrl: true,
@@ -507,6 +512,7 @@ export const apiSaveGitProvider = createSchema
enableSubmodules: true,
})
.required()
.extend({ customGitBranch: branchField })
.merge(
createSchema.pick({
customGitSSHKeyId: true,
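Review bot: `branchField` is declared between two exported schemas with no comment on why the branch is constrained, and it overrides the field only in the five `apiSave*Provider` schemas shown in these hunks. Any other schema derived from `createSchema` that still exposes `branch`, `gitlabBranch`, `bitbucketBranch`, `giteaBranch` or `customGitBranch` would keep accepting arbitrary strings, and values stored before this change are not re-validated; neither is visible here, so both are worth confirming. I would add `// Branch values presumably end up in git command lines; every schema that accepts a branch must use this field.` above the declaration. The value should also be quoted or re-checked where the command is built, rather than relying on the API schema alone. The `apiSaveGitProvider` chain continues past the last hunk.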


@@ -108,6 +108,7 @@ export * from "./utils/notifications/docker-cleanup";
export * from "./utils/notifications/dokploy-restart";
export * from "./utils/notifications/server-threshold";
export * from "./utils/notifications/utils";
export * from "./utils/git-branch-validation";
export * from "./utils/process/execAsync";
export * from "./utils/process/spawnAsync";
export * from "./utils/providers/bitbucket";


@@ -0,0 +1,3 @@
// Valid git branch names per git-check-ref-format rules.
// Rejects shell metacharacters that would enable command injection.
export const VALID_BRANCH_REGEX = /^[a-zA-Z0-9._\-/]+$/;
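Review bot: The pattern on the last line accepts names that `git check-ref-format` rejects, so the first comment line overstates what is checked: `-b`, `a..b`, `/main`, `main/` and `x.lock` all match. The leading dash matters most for the stated goal, because a value starting with `-` contains no shell metacharacter yet can still be read as an option when it is passed to git as an argument. I would tighten it to `export const VALID_BRANCH_REGEX = /^(?!-)(?!.*\.\.)[a-zA-Z0-9._\-/]+$/;` and reword the first comment to `// Conservative allowlist for branch names; not the full git-check-ref-format rules.` The allowlist also rejects legitimate branch names containing characters such as `+`, `#` or non-ASCII letters, which should be stated in the comment as a deliberate trade-off.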