Commit Graph

15 Commits

Author SHA1 Message Date
Mauricio Siu
c968a2755e fix: strip credentials from service-level API responses (#4564)
* fix: strip credentials from service-level API responses

Registry passwords and S3 destination credentials were being returned
in service `.one` tRPC endpoints to any user with service-level read
access. Reported by Nihon Kohden Corporation security team.

- Strip registry `password` from `findApplicationById` via Drizzle `columns: { password: false }`
- Strip destination `accessKey`/`secretAccessKey` from all DB service finders (postgres, mysql, mariadb, mongo, libsql, compose, backup, volume-backups)
- Add `findRegistryByIdWithCredentials` for internal use only
- Builders and upload utils now load registry credentials by ID at execution time
- `createRollback` enriches `fullContext` with registry credentials before persisting to DB so rollback execution has what it needs
- Remove `findApplicationByIdWithCredentials` and `ApplicationNestedWithCredentials` — no longer needed
- Backup execution utils load full destination via `findDestinationById` at runtime instead of reading from the joined relation

* [autofix.ci] apply automated fixes

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
2026-06-06 17:45:24 -06:00
Mauricio Siu
547ba2d04b feat(validation): enhance registry URL validation in schema
- Introduced a new validation schema for registry URLs, ensuring they conform to a specific format (hostname[:port]) and disallow shell metacharacters.
- Updated the `createSchema`, `apiCreateRegistry`, and `apiTestRegistry` functions to utilize the new registry URL validation.
- Improved security and input integrity for registry URL fields.
- Updated the `removeRegistry` function to escape the registry URL during logout to prevent command injection vulnerabilities.
2026-05-09 01:09:50 -06:00
lear
d2fabc998d refactor: reuse safeDockerLoginCommand from registry.ts instead of duplicating shEscape 2026-03-04 12:45:57 +03:00
Mauricio Siu
fca10c135a chore: update zod and react-hook-form integration to use standard-schema resolver; update dependencies in pnpm-lock.yaml 2026-02-23 11:10:28 -06:00
autofix-ci[bot]
68945c6888 [autofix.ci] apply automated fixes 2025-09-03 18:17:04 +00:00
Leonhard Breuer
146d82b6c4 feat: use printf instead of echo 2025-09-03 20:12:16 +02:00
Leonhard Breuer
02215d4e21 fix: use new command for registry updates 2025-09-03 19:59:17 +02:00
Leonhard Breuer
4ca05414af fix: use shellsafe docker command
- add `shEscape` function - add `safeDockerLoginCommand` - use the new
functions to contruct better registry login command
2025-09-03 19:52:01 +02:00
Mauricio Siu
1a415b96c9 refactor: remove unused auth service and clean up server-side code 2025-02-22 18:03:12 -06:00
Mauricio Siu
78c72b6337 refactor: update 2025-02-15 20:49:10 -06:00
Mauricio Siu
ca217affe6 feat: update references 2025-02-14 02:18:53 -06:00
Dom
2af8d6f565 Spelling and grammar corrections 2024-12-29 22:34:57 +10:00
Mauricio Siu
47aa223f87 refactor: remove save on build on next app and integrate turbopack 2024-10-24 23:13:24 -06:00
Mauricio Siu
017bdd2778 refactor(dokploy): add flag to prevent run commands when is cloud 2024-10-23 00:54:40 -06:00
Mauricio Siu
f3ce69b656 refactor: rename builders to server 2024-10-05 22:15:47 -06:00