Dokploy/dokploy
1
0
Fork 0
mirror of https://github.com/Dokploy/dokploy synced 2025-06-26 18:27:59 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

refactor(cloud): add validation to prevent access to shared resources

Browse Source
This commit is contained in:
Mauricio Siu
2024-10-03 19:50:17 -06:00
parent ec1d6c7430
commit 767d3e1944
3 changed files with 66 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
apps/dokploy/components/dashboard/settings/git/github/add-github-provider.tsx
View File

@@ -17,7 +17,6 @@ import { useEffect, useState } from "react";
export const AddGithubProvider = () => {
const [isOpen, setIsOpen] = useState(false);
const url = useUrl();
const { data } = api.auth.get.useQuery();
const [manifest, setManifest] = useState("");
const [isOrganization, setIsOrganization] = useState(false);

17
apps/dokploy/server/api/routers/git-provider.ts
View File

@@ -2,11 +2,11 @@ import { createTRPCRouter, protectedProcedure } from "@/server/api/trpc";
import { db } from "@/server/db";
import { apiRemoveGitProvider, gitProvider } from "@/server/db/schema";
import { TRPCError } from "@trpc/server";
import { desc } from "drizzle-orm";
import { removeGitProvider } from "@dokploy/builders";
import { desc, eq } from "drizzle-orm";
import { findGitProviderById, removeGitProvider } from "@dokploy/builders";
export const gitProviderRouter = createTRPCRouter({
getAll: protectedProcedure.query(async () => {
getAll: protectedProcedure.query(async ({ ctx }) => {
return await db.query.gitProvider.findMany({
with: {
gitlab: true,
@@ -14,12 +14,21 @@ export const gitProviderRouter = createTRPCRouter({
github: true,
},
orderBy: desc(gitProvider.createdAt),
// where: eq(gitProvider.adminId, ctx.user.adminId), //TODO: Remove this line when the cloud version is ready
});
}),
remove: protectedProcedure
.input(apiRemoveGitProvider)
.mutation(async ({ input }) => {
.mutation(async ({ input, ctx }) => {
try {
const gitProvider = await findGitProviderById(input.gitProviderId);
// if (gitProvider.adminId !== ctx.user.adminId) {
// throw new TRPCError({
// code: "UNAUTHORIZED",
// message: "You are not allowed to delete this git provider",
// });
// }
return await removeGitProvider(input.gitProviderId);
} catch (error) {
throw new TRPCError({

87
apps/dokploy/server/api/routers/registry.ts
View File

@@ -13,10 +13,11 @@ import {
execAsync,
manageRegistry,
createRegistry,
findAllRegistry,
findAllRegistryByAdminId,
findRegistryById,
removeRegistry,
updateRegistry,
IS_CLOUD,
} from "@dokploy/builders";
import { adminProcedure, createTRPCRouter, protectedProcedure } from "../trpc";
@@ -24,17 +25,31 @@ export const registryRouter = createTRPCRouter({
create: adminProcedure
.input(apiCreateRegistry)
.mutation(async ({ ctx, input }) => {
return await createRegistry(input);
return await createRegistry(input, ctx.user.adminId);
}),
remove: adminProcedure
.input(apiRemoveRegistry)
.mutation(async ({ ctx, input }) => {
const registry = await findRegistryById(input.registryId);
if (registry.adminId !== ctx.user.adminId) {
throw new TRPCError({
code: "UNAUTHORIZED",
message: "You are not allowed to delete this registry",
});
}
return await removeRegistry(input.registryId);
}),
update: protectedProcedure
.input(apiUpdateRegistry)
.mutation(async ({ input }) => {
.mutation(async ({ input, ctx }) => {
const { registryId, ...rest } = input;
const registry = await findRegistryById(registryId);
if (registry.adminId !== ctx.user.adminId) {
throw new TRPCError({
code: "UNAUTHORIZED",
message: "You are not allowed to update this registry",
});
}
const application = await updateRegistry(registryId, {
...rest,
});
@@ -48,12 +63,21 @@ export const registryRouter = createTRPCRouter({
return true;
}),
all: protectedProcedure.query(async () => {
return await findAllRegistry();
}),
one: adminProcedure.input(apiFindOneRegistry).query(async ({ input }) => {
return await findRegistryById(input.registryId);
all: protectedProcedure.query(async ({ ctx }) => {
return await findAllRegistryByAdminId(ctx.user.adminId);
}),
one: adminProcedure
.input(apiFindOneRegistry)
.query(async ({ input, ctx }) => {
const registry = await findRegistryById(input.registryId);
if (registry.adminId !== ctx.user.adminId) {
throw new TRPCError({
code: "UNAUTHORIZED",
message: "You are not allowed to access this registry",
});
}
return registry;
}),
testRegistry: protectedProcedure
.input(apiTestRegistry)
.mutation(async ({ input }) => {
@@ -75,18 +99,27 @@ export const registryRouter = createTRPCRouter({
enableSelfHostedRegistry: adminProcedure
.input(apiEnableSelfHostedRegistry)
.mutation(async ({ input }) => {
const selfHostedRegistry = await createRegistry({
...input,
registryName: "Self Hosted Registry",
registryType: "selfHosted",
registryUrl:
process.env.NODE_ENV === "production"
? input.registryUrl
: "dokploy-registry.docker.localhost",
imagePrefix: null,
serverId: undefined,
});
.mutation(async ({ input, ctx }) => {
if (IS_CLOUD) {
throw new TRPCError({
code: "UNAUTHORIZED",
message: "Self Hosted Registry is not available in the cloud version",
});
}
const selfHostedRegistry = await createRegistry(
{
...input,
registryName: "Self Hosted Registry",
registryType: "selfHosted",
registryUrl:
process.env.NODE_ENV === "production"
? input.registryUrl
: "dokploy-registry.docker.localhost",
imagePrefix: null,
serverId: undefined,
},
ctx.user.adminId,
);
await manageRegistry(selfHostedRegistry);
await initializeRegistry(input.username, input.password);
@@ -94,17 +127,3 @@ export const registryRouter = createTRPCRouter({
return selfHostedRegistry;
}),
});
const shellEscape = (str: string) => {
const ret = [];
let s = str;
if (/[^A-Za-z0-9_\/:=-]/.test(s)) {
s = `'${s.replace(/'/g, "'\\''")}'`;
s = s
.replace(/^(?:'')+/g, "") // unduplicate single-quote at the beginning
.replace(/\\'''/g, "\\'"); // remove non-escaped single-quote if there are enclosed between 2 escaped
}
ret.push(s);
return ret.join(" ");
};