Merge branch 'Dokploy:canary' into feat/cloud-storage-providers

SECURITY.md

@@ -0,0 +1,28 @@
+# Dokploy Security Policy
+
+At Dokploy, security is a top priority. We appreciate the help of security researchers and the community in identifying and reporting vulnerabilities.
+
+## How to Report a Vulnerability
+
+If you have discovered a security vulnerability in Dokploy, we ask that you report it responsibly by following these guidelines:
+
+1.  **Contact us:** Send an email to [contact@dokploy.com](mailto:contact@dokploy.com).
+2.  **Provide clear details:** Include as much information as possible to help us understand and reproduce the vulnerability. This should include:
+    *   A clear description of the vulnerability.
+    *   Steps to reproduce the vulnerability.
+    *   Any sample code, screenshots, or videos that might be helpful.
+    *   The potential impact of the vulnerability.
+3.  **Do not make the vulnerability public:** Please refrain from publicly disclosing the vulnerability until we have had the opportunity to investigate and address it. This is crucial for protecting our users.
+4.  **Allow us time:** We will endeavor to acknowledge receipt of your report as soon as possible and keep you informed of our progress. The time to resolve the vulnerability may vary depending on its complexity and severity.
+
+## What We Expect From You
+
+*   Do not access user data or systems beyond what is necessary to demonstrate the vulnerability.
+*   Do not perform denial-of-service (DoS) attacks, spamming, or social engineering.
+*   Do not modify or destroy data that does not belong to you.
+
+## Our Commitment
+
+We are committed to working with you quickly and responsibly to address any legitimate security vulnerability.
+
+Thank you for helping us keep Dokploy secure for everyone.

packages/server/src/setup/traefik-setup.ts

@@ -139,6 +139,8 @@ export const initializeTraefik = async ({
 				const newContainer = docker.getContainer(containerName);
 				await newContainer.start();
 				console.log("Traefik container started successfully after retry");
+			} else {
+				throw error;
 			}
 		}
 	} catch (error) {

packages/server/src/utils/builders/railpack.ts

@@ -2,7 +2,10 @@ import { createHash } from "node:crypto";
 import type { WriteStream } from "node:fs";
 import { nanoid } from "nanoid";
 import type { ApplicationNested } from ".";
-import { prepareEnvironmentVariables } from "../docker/utils";
+import {
+	parseEnvironmentKeyValuePair,
+	prepareEnvironmentVariables,
+} from "../docker/utils";
 import { getBuildAppDirectory } from "../filesystem/directory";
 import { execAsync } from "../process/execAsync";
 import { spawnAsync } from "../process/spawnAsync";
@@ -81,10 +84,10 @@ export const buildRailpack = async (
 
 		// Add secrets properly formatted
 		const env: { [key: string]: string } = {};
-		for (const envVar of envVariables) {
-			const [key, value] = envVar.split("=");
+		for (const pair of envVariables) {
+			const [key, value] = parseEnvironmentKeyValuePair(pair);
 			if (key && value) {
-				buildArgs.push("--secret", `id=${key},env='${key}'`);
+				buildArgs.push("--secret", `id=${key},env=${key}`);
 				env[key] = value;
 			}
 		}
@@ -161,11 +164,11 @@ export const getRailpackCommand = (
 
 	// Add secrets properly formatted
 	const exportEnvs = [];
-	for (const envVar of envVariables) {
-		const [key, value] = envVar.split("=");
+	for (const pair of envVariables) {
+		const [key, value] = parseEnvironmentKeyValuePair(pair);
 		if (key && value) {
-			buildArgs.push("--secret", `id=${key},env='${key}'`);
-			exportEnvs.push(`export ${key}=${value}`);
+			buildArgs.push("--secret", `id=${key},env=${key}`);
+			exportEnvs.push(`export ${key}='${value}'`);
 		}
 	}
 

packages/server/src/utils/docker/utils.ts

@@ -279,6 +279,17 @@ export const prepareEnvironmentVariables = (
 	return resolvedVars;
 };
 
+export const parseEnvironmentKeyValuePair = (
+	pair: string,
+): [string, string] => {
+	const [key, ...valueParts] = pair.split("=");
+	if (!key || !valueParts.length) {
+		throw new Error(`Invalid environment variable pair: ${pair}`);
+	}
+
+	return [key, valueParts.join("")];
+};
+
 export const getEnviromentVariablesObject = (
 	input: string | null,
 	projectEnv?: string | null,
@@ -288,7 +299,7 @@ export const getEnviromentVariablesObject = (
 	const jsonObject: Record<string, string> = {};
 
 	for (const pair of envs) {
-		const [key, value] = pair.split("=");
+		const [key, value] = parseEnvironmentKeyValuePair(pair);
 		if (key && value) {
 			jsonObject[key] = value;
 		}