mirror of
https://github.com/Dokploy/dokploy
synced 2025-06-26 18:27:59 +00:00
feat(user-validation): enhance path validation in Traefik config
- Added refined validation for the 'path' field to prevent directory traversal attacks and unauthorized access. - Implemented checks for null bytes and ensured paths start with the MAIN_TRAEFIK_PATH constant.
This commit is contained in:
@@ -459,6 +459,15 @@ export const settingsRouter = createTRPCRouter({
|
|||||||
throw new TRPCError({ code: "UNAUTHORIZED" });
|
throw new TRPCError({ code: "UNAUTHORIZED" });
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (input.serverId) {
|
||||||
|
const server = await findServerById(input.serverId);
|
||||||
|
|
||||||
|
if (server.organizationId !== ctx.session?.activeOrganizationId) {
|
||||||
|
throw new TRPCError({ code: "UNAUTHORIZED" });
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return readConfigInPath(input.path, input.serverId);
|
return readConfigInPath(input.path, input.serverId);
|
||||||
}),
|
}),
|
||||||
getIp: protectedProcedure.query(async ({ ctx }) => {
|
getIp: protectedProcedure.query(async ({ ctx }) => {
|
||||||
|
|||||||
@@ -15,6 +15,7 @@ import { backups } from "./backups";
|
|||||||
import { projects } from "./project";
|
import { projects } from "./project";
|
||||||
import { schedules } from "./schedule";
|
import { schedules } from "./schedule";
|
||||||
import { certificateType } from "./shared";
|
import { certificateType } from "./shared";
|
||||||
|
import { paths } from "@dokploy/server/constants";
|
||||||
/**
|
/**
|
||||||
* This is an example of how to use the multi-project schema feature of Drizzle ORM. Use the same
|
* This is an example of how to use the multi-project schema feature of Drizzle ORM. Use the same
|
||||||
* database instance for multiple projects.
|
* database instance for multiple projects.
|
||||||
@@ -236,7 +237,31 @@ export const apiModifyTraefikConfig = z.object({
|
|||||||
serverId: z.string().optional(),
|
serverId: z.string().optional(),
|
||||||
});
|
});
|
||||||
export const apiReadTraefikConfig = z.object({
|
export const apiReadTraefikConfig = z.object({
|
||||||
path: z.string().min(1),
|
path: z
|
||||||
|
.string()
|
||||||
|
.min(1)
|
||||||
|
.refine(
|
||||||
|
(path) => {
|
||||||
|
// Prevent directory traversal attacks
|
||||||
|
if (path.includes("../") || path.includes("..\\")) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
const { MAIN_TRAEFIK_PATH } = paths();
|
||||||
|
if (path.startsWith("/") && !path.startsWith(MAIN_TRAEFIK_PATH)) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
// Prevent null bytes and other dangerous characters
|
||||||
|
if (path.includes("\0") || path.includes("\x00")) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
return true;
|
||||||
|
},
|
||||||
|
{
|
||||||
|
message:
|
||||||
|
"Invalid path: path traversal or unauthorized directory access detected",
|
||||||
|
},
|
||||||
|
),
|
||||||
serverId: z.string().optional(),
|
serverId: z.string().optional(),
|
||||||
});
|
});
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user