feat(docker-swarm): implement server authorization checks and input validation

- Added server authorization checks to ensure users can only access resources for their organization. - Enhanced input validation for container and app names using regex to prevent invalid entries. - Updated multiple query procedures in both docker and swarm routers to include these checks and validations.
feat(user-validation): enhance path validation in Traefik config
2025-06-26 18:27:59 +00:00 · 2025-06-22 23:57:12 -06:00 · 2025-06-22 23:57:02 -06:00 · 2025-06-22 23:56:13 -06:00 · 2025-06-22 18:01:21 +02:00 · 2025-06-22 16:00:36 +00:00
12 changed files with 195 additions and 23 deletions
--- a/apps/dokploy/components/dashboard/application/environment/show.tsx
+++ b/apps/dokploy/components/dashboard/application/environment/show.tsx
@@ -49,7 +49,7 @@ export const ShowEnvironment = ({ applicationId }: Props) => {
 		currentBuildArgs !== (data?.buildArgs || "");
 	useEffect(() => {
-		if (data && !hasChanges) {
+		if (data) {
 			form.reset({
 				env: data.env || "",
 				buildArgs: data.buildArgs || "",
--- a/apps/dokploy/components/dashboard/application/rollbacks/show-rollback-settings.tsx
+++ b/apps/dokploy/components/dashboard/application/rollbacks/show-rollback-settings.tsx
@@ -1,3 +1,4 @@
 import { AlertBlock } from "@/components/shared/alert-block";
 import { Button } from "@/components/ui/button";
 import {
 	Dialog,
@@ -79,6 +80,11 @@ export const ShowRollbackSettings = ({ applicationId, children }: Props) => {
 					<DialogDescription>
 						Configure how rollbacks work for this application
 					</DialogDescription>
 					<AlertBlock>
 						Having rollbacks enabled increases storage usage. Be careful with
 						this option. Note that manually cleaning the cache may delete
 						rollback images, making them unavailable for future rollbacks.
 					</AlertBlock>
 				</DialogHeader>
 				<Form {...form}>
--- a/apps/dokploy/esbuild.config.ts
+++ b/apps/dokploy/esbuild.config.ts
@@ -21,6 +21,7 @@ try {
 			entryPoints: {
 				server: "server/server.ts",
 				"reset-password": "reset-password.ts",
 				"reset-2fa": "reset-2fa.ts",
 			},
 			bundle: true,
 			platform: "node",
--- a/apps/dokploy/package.json
+++ b/apps/dokploy/package.json
@@ -1,6 +1,6 @@
 {
 	"name": "dokploy",
-	"version": "v0.23.1",
+	"version": "v0.23.3",
 	"private": true,
 	"license": "Apache-2.0",
 	"type": "module",
@@ -11,6 +11,7 @@
 		"build-next": "next build",
 		"setup": "tsx -r dotenv/config setup.ts && sleep 5 && pnpm run migration:run",
 		"reset-password": "node -r dotenv/config dist/reset-password.mjs",
 		"reset-2fa": "node -r dotenv/config dist/reset-2fa.mjs",
 		"dev": "tsx -r dotenv/config ./server/server.ts  --project tsconfig.server.json ",
 		"dev-turbopack": "TURBOPACK=1 tsx -r dotenv/config ./server/server.ts  --project tsconfig.server.json",
 		"studio": "drizzle-kit studio --config ./server/db/drizzle.config.ts",
--- a/apps/dokploy/reset-2fa.ts
+++ b/apps/dokploy/reset-2fa.ts
@@ -0,0 +1,27 @@
 import { findAdmin } from "@dokploy/server";
 import { db } from "@dokploy/server/db";
 import { users_temp } from "@dokploy/server/db/schema";
 import { eq } from "drizzle-orm";
 (async () => {
 	try {
 		const result = await findAdmin();
 		const update = await db
 			.update(users_temp)
 			.set({
 				twoFactorEnabled: false,
 			})
 			.where(eq(users_temp.id, result.userId));
 		if (update) {
 			console.log("2FA reset successful");
 		} else {
 			console.log("Password reset failed");
 		}
 		process.exit(0);
 	} catch (error) {
 		console.log("Error resetting 2FA", error);
 	}
 })();
--- a/apps/dokploy/server/api/routers/docker.ts
+++ b/apps/dokploy/server/api/routers/docker.ts
@@ -1,5 +1,6 @@
 import {
 	containerRestart,
 	findServerById,
 	getConfig,
 	getContainers,
 	getContainersByAppLabel,
@@ -9,6 +10,9 @@ import {
 } from "@dokploy/server";
 import { z } from "zod";
 import { createTRPCRouter, protectedProcedure } from "../trpc";
 import { TRPCError } from "@trpc/server";
 export const containerIdRegex = /^[a-zA-Z0-9.\-_]+$/;
 export const dockerRouter = createTRPCRouter({
 	getContainers: protectedProcedure
@@ -17,14 +21,23 @@ export const dockerRouter = createTRPCRouter({
 				serverId: z.string().optional(),
 			}),
 		)
-		.query(async ({ input }) => {
+		.query(async ({ input, ctx }) => {
 			if (input.serverId) {
 				const server = await findServerById(input.serverId);
 				if (server.organizationId !== ctx.session?.activeOrganizationId) {
 					throw new TRPCError({ code: "UNAUTHORIZED" });
 				}
 			}
 			return await getContainers(input.serverId);
 		}),
 	restartContainer: protectedProcedure
 		.input(
 			z.object({
-				containerId: z.string().min(1),
+				containerId: z
 					.string()
 					.min(1)
 					.regex(containerIdRegex, "Invalid container id."),
 			}),
 		)
 		.mutation(async ({ input }) => {
@@ -34,11 +47,20 @@ export const dockerRouter = createTRPCRouter({
 	getConfig: protectedProcedure
 		.input(
 			z.object({
-				containerId: z.string().min(1),
+				containerId: z
 					.string()
 					.min(1)
 					.regex(containerIdRegex, "Invalid container id."),
 				serverId: z.string().optional(),
 			}),
 		)
-		.query(async ({ input }) => {
+		.query(async ({ input, ctx }) => {
 			if (input.serverId) {
 				const server = await findServerById(input.serverId);
 				if (server.organizationId !== ctx.session?.activeOrganizationId) {
 					throw new TRPCError({ code: "UNAUTHORIZED" });
 				}
 			}
 			return await getConfig(input.containerId, input.serverId);
 		}),
@@ -48,11 +70,17 @@ export const dockerRouter = createTRPCRouter({
 				appType: z
 					.union([z.literal("stack"), z.literal("docker-compose")])
 					.optional(),
-				appName: z.string().min(1),
+				appName: z.string().min(1).regex(containerIdRegex, "Invalid app name."),
 				serverId: z.string().optional(),
 			}),
 		)
-		.query(async ({ input }) => {
+		.query(async ({ input, ctx }) => {
 			if (input.serverId) {
 				const server = await findServerById(input.serverId);
 				if (server.organizationId !== ctx.session?.activeOrganizationId) {
 					throw new TRPCError({ code: "UNAUTHORIZED" });
 				}
 			}
 			return await getContainersByAppNameMatch(
 				input.appName,
 				input.appType,
@@ -63,12 +91,18 @@ export const dockerRouter = createTRPCRouter({
 	getContainersByAppLabel: protectedProcedure
 		.input(
 			z.object({
-				appName: z.string().min(1),
+				appName: z.string().min(1).regex(containerIdRegex, "Invalid app name."),
 				serverId: z.string().optional(),
 				type: z.enum(["standalone", "swarm"]),
 			}),
 		)
-		.query(async ({ input }) => {
+		.query(async ({ input, ctx }) => {
 			if (input.serverId) {
 				const server = await findServerById(input.serverId);
 				if (server.organizationId !== ctx.session?.activeOrganizationId) {
 					throw new TRPCError({ code: "UNAUTHORIZED" });
 				}
 			}
 			return await getContainersByAppLabel(
 				input.appName,
 				input.type,
@@ -79,22 +113,34 @@ export const dockerRouter = createTRPCRouter({
 	getStackContainersByAppName: protectedProcedure
 		.input(
 			z.object({
-				appName: z.string().min(1),
+				appName: z.string().min(1).regex(containerIdRegex, "Invalid app name."),
 				serverId: z.string().optional(),
 			}),
 		)
-		.query(async ({ input }) => {
+		.query(async ({ input, ctx }) => {
 			if (input.serverId) {
 				const server = await findServerById(input.serverId);
 				if (server.organizationId !== ctx.session?.activeOrganizationId) {
 					throw new TRPCError({ code: "UNAUTHORIZED" });
 				}
 			}
 			return await getStackContainersByAppName(input.appName, input.serverId);
 		}),
 	getServiceContainersByAppName: protectedProcedure
 		.input(
 			z.object({
-				appName: z.string().min(1),
+				appName: z.string().min(1).regex(containerIdRegex, "Invalid app name."),
 				serverId: z.string().optional(),
 			}),
 		)
-		.query(async ({ input }) => {
+		.query(async ({ input, ctx }) => {
 			if (input.serverId) {
 				const server = await findServerById(input.serverId);
 				if (server.organizationId !== ctx.session?.activeOrganizationId) {
 					throw new TRPCError({ code: "UNAUTHORIZED" });
 				}
 			}
 			return await getServiceContainersByAppName(input.appName, input.serverId);
 		}),
 });
--- a/apps/dokploy/server/api/routers/settings.ts
+++ b/apps/dokploy/server/api/routers/settings.ts
@@ -459,6 +459,15 @@ export const settingsRouter = createTRPCRouter({
 					throw new TRPCError({ code: "UNAUTHORIZED" });
 				}
 			}
 			if (input.serverId) {
 				const server = await findServerById(input.serverId);
 				if (server.organizationId !== ctx.session?.activeOrganizationId) {
 					throw new TRPCError({ code: "UNAUTHORIZED" });
 				}
 			}
 			return readConfigInPath(input.path, input.serverId);
 		}),
 	getIp: protectedProcedure.query(async ({ ctx }) => {
--- a/apps/dokploy/server/api/routers/swarm.ts
+++ b/apps/dokploy/server/api/routers/swarm.ts
@@ -6,6 +6,9 @@ import {
 } from "@dokploy/server";
 import { z } from "zod";
 import { createTRPCRouter, protectedProcedure } from "../trpc";
 import { TRPCError } from "@trpc/server";
 import { findServerById } from "@dokploy/server";
 import { containerIdRegex } from "./docker";
 export const swarmRouter = createTRPCRouter({
 	getNodes: protectedProcedure
@@ -14,12 +17,24 @@ export const swarmRouter = createTRPCRouter({
 				serverId: z.string().optional(),
 			}),
 		)
-		.query(async ({ input }) => {
+		.query(async ({ input, ctx }) => {
 			if (input.serverId) {
 				const server = await findServerById(input.serverId);
 				if (server.organizationId !== ctx.session?.activeOrganizationId) {
 					throw new TRPCError({ code: "UNAUTHORIZED" });
 				}
 			}
 			return await getSwarmNodes(input.serverId);
 		}),
 	getNodeInfo: protectedProcedure
 		.input(z.object({ nodeId: z.string(), serverId: z.string().optional() }))
-		.query(async ({ input }) => {
+		.query(async ({ input, ctx }) => {
 			if (input.serverId) {
 				const server = await findServerById(input.serverId);
 				if (server.organizationId !== ctx.session?.activeOrganizationId) {
 					throw new TRPCError({ code: "UNAUTHORIZED" });
 				}
 			}
 			return await getNodeInfo(input.nodeId, input.serverId);
 		}),
 	getNodeApps: protectedProcedure
@@ -28,17 +43,29 @@ export const swarmRouter = createTRPCRouter({
 				serverId: z.string().optional(),
 			}),
 		)
-		.query(async ({ input }) => {
+		.query(async ({ input, ctx }) => {
 			if (input.serverId) {
 				const server = await findServerById(input.serverId);
 				if (server.organizationId !== ctx.session?.activeOrganizationId) {
 					throw new TRPCError({ code: "UNAUTHORIZED" });
 				}
 			}
 			return getNodeApplications(input.serverId);
 		}),
 	getAppInfos: protectedProcedure
 		.input(
 			z.object({
-				appName: z.string(),
+				appName: z.string().min(1).regex(containerIdRegex, "Invalid app name."),
 				serverId: z.string().optional(),
 			}),
 		)
-		.query(async ({ input }) => {
+		.query(async ({ input, ctx }) => {
 			if (input.serverId) {
 				const server = await findServerById(input.serverId);
 				if (server.organizationId !== ctx.session?.activeOrganizationId) {
 					throw new TRPCError({ code: "UNAUTHORIZED" });
 				}
 			}
 			return await getApplicationInfo(input.appName, input.serverId);
 		}),
 });
--- a/apps/dokploy/server/api/routers/user.ts
+++ b/apps/dokploy/server/api/routers/user.ts
@@ -75,6 +75,24 @@ export const userRouter = createTRPCRouter({
 				},
 			});
 			// If user not found in the organization, deny access
 			if (!memberResult) {
 				throw new TRPCError({
 					code: "NOT_FOUND",
 					message: "User not found in this organization",
 				});
 			}
 			// Allow access if:
 			// 1. User is requesting their own information
 			// 2. User has owner role (admin permissions) AND user is in the same organization
 			if (memberResult.userId !== ctx.user.id && ctx.user.role !== "owner") {
 				throw new TRPCError({
 					code: "UNAUTHORIZED",
 					message: "You are not authorized to access this user",
 				});
 			}
 			return memberResult;
 		}),
 	get: protectedProcedure.query(async ({ ctx }) => {
--- a/packages/server/src/db/schema/rollbacks.ts
+++ b/packages/server/src/db/schema/rollbacks.ts
@@ -4,6 +4,8 @@ import { createInsertSchema } from "drizzle-zod";
 import { nanoid } from "nanoid";
 import { z } from "zod";
 import { deployments } from "./deployment";
 import type { Application } from "@dokploy/server/services/application";
 import type { Project } from "@dokploy/server/services/project";
 export const rollbacks = pgTable("rollback", {
 	rollbackId: text("rollbackId")
@@ -20,7 +22,7 @@ export const rollbacks = pgTable("rollback", {
 	createdAt: text("createdAt")
 		.notNull()
 		.$defaultFn(() => new Date().toISOString()),
-	fullContext: jsonb("fullContext"),
+	fullContext: jsonb("fullContext").$type<Application & { project: Project }>(),
 });
 export type Rollback = typeof rollbacks.$inferSelect;
--- a/packages/server/src/db/schema/user.ts
+++ b/packages/server/src/db/schema/user.ts
@@ -15,6 +15,7 @@ import { backups } from "./backups";
 import { projects } from "./project";
 import { schedules } from "./schedule";
 import { certificateType } from "./shared";
 import { paths } from "@dokploy/server/constants";
 /**
 * This is an example of how to use the multi-project schema feature of Drizzle ORM. Use the same
 * database instance for multiple projects.
@@ -236,7 +237,31 @@ export const apiModifyTraefikConfig = z.object({
 	serverId: z.string().optional(),
 });
 export const apiReadTraefikConfig = z.object({
-	path: z.string().min(1),
+	path: z
 		.string()
 		.min(1)
 		.refine(
 			(path) => {
 				// Prevent directory traversal attacks
 				if (path.includes("../") || path.includes("..\\")) {
 					return false;
 				}
 				const { MAIN_TRAEFIK_PATH } = paths();
 				if (path.startsWith("/") && !path.startsWith(MAIN_TRAEFIK_PATH)) {
 					return false;
 				}
 				// Prevent null bytes and other dangerous characters
 				if (path.includes("\0") || path.includes("\x00")) {
 					return false;
 				}
 				return true;
 			},
 			{
 				message:
 					"Invalid path: path traversal or unauthorized directory access detected",
 			},
 		),
 	serverId: z.string().optional(),
 });
--- a/packages/server/src/services/rollbacks.ts
+++ b/packages/server/src/services/rollbacks.ts
@@ -12,14 +12,16 @@ import type { ApplicationNested } from "../utils/builders";
 import { execAsync, execAsyncRemote } from "../utils/process/execAsync";
 import type { CreateServiceOptions } from "dockerode";
 import { findDeploymentById } from "./deployment";
 import { prepareEnvironmentVariables } from "../utils/docker/utils";
 export const createRollback = async (
 	input: z.infer<typeof createRollbackSchema>,
 ) => {
 	await db.transaction(async (tx) => {
 		const { fullContext, ...other } = input;
 		const rollback = await tx
 			.insert(rollbacks)
-			.values(input)
+			.values(other)
 			.returning()
 			.then((res) => res[0]);
@@ -47,7 +49,7 @@ export const createRollback = async (
 			.update(rollbacks)
 			.set({
 				image: tagImage,
-				fullContext: JSON.stringify(rest),
+				fullContext: rest,
 			})
 			.where(eq(rollbacks.rollbackId, rollback.rollbackId));
@@ -150,10 +152,16 @@ export const rollback = async (rollbackId: string) => {
 	const application = await findApplicationById(deployment.applicationId);
 	const envVariables = prepareEnvironmentVariables(
 		result?.fullContext?.env || "",
 		result.fullContext?.project?.env || "",
 	);
 	await rollbackApplication(
 		application.appName,
 		result.image || "",
 		application.serverId,
 		envVariables,
 	);
 };
@@ -161,6 +169,7 @@ const rollbackApplication = async (
 	appName: string,
 	image: string,
 	serverId?: string | null,
 	env: string[] = [],
 ) => {
 	const docker = await getRemoteDocker(serverId);
@@ -169,6 +178,7 @@ const rollbackApplication = async (
 		TaskTemplate: {
 			ContainerSpec: {
 				Image: image,
 				Env: env,
 			},
 		},
 	};
Author	SHA1	Message	Date
Mauricio Siu	fb5d2bd5b6	feat(docker-swarm): implement server authorization checks and input validation - Added server authorization checks to ensure users can only access resources for their organization. - Enhanced input validation for container and app names using regex to prevent invalid entries. - Updated multiple query procedures in both docker and swarm routers to include these checks and validations.	2025-06-22 23:57:12 -06:00
Mauricio Siu	e42f6bc610	feat(user-validation): enhance path validation in Traefik config - Added refined validation for the 'path' field to prevent directory traversal attacks and unauthorized access. - Implemented checks for null bytes and ensured paths start with the MAIN_TRAEFIK_PATH constant.	2025-06-22 23:57:02 -06:00
Mauricio Siu	61cf426615	feat(user-access): implement access control for user information retrieval - Added checks to deny access if the user is not found in the organization. - Implemented authorization logic to allow access only for users requesting their own information or users with owner role in the same organization.	2025-06-22 23:56:13 -06:00
Mauricio Siu	2a89be6efc	Merge pull request #2069 from Dokploy/2065-rollback-feature-dns-issues Some checks failed Auto PR to main when version changes / create-pr (push) Has been cancelled Details Build Docker images / build-and-push-cloud-image (push) Has been cancelled Details Build Docker images / build-and-push-schedule-image (push) Has been cancelled Details Build Docker images / build-and-push-server-image (push) Has been cancelled Details Dokploy Docker Build / docker-amd (push) Has been cancelled Details Dokploy Docker Build / docker-arm (push) Has been cancelled Details autofix.ci / format (push) Has been cancelled Details Dokploy Monitoring Build / docker-amd (push) Has been cancelled Details Dokploy Monitoring Build / docker-arm (push) Has been cancelled Details Dokploy Docker Build / combine-manifests (push) Has been cancelled Details Dokploy Docker Build / generate-release (push) Has been cancelled Details Dokploy Monitoring Build / combine-manifests (push) Has been cancelled Details feat(rollbacks): enhance fullContext type and refactor createRollback…	2025-06-22 18:01:21 +02:00
autofix-ci[bot]	412bb9e874	[autofix.ci] apply automated fixes	2025-06-22 16:00:36 +00:00
Mauricio Siu	6290c217f1	feat(rollbacks): add alert for storage usage in rollback settings - Introduced an AlertBlock component to inform users about increased storage usage when rollbacks are enabled. - Added cautionary note regarding the potential deletion of rollback images during manual cache cleaning.	2025-06-22 10:00:14 -06:00
Mauricio Siu	4babdd45ea	chore: update version in package.json to v0.23.3	2025-06-22 09:58:35 -06:00
Mauricio Siu	24bff96898	feat(rollbacks): enhance fullContext type and refactor createRollback logic - Updated fullContext type in rollbacks schema to include Application and Project types. - Refactored createRollback function to separate fullContext from input and handle it more efficiently. - Integrated environment variable preparation into the rollback process.	2025-06-22 09:56:36 -06:00
Mauricio Siu	892f272108	Merge pull request #2066 from nikolajjsj/feat/reset-2fa-script Feat/reset 2fa script	2025-06-22 16:40:47 +02:00
Mauricio Siu	fca537ee40	feat(esbuild): add entry point for reset-2fa script	2025-06-22 08:40:13 -06:00
Mauricio Siu	ae24aa8be5	Merge pull request #2067 from Dokploy/fix/envs-not-reset fix: simplify useEffect condition in ShowEnvironment component	2025-06-22 16:32:54 +02:00
Mauricio Siu	b74d3995ee	chore: update version in package.json to v0.23.2	2025-06-22 08:32:20 -06:00
Mauricio Siu	f7fd77f7e9	fix: simplify useEffect condition in ShowEnvironment component	2025-06-22 08:31:46 -06:00
nikolajjsj	db8a4e6edf	feat(scripts): add command to run reset-2fa script	2025-06-22 15:11:12 +02:00
nikolajjsj	fa16cfec2a	feat(scripts): add script to reset 2fa for admin Similar style to existing reset-password script	2025-06-22 15:10:57 +02:00