references/dokploy
1
0
Fork 0
mirror of https://github.com/dokploy/dokploy.git synced 2026-06-13 19:09:49 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor: improve path validation in Traefik configuration schema

Browse Source 
- Enhanced the `apiReadTraefikConfig` schema by reintroducing path validation logic to prevent directory traversal attacks and unauthorized access.
- The validation now includes checks for null bytes and ensures paths start with a defined main Traefik path, improving security and robustness.

These changes strengthen the integrity of the configuration handling by ensuring only valid paths are accepted.
This commit is contained in:
Mauricio Siu
2026-06-06 13:54:58 -06:00
parent aa545ec71c
commit 705ca54ccc
1 changed files with 25 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files
packages/server/src/db/schema/user.ts
+25 -22
View File
@@ -1,3 +1,4 @@
import { paths } from "@dokploy/server/constants";
import { relations, sql } from "drizzle-orm";
import {
boolean,
@@ -172,29 +173,31 @@ export const apiModifyTraefikConfig = z.object({
serverId: z.string().optional(),
});
export const apiReadTraefikConfig = z.object({
path: z.string().min(1),
// .refine(
// (path) => {
// // Prevent directory traversal attacks
// if (path.includes("../") || path.includes("..\\")) {
// return false;
// }
path: z
.string()
.min(1)
.refine(
(path) => {
// Prevent directory traversal attacks
if (path.includes("../") || path.includes("..\\")) {
return false;
}
// const { MAIN_TRAEFIK_PATH } = paths();
// if (path.startsWith("/") && !path.startsWith(MAIN_TRAEFIK_PATH)) {
// return false;
// }
// // Prevent null bytes and other dangerous characters
// if (path.includes("\0") || path.includes("\x00")) {
// return false;
// }
// return true;
// },
// {
// message:
// "Invalid path: path traversal or unauthorized directory access detected",
// },
// ),
const { MAIN_TRAEFIK_PATH } = paths();
if (path.startsWith("/") && !path.startsWith(MAIN_TRAEFIK_PATH)) {
return false;
}
// Prevent null bytes and other dangerous characters
if (path.includes("\0") || path.includes("\x00")) {
return false;
}
return true;
},
{
message:
"Invalid path: path traversal or unauthorized directory access detected",
},
),
serverId: z.string().optional(),
});