From 705ca54ccc7a81f8cb2122b107b28ca7575efb39 Mon Sep 17 00:00:00 2001
From: Mauricio Siu
Date: Sat, 6 Jun 2026 13:54:58 -0600
Subject: [PATCH] refactor: improve path validation in Traefik configuration schema
- Enhanced the `apiReadTraefikConfig` schema by reintroducing path validation logic to prevent directory traversal attacks and unauthorized access.
- The validation now includes checks for null bytes and ensures paths start with a defined main Traefik path, improving security and robustness.
These changes strengthen the integrity of the configuration handling by ensuring only valid paths are accepted.
---
 packages/server/src/db/schema/user.ts | 47 ++++++++++++++-------------
 1 file changed, 25 insertions(+), 22 deletions(-)
diff --git a/packages/server/src/db/schema/user.ts b/packages/server/src/db/schema/user.ts
index 75b0aab2e..9f6c3b613 100644
--- a/packages/server/src/db/schema/user.ts
+++ b/packages/server/src/db/schema/user.ts
@@ -1,3 +1,4 @@
+import { paths } from "@dokploy/server/constants";
 import { relations, sql } from "drizzle-orm";
 import {
 boolean,
@@ -172,29 +173,31 @@ export const apiModifyTraefikConfig = z.object({
 serverId: z.string().optional(),
 });
 export const apiReadTraefikConfig = z.object({
- path: z.string().min(1),
- // .refine(
- // (path) => {
- // // Prevent directory traversal attacks
- // if (path.includes("../") || path.includes("..\\")) {
- // return false;
- // }
+ path: z
+ .string()
+ .min(1)
+ .refine(
+ (path) => {
+ // Prevent directory traversal attacks
+ if (path.includes("../") || path.includes("..\\")) {
+ return false;
+ }
- // const { MAIN_TRAEFIK_PATH } = paths();
- // if (path.startsWith("/") && !path.startsWith(MAIN_TRAEFIK_PATH)) {
- // return false;
- // }
- // // Prevent null bytes and other dangerous characters
- // if (path.includes("\0") || path.includes("\x00")) {
- // return false;
- // }
- // return true;
- // },
- // {
- // message:
- // "Invalid path: path traversal or unauthorized directory access detected",
- // },
- // ),
+ const { MAIN_TRAEFIK_PATH } = paths();
+ if (path.startsWith("/") && !path.startsWith(MAIN_TRAEFIK_PATH)) {
+ return false;
+ }
+ // Prevent null bytes and other dangerous characters
+ if (path.includes("\0") || path.includes("\x00")) {
+ return false;
+ }
+ return true;
+ },
+ {
+ message:
+ "Invalid path: path traversal or unauthorized directory access detected",
+ },
+ ),
 serverId: z.string().optional(),
 });
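Review bot: The base-directory test in the refine callback, `path.startsWith("/") && !path.startsWith(MAIN_TRAEFIK_PATH)`, is a plain string-prefix match, so an absolute path in a sibling directory whose name merely begins with the same characters still validates, and a relative path skips the test altogether. Assuming MAIN_TRAEFIK_PATH carries no trailing slash, requiring the separator closes the first gap: `if (path.startsWith("/") && path !== MAIN_TRAEFIK_PATH && !path.startsWith(MAIN_TRAEFIK_PATH + "/")) return false;`. The traversal test matches only `"../"` and `"..\\"`, so a value that ends in `..` passes; comparing segments with `path.split(/[\\/]/).includes("..")` covers that case as well. How relative values are resolved is not visible in this hunk, so the code that actually reads the file should still resolve the path and confirm it stays under the Traefik directory rather than rely on the schema alone. `"\0"` and `"\x00"` are the same character, so the second `includes` can be dropped.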