Sanitize openresty include filenames to prevent eval injection#8588
Merged
Conversation
Add defense-in-depth sanitization for OpenResty include files to prevent OS command injection via malicious filenames that break shell quoting in eval.

- Add filename validation in core-post-extract using regex `[^a-zA-Z0-9_.-]`
- Validate both http-includes and location-includes paths
- Abort deploy via dokku_log_fail on unsafe filenames
- Skip non-regular files (symlinks, directories) during extraction
- Add security regression test with unsafe filename containing space
- Keep existing guards in docker-args-process-deploy as belt-and-suspenders
- Update documentation to clarify allowed filename characters

Addresses CVSS 9.9 vulnerability where filenames like `poc'$(cmd)'x.conf` could escape shell quoting and execute arbitrary commands during deploy.
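The check the PR describes, as an added example written for this page (it is not dokku's own code and does not reproduce its plugin files): an allowlist validator that rejects any include basename containing a character outside `[a-zA-Z0-9_.-]`, plus a directory walk that skips symlinks and non-regular files and fails as a whole when any remaining file has an unsafe name. The function names `validate_include_name` and `safe_include_files`, the use of `LC_ALL=C`, and the sample directory contents are all constructed for the example; the real plugin aborts through `dokku_log_fail`, which is stood in for here by a message on stderr and a non-zero return.

```shell
#!/bin/sh
# Added example, not dokku's code: allowlist validation of OpenResty include
# filenames before any name is interpolated into an eval'd command.
# LC_ALL=C keeps the a-z / A-Z ranges strictly ASCII so the allowlist cannot
# widen under a non-C locale.
LC_ALL=C
export LC_ALL

# validate_include_name NAME
# Return 0 when NAME is a non-empty basename made only of [a-zA-Z0-9_.-],
# otherwise 1. Path separators are rejected outright so "../x.conf" fails.
validate_include_name() {
  name="$1"
  [ -n "$name" ] || return 1
  case "$name" in
    */*) return 1 ;;
  esac
  # POSIX pattern: any single character outside the allowlist anywhere in NAME.
  case "$name" in
    *[!a-zA-Z0-9_.-]*) return 1 ;;
  esac
  return 0
}

# safe_include_files DIR
# Print the basenames of regular files in DIR that pass validation.
# Symlinks and directories are skipped (never included), and the function
# returns 1 if any regular file has an unsafe name, mirroring "abort the deploy".
safe_include_files() {
  dir="$1"
  rc=0
  for path in "$dir"/*; do
    [ -e "$path" ] || [ -L "$path" ] || continue   # empty glob, nothing to do
    if [ -L "$path" ]; then continue; fi           # skip symlinks
    [ -f "$path" ] || continue                     # skip directories and other non-regular files
    name="${path##*/}"
    if validate_include_name "$name"; then
      printf '%s\n' "$name"
    else
      # Constructed stand-in for dokku_log_fail: report and mark the run failed.
      printf 'unsafe include filename rejected: %s\n' "$name" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Demonstration on a constructed directory: one good file, one symlink, one
# subdirectory, and the quoting-escape name from the PR description.
demo_dir="$(mktemp -d)"
mkdir "$demo_dir/subdir"
: > "$demo_dir/upstream.conf"
: > "$demo_dir/poc'\$(cmd)'x.conf"
ln -s /etc/hostname "$demo_dir/link.conf"
if safe_include_files "$demo_dir"; then
  echo "all include files safe"
else
  echo "deploy would be aborted"
fi
rm -rf "$demo_dir"
```

The glob in `safe_include_files` expands the `$(cmd)` filename as plain data; the danger the PR addresses only arises when such a name is later spliced into a string handed to `eval`, which is why the validation has to run before that point rather than inside the eval'd command.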
github-actions Bot pushed a commit that referenced this pull request on May 10, 2026:
# History

## 0.38.2

Install/update via the bootstrap script:

```shell
wget -NP . https://dokku.com/install/v0.38.2/bootstrap.sh
sudo DOKKU_TAG=v0.38.2 bash bootstrap.sh
```

### Security

- #8590: @josegonzalez Restrict app names to prevent command injection
- #8591: @josegonzalez Harden archive extraction against symlink traversal
- #8589: @josegonzalez Enforce 0600 permissions on .netrc credentials file
- #8588: @josegonzalez Sanitize openresty include filenames to prevent eval injection

### Bug Fixes

- #8593: @josegonzalez Gate ssl_reject_handshake behind nginx 1.19.4
- #8578: @josegonzalez Reference SOURCECODE_WORK_DIR in builder core-post-extract

### Documentation

- #8592: @josegonzalez Add security section to release changelog
- #8587: @vixalien Correct buildkit builder code block syntax
- #8580: @othercorey Set issue type in bug report template

### Tests

- #8586: @josegonzalez Count assert_output_contains matches as fixed strings
- #8581: @dependabot[bot] chore(deps): bump golang from 1.26.2 to 1.26.3 in /tests/apps/go-fail-predeploy
- #8582: @dependabot[bot] chore(deps): bump golang from 1.26.2 to 1.26.3 in /tests/apps/gogrpc
- #8584: @dependabot[bot] chore(deps): bump golang from 1.26.2 to 1.26.3 in /tests/apps/go-fail-postdeploy
- #8583: @dependabot[bot] chore(deps): bump golang from 1.26.2 to 1.26.3 in /tests/apps/zombies-dockerfile-tini
- #8585: @dependabot[bot] chore(deps): bump golang from 1.26.2 to 1.26.3 in /tests/apps/zombies-dockerfile-no-tini
- #8574: @dependabot[bot] chore(deps): bump node from 25-alpine to 26-alpine in /tests/apps/dockerfile-noexpose
- #8575: @dependabot[bot] chore(deps): bump node from 25-alpine to 26-alpine in /tests/apps/dockerfile-procfile-bad
- #8577: @dependabot[bot] chore(deps): bump node from 25-alpine to 26-alpine in /tests/apps/dockerfile-app-json-formations
- #8576: @dependabot[bot] chore(deps): bump node from 25-alpine to 26-alpine in /tests/apps/dockerfile
- #8573: @dependabot[bot] chore(deps): bump node from 25-alpine to 26-alpine in /tests/apps/dockerfile-procfile

### Dependencies

- #8579: @josegonzalez Use type prefix for dokku-bot dependency label