fix(server): safely expand zip path regex for Next.js static exports#4815
Draft
aliyan-hammad wants to merge 1 commit into
Draft
fix(server): safely expand zip path regex for Next.js static exports#4815aliyan-hammad wants to merge 1 commit into
aliyan-hammad wants to merge 1 commit into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What is this PR about?
This is a direct continuation of PR #4468. While #4468 successfully added
support for Next.js dynamic routing square brackets ( [] ) during source
code uploads, it did not account for compiled Next.js Static Exports.
When Next.js compiles a static export (especially using App Router Route
Groups), it generates highly complex chunk filenames containing characters
like ~ , $ , ! , and () . Dokploy's strict regex whitelist in
readValidDirectory currently rejects these valid files, throwing a 500
Internal Server Error (Path Traversal detected) on zip drops.
This PR safely expands the allowed regex character set ( ~ , $ , ! , ()
, = , % , + , , , . ) to fully support Next.js static builds.
Security Analysis:
In expanding this regex, I strictly followed the Principle of Least Privilege.
I explicitly removed shell chainers (like ; and & ) from the allowed characters.
While I verified that Dokploy is immune to shell injection here because it uses
pure-memory Node buffers via AdmZip rather than child_process.exec() ,
restricting shell operators in the regex maintains a hardened defense-in-depth
security posture.
Checklist
[✓] I created a dedicated branch based on the canary branch.
[✓] I have read the suggestions in the CONTRIBUTING.md file.
[✓] I have tested this PR in my local instance by successfully deploying a
compiled Next.js static export ( out/ folder).