To Reproduce
curl https://dokploy.com/install.sh | grep 'POSTGRES_PASSWORD'
Returns --env POSTGRES_PASSWORD=amukds4wi9001583845717ad2
Current vs. Expected behavior
Currently a password is hardcoded in many files, like:
"postgres://dokploy:amukds4wi9001583845717ad2@dokploy-postgres:5432/dokploy";
Provide environment information
Which area(s) are affected? (Select all that apply)
Databases
Are you deploying the applications where Dokploy is installed or on a remote server?
Same server where Dokploy is installed
Additional context
This security issue looks exactly like a recently found backdoor in rustfs, GHSA-h956-rh7x-ppgj
I had mentioned this problem almost one year ago in #1952 (comment)
Will you send a PR to fix it?
Maybe, need help
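
A check for the pattern this report describes, as an added example that is not part of the original issue or Dokploy's own code: it flags literal values in `--env NAME=VALUE` arguments and in `scheme://user:password@host` URLs, and skips values that are shell or template expansions. The function names, the name heuristic (PASS, SECRET, TOKEN) and the sample file contents are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not Dokploy code): flag literal credentials in a script or source file.
# Reports "line:kind:name" and never echoes the secret value itself.

scan_hardcoded_secrets() {   # $1 = file to scan; returns 1 if anything was found
    awk '
    function report(kind, name) { printf "%d:%s:%s\n", NR, kind, name; found++ }
    {
        # Form 1: --env NAME=VALUE with a secret-looking NAME and a literal VALUE
        rest = $0
        while (match(rest, /--env[ =]+[A-Za-z_][A-Za-z0-9_]*=[^ \t]+/)) {
            tok = substr(rest, RSTART, RLENGTH)
            rest = substr(rest, RSTART + RLENGTH)
            sub(/^--env[ =]+/, "", tok)
            eq = index(tok, "=")
            name = substr(tok, 1, eq - 1)
            val = substr(tok, eq + 1)
            gsub(/"/, "", val)
            # A value starting with $ is a shell expansion, not a literal
            if (toupper(name) ~ /PASS|SECRET|TOKEN/ && val != "" && val !~ /^\$/)
                report("env", name)
        }
        # Form 2: scheme://user:password@host with a literal password
        rest = $0
        while (match(rest, /[a-z][a-z0-9+.-]*:\/\/[^:\/@ \t]+:[^@\/ \t]+@/)) {
            tok = substr(rest, RSTART, RLENGTH)
            rest = substr(rest, RSTART + RLENGTH)
            cut = index(tok, "://")
            cred = substr(tok, cut + 3)
            if (substr(cred, index(cred, ":") + 1) !~ /^\$/)
                report("url", substr(tok, 1, cut - 1))
        }
    }
    END { exit (found > 0) }
    ' "$1"
}

write_sample() {   # $1 = output path; constructed input, all values are placeholders
    cat > "$1" <<'EOF'
docker service create --name db \
  --env POSTGRES_USER=app \
  --env POSTGRES_PASSWORD=EXAMPLE-NOT-A-REAL-SECRET \
  --env REDIS_PASSWORD="$REDIS_PW" \
  postgres:16
const url = "postgres://app:EXAMPLE-NOT-A-REAL-SECRET@db:5432/app";
const safe = `postgres://app:${process.env.DB_PW}@db:5432/app`;
EOF
}
```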
