Auto deploy Preview Deployments in public repos are a security risk

[timomeh]

The automatic preview deployments in pull requests are a great feature. But right now, in public repos, they seem to be a security risk.

In a public repository, anyone can open a pull request (unless you're on a paid GitHub plan I think, where you can configure who can open a Pull Request). This means that, when preview deployments are enabled, anyone can trigger a new preview deployment and deploy their code by opening a pull request. A malicious actor can access secret environment variables and execute all kinds of shady code. Depending on the domain setup, the domain will also look plausible, it has an SSL certificate, and can be used for social engineering attacks.

• I think this risk should be documented somewhere, at least in the coolify docs.
• It would be great to have a feature to restrict automatically triggered preview deployments to certain users, and (optionally) manually approve them for everyone else. Similar to how you have to approve GitHub Actions to run, or how you have to manually allow a preview deployment with Vercel.

Alternatively to the preview deployments feature, I guess you could use a webhook in a GitHub action, but it's not as good as the Preview Deployment feature.

Please correct me if I'm missing any obvious features that already exist.

[wdhdev]

I think it would be good to have some option like Enable Protected Previews or something similar which locks the preview deployments behind a login screen so only people that have access to the project can access it.

Currently what I do is I enable automatic preview deployments, but customise deployment hostname for preview deployments to something like randomid.preview.example.com and place it behind Cloudflare Access so no one can access those preview deployments except for me.

[timomeh]

placing it behind Cloudflare Access is definitely a neat idea! But Protecting who can access the Preview Deployment makes it still vulnerable to security issues, as long as anyone can create a Pull Request which triggers a Preview Deployment. The code can include things that run in the background or on application startup, like grabbing all environment variables and sending them via email or something else.

[wdhdev]

Ah yeah, that is true. I didn't think about that!

[CDE90]

I would love to see some kind of protection as mentioned here as well. It would be great to be able to use preview deployments in a public repository, but currently I cannot due to security concerns (at least not without setting up custom actions).