Security Enhancement: Safe Shell Escaping for Docker Registry Authentication

[sdkakcy]

This PR addresses a security vulnerability in Docker registry authentication by replacing unsafe string interpolation with proper shell escaping.

Changes Made

• ✅ Export safeDockerLoginCommand from packages/server/src/services/registry.ts
• ✅ Replace unsafe login commands in packages/server/src/utils/providers/docker.ts
• ✅ Replace unsafe login commands in packages/server/src/utils/cluster/upload.ts
• ✅ Improve error messages for better user experience

Security Impact

Before: Docker login commands were vulnerable to shell injection:

echo "${password}" | docker login --username "${username}" --password-stdin "${registryUrl}"

After: Using safe shell escaping:

const loginCommand = safeDockerLoginCommand(registryUrl, username, password);

Benefits

• 🔒 Prevents shell injection attacks through malicious registry credentials
• 🛡️ Ensures proper escaping of special characters in usernames/passwords
• 🔄 Maintains consistent security practices across the codebase
• ✨ No breaking changes to existing functionality

Testing

• Existing functionality preserved
• No API changes
• Improved security without affecting user experience
• All affected files updated consistently

Related Issue

Closes #3382

Type of Change

• Security enhancement
• Code refactoring
• Bug fix
• New feature
• Breaking change
• Documentation update

Checklist

• My code follows the project's style guidelines
• I have performed a self-review of my code
• My changes generate no new warnings
• I have made corresponding changes to the documentation (if applicable)
• My changes follow security best practices

[sdkakcy]

Hey @Siumauricio 👋
Friendly reminder about this PR — it’s been waiting patiently for quite some time 🙂

No rush at all, just wanted to ask whether this is something you’re open to merging, or if there are any blockers / changes you’d like to see. I’m more than happy to iterate.

At the moment, due to this limitation, using GCP as a registry isn’t really possible, and I’ve had to manage the whole process manually via gcloud, which is a bit cumbersome and error-prone. That’s why this PR is quite important on my side.

Thanks a lot, and appreciate all the effort you put into maintaining Dokploy 🙏