Keep Domains on writeInitalConfig for CLI login

backend/src/ee/services/dynamic-secret/dynamic-secret-fns.ts

@@ -1,51 +1,31 @@
-import dns from "node:dns/promises";
-import net from "node:net";
+import crypto from "node:crypto";
 
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
-import { isPrivateIp } from "@app/lib/ip/ipRange";
 import { getDbConnectionHost } from "@app/lib/knex";
 
-export const verifyHostInputValidity = async (host: string, isGateway = false) => {
+export const verifyHostInputValidity = (host: string, isGateway = false) => {
   const appCfg = getConfig();
-  // if (appCfg.NODE_ENV === "development") return; // incase you want to remove this check in dev
+  const dbHost = appCfg.DB_HOST || getDbConnectionHost(appCfg.DB_CONNECTION_URI);
+  // no need for validation when it's dev
+  if (appCfg.NODE_ENV === "development") return;
 
-  const reservedHosts = [appCfg.DB_HOST || getDbConnectionHost(appCfg.DB_CONNECTION_URI)].concat(
-    (appCfg.DB_READ_REPLICAS || []).map((el) => getDbConnectionHost(el.DB_CONNECTION_URI)),
-    getDbConnectionHost(appCfg.REDIS_URL)
-  );
+  if (host === "host.docker.internal") throw new BadRequestError({ message: "Invalid db host" });
 
-  // get host db ip
-  const exclusiveIps: string[] = [];
-  for await (const el of reservedHosts) {
-    if (el) {
-      if (net.isIPv4(el)) {
-        exclusiveIps.push(el);
-      } else {
-        const resolvedIps = await dns.resolve4(el);
-        exclusiveIps.push(...resolvedIps);
-      }
-    }
+  if (
+    appCfg.isCloud &&
+    !isGateway &&
+    // localhost
+    // internal ips
+    (host.match(/^10\.\d+\.\d+\.\d+/) || host.match(/^192\.168\.\d+\.\d+/))
+  )
+    throw new BadRequestError({ message: "Invalid db host" });
+
+  if (
+    host === "localhost" ||
+    host === "127.0.0.1" ||
+    (dbHost?.length === host.length && crypto.timingSafeEqual(Buffer.from(dbHost || ""), Buffer.from(host)))
+  ) {
+    throw new BadRequestError({ message: "Invalid db host" });
   }
-
-  const normalizedHost = host.split(":")[0];
-  const inputHostIps: string[] = [];
-  if (net.isIPv4(host)) {
-    inputHostIps.push(host);
-  } else {
-    if (normalizedHost === "localhost" || normalizedHost === "host.docker.internal") {
-      throw new BadRequestError({ message: "Invalid db host" });
-    }
-    const resolvedIps = await dns.resolve4(host);
-    inputHostIps.push(...resolvedIps);
-  }
-
-  if (!isGateway) {
-    const isInternalIp = inputHostIps.some((el) => isPrivateIp(el));
-    if (isInternalIp) throw new BadRequestError({ message: "Invalid db host" });
-  }
-
-  const isAppUsedIps = inputHostIps.some((el) => exclusiveIps.includes(el));
-  if (isAppUsedIps) throw new BadRequestError({ message: "Invalid db host" });
-  return inputHostIps;
 };

backend/src/ee/services/dynamic-secret/providers/aws-elasticache.ts

@@ -13,7 +13,6 @@ import { customAlphabet } from "nanoid";
 import { z } from "zod";
 
 import { BadRequestError } from "@app/lib/errors";
-import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
 
 import { DynamicSecretAwsElastiCacheSchema, TDynamicProviderFns } from "./models";
 
@@ -145,14 +144,6 @@ export const AwsElastiCacheDatabaseProvider = (): TDynamicProviderFns => {
     // We can't return the parsed statements here because we need to use the handlebars template to generate the username and password, before we can use the parsed statements.
     CreateElastiCacheUserSchema.parse(JSON.parse(providerInputs.creationStatement));
     DeleteElasticCacheUserSchema.parse(JSON.parse(providerInputs.revocationStatement));
-    validateHandlebarTemplate("AWS ElastiCache creation", providerInputs.creationStatement, {
-      allowedExpressions: (val) => ["username", "password", "expiration"].includes(val)
-    });
-    if (providerInputs.revocationStatement) {
-      validateHandlebarTemplate("AWS ElastiCache revoke", providerInputs.revocationStatement, {
-        allowedExpressions: (val) => ["username"].includes(val)
-      });
-    }
 
     return providerInputs;
   };

backend/src/ee/services/dynamic-secret/providers/cassandra.ts

@@ -3,10 +3,9 @@ import handlebars from "handlebars";
 import { customAlphabet } from "nanoid";
 import { z } from "zod";
 
+import { BadRequestError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
-import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
 
-import { verifyHostInputValidity } from "../dynamic-secret-fns";
 import { DynamicSecretCassandraSchema, TDynamicProviderFns } from "./models";
 
 const generatePassword = (size = 48) => {
@@ -21,20 +20,11 @@ const generateUsername = () => {
 export const CassandraProvider = (): TDynamicProviderFns => {
   const validateProviderInputs = async (inputs: unknown) => {
     const providerInputs = await DynamicSecretCassandraSchema.parseAsync(inputs);
-    const [hostIp] = await verifyHostInputValidity(providerInputs.host);
-    validateHandlebarTemplate("Cassandra creation", providerInputs.creationStatement, {
-      allowedExpressions: (val) => ["username", "password", "expiration", "keyspace"].includes(val)
-    });
-    if (providerInputs.renewStatement) {
-      validateHandlebarTemplate("Cassandra renew", providerInputs.renewStatement, {
-        allowedExpressions: (val) => ["username", "expiration", "keyspace"].includes(val)
-      });
+    if (providerInputs.host === "localhost" || providerInputs.host === "127.0.0.1") {
+      throw new BadRequestError({ message: "Invalid db host" });
     }
-    validateHandlebarTemplate("Cassandra revoke", providerInputs.revocationStatement, {
-      allowedExpressions: (val) => ["username"].includes(val)
-    });
 
-    return { ...providerInputs, host: hostIp };
+    return providerInputs;
   };
 
   const $getClient = async (providerInputs: z.infer<typeof DynamicSecretCassandraSchema>) => {

backend/src/ee/services/dynamic-secret/providers/elastic-search.ts

@@ -19,8 +19,9 @@ const generateUsername = () => {
 export const ElasticSearchProvider = (): TDynamicProviderFns => {
   const validateProviderInputs = async (inputs: unknown) => {
     const providerInputs = await DynamicSecretElasticSearchSchema.parseAsync(inputs);
-    const [hostIp] = await verifyHostInputValidity(providerInputs.host);
-    return { ...providerInputs, host: hostIp };
+    verifyHostInputValidity(providerInputs.host);
+
+    return providerInputs;
   };
 
   const $getClient = async (providerInputs: z.infer<typeof DynamicSecretElasticSearchSchema>) => {

backend/src/ee/services/dynamic-secret/providers/mongo-db.ts

@@ -19,8 +19,8 @@ const generateUsername = () => {
 export const MongoDBProvider = (): TDynamicProviderFns => {
   const validateProviderInputs = async (inputs: unknown) => {
     const providerInputs = await DynamicSecretMongoDBSchema.parseAsync(inputs);
-    const [hostIp] = await verifyHostInputValidity(providerInputs.host);
-    return { ...providerInputs, host: hostIp };
+    verifyHostInputValidity(providerInputs.host);
+    return providerInputs;
   };
 
   const $getClient = async (providerInputs: z.infer<typeof DynamicSecretMongoDBSchema>) => {

backend/src/ee/services/dynamic-secret/providers/rabbit-mq.ts

@@ -79,8 +79,9 @@ async function deleteRabbitMqUser({ axiosInstance, usernameToDelete }: TDeleteRa
 export const RabbitMqProvider = (): TDynamicProviderFns => {
   const validateProviderInputs = async (inputs: unknown) => {
     const providerInputs = await DynamicSecretRabbitMqSchema.parseAsync(inputs);
-    const [hostIp] = await verifyHostInputValidity(providerInputs.host);
-    return { ...providerInputs, host: hostIp };
+    verifyHostInputValidity(providerInputs.host);
+
+    return providerInputs;
   };
 
   const $getClient = async (providerInputs: z.infer<typeof DynamicSecretRabbitMqSchema>) => {

backend/src/ee/services/dynamic-secret/providers/redis.ts

@@ -5,7 +5,6 @@ import { z } from "zod";
 
 import { BadRequestError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
-import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
 
 import { verifyHostInputValidity } from "../dynamic-secret-fns";
 import { DynamicSecretRedisDBSchema, TDynamicProviderFns } from "./models";
@@ -52,20 +51,8 @@ const executeTransactions = async (connection: Redis, commands: string[]): Promi
 export const RedisDatabaseProvider = (): TDynamicProviderFns => {
   const validateProviderInputs = async (inputs: unknown) => {
     const providerInputs = await DynamicSecretRedisDBSchema.parseAsync(inputs);
-    const [hostIp] = await verifyHostInputValidity(providerInputs.host);
-    validateHandlebarTemplate("Redis creation", providerInputs.creationStatement, {
-      allowedExpressions: (val) => ["username", "password", "expiration"].includes(val)
-    });
-    if (providerInputs.renewStatement) {
-      validateHandlebarTemplate("Redis renew", providerInputs.renewStatement, {
-        allowedExpressions: (val) => ["username", "expiration"].includes(val)
-      });
-    }
-    validateHandlebarTemplate("Redis revoke", providerInputs.revocationStatement, {
-      allowedExpressions: (val) => ["username"].includes(val)
-    });
-
-    return { ...providerInputs, host: hostIp };
+    verifyHostInputValidity(providerInputs.host);
+    return providerInputs;
   };
 
   const $getClient = async (providerInputs: z.infer<typeof DynamicSecretRedisDBSchema>) => {

backend/src/ee/services/dynamic-secret/providers/sap-ase.ts

@@ -5,7 +5,6 @@ import { z } from "zod";
 
 import { BadRequestError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
-import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
 
 import { verifyHostInputValidity } from "../dynamic-secret-fns";
 import { DynamicSecretSapAseSchema, TDynamicProviderFns } from "./models";
@@ -28,16 +27,8 @@ export const SapAseProvider = (): TDynamicProviderFns => {
   const validateProviderInputs = async (inputs: unknown) => {
     const providerInputs = await DynamicSecretSapAseSchema.parseAsync(inputs);
 
-    const [hostIp] = await verifyHostInputValidity(providerInputs.host);
-    validateHandlebarTemplate("SAP ASE creation", providerInputs.creationStatement, {
-      allowedExpressions: (val) => ["username", "password"].includes(val)
-    });
-    if (providerInputs.revocationStatement) {
-      validateHandlebarTemplate("SAP ASE revoke", providerInputs.revocationStatement, {
-        allowedExpressions: (val) => ["username"].includes(val)
-      });
-    }
-    return { ...providerInputs, host: hostIp };
+    verifyHostInputValidity(providerInputs.host);
+    return providerInputs;
   };
 
   const $getClient = async (providerInputs: z.infer<typeof DynamicSecretSapAseSchema>, useMaster?: boolean) => {

backend/src/ee/services/dynamic-secret/providers/sap-hana.ts

@@ -11,7 +11,6 @@ import { z } from "zod";
 
 import { BadRequestError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
-import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
 
 import { verifyHostInputValidity } from "../dynamic-secret-fns";
 import { DynamicSecretSapHanaSchema, TDynamicProviderFns } from "./models";
@@ -29,19 +28,8 @@ export const SapHanaProvider = (): TDynamicProviderFns => {
   const validateProviderInputs = async (inputs: unknown) => {
     const providerInputs = await DynamicSecretSapHanaSchema.parseAsync(inputs);
 
-    const [hostIp] = await verifyHostInputValidity(providerInputs.host);
-    validateHandlebarTemplate("SAP Hana creation", providerInputs.creationStatement, {
-      allowedExpressions: (val) => ["username", "password", "expiration"].includes(val)
-    });
-    if (providerInputs.renewStatement) {
-      validateHandlebarTemplate("SAP Hana renew", providerInputs.renewStatement, {
-        allowedExpressions: (val) => ["username", "expiration"].includes(val)
-      });
-    }
-    validateHandlebarTemplate("SAP Hana revoke", providerInputs.revocationStatement, {
-      allowedExpressions: (val) => ["username"].includes(val)
-    });
-    return { ...providerInputs, host: hostIp };
+    verifyHostInputValidity(providerInputs.host);
+    return providerInputs;
   };
 
   const $getClient = async (providerInputs: z.infer<typeof DynamicSecretSapHanaSchema>) => {

backend/src/ee/services/dynamic-secret/providers/snowflake.ts

@@ -5,7 +5,6 @@ import { z } from "zod";
 
 import { BadRequestError } from "@app/lib/errors";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
-import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
 
 import { DynamicSecretSnowflakeSchema, TDynamicProviderFns } from "./models";
 
@@ -32,18 +31,6 @@ const getDaysToExpiry = (expiryDate: Date) => {
 export const SnowflakeProvider = (): TDynamicProviderFns => {
   const validateProviderInputs = async (inputs: unknown) => {
     const providerInputs = await DynamicSecretSnowflakeSchema.parseAsync(inputs);
-    validateHandlebarTemplate("Snowflake creation", providerInputs.creationStatement, {
-      allowedExpressions: (val) => ["username", "password", "expiration"].includes(val)
-    });
-    if (providerInputs.renewStatement) {
-      validateHandlebarTemplate("Snowflake renew", providerInputs.renewStatement, {
-        allowedExpressions: (val) => ["username", "expiration"].includes(val)
-      });
-    }
-    validateHandlebarTemplate("Snowflake revoke", providerInputs.revocationStatement, {
-      allowedExpressions: (val) => ["username"].includes(val)
-    });
-
     return providerInputs;
   };
 

backend/src/ee/services/dynamic-secret/providers/sql-database.ts

@@ -5,7 +5,6 @@ import { z } from "zod";
 
 import { withGatewayProxy } from "@app/lib/gateway";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
-import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
 
 import { TGatewayServiceFactory } from "../../gateway/gateway-service";
 import { verifyHostInputValidity } from "../dynamic-secret-fns";
@@ -118,21 +117,8 @@ type TSqlDatabaseProviderDTO = {
 export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO): TDynamicProviderFns => {
   const validateProviderInputs = async (inputs: unknown) => {
     const providerInputs = await DynamicSecretSqlDBSchema.parseAsync(inputs);
-
-    const [hostIp] = await verifyHostInputValidity(providerInputs.host, Boolean(providerInputs.projectGatewayId));
-    validateHandlebarTemplate("SQL creation", providerInputs.creationStatement, {
-      allowedExpressions: (val) => ["username", "password", "expiration", "database"].includes(val)
-    });
-    if (providerInputs.renewStatement) {
-      validateHandlebarTemplate("SQL renew", providerInputs.renewStatement, {
-        allowedExpressions: (val) => ["username", "expiration", "database"].includes(val)
-      });
-    }
-    validateHandlebarTemplate("SQL revoke", providerInputs.revocationStatement, {
-      allowedExpressions: (val) => ["username", "database"].includes(val)
-    });
-
-    return { ...providerInputs, host: hostIp };
+    verifyHostInputValidity(providerInputs.host, Boolean(providerInputs.projectGatewayId));
+    return providerInputs;
   };
 
   const $getClient = async (providerInputs: z.infer<typeof DynamicSecretSqlDBSchema>) => {
@@ -158,8 +144,7 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
             }
           : undefined
       },
-      acquireConnectionTimeout: EXTERNAL_REQUEST_TIMEOUT,
-      pool: { min: 0, max: 7 }
+      acquireConnectionTimeout: EXTERNAL_REQUEST_TIMEOUT
     });
     return db;
   };

backend/src/ee/services/identity-project-additional-privilege-v2/identity-project-additional-privilege-v2-service.ts

@@ -5,7 +5,6 @@ import { ActionProjectType, TableName } from "@app/db/schemas";
 import { validatePermissionBoundary } from "@app/lib/casl/boundary";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
-import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
 import { unpackPermissions } from "@app/server/routes/sanitizedSchema/permission";
 import { ActorType } from "@app/services/auth/auth-type";
 import { TIdentityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
@@ -87,9 +86,6 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
         message: "Failed to update more privileged identity",
         details: { missingPermissions: permissionBoundary.missingPermissions }
       });
-    validateHandlebarTemplate("Identity Additional Privilege Create", JSON.stringify(customPermission || []), {
-      allowedExpressions: (val) => val.includes("identity.")
-    });
 
     const existingSlug = await identityProjectAdditionalPrivilegeDAL.findOne({
       slug,
@@ -177,10 +173,6 @@ export const identityProjectAdditionalPrivilegeV2ServiceFactory = ({
         details: { missingPermissions: permissionBoundary.missingPermissions }
       });
 
-    validateHandlebarTemplate("Identity Additional Privilege Update", JSON.stringify(data.permissions || []), {
-      allowedExpressions: (val) => val.includes("identity.")
-    });
-
     if (data?.slug) {
       const existingSlug = await identityProjectAdditionalPrivilegeDAL.findOne({
         slug: data.slug,

backend/src/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service.ts

@@ -5,7 +5,6 @@ import { ActionProjectType } from "@app/db/schemas";
 import { validatePermissionBoundary } from "@app/lib/casl/boundary";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
-import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
 import { UnpackedPermissionSchema } from "@app/server/routes/sanitizedSchema/permission";
 import { ActorType } from "@app/services/auth/auth-type";
 import { TIdentityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
@@ -103,10 +102,6 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     });
     if (existingSlug) throw new BadRequestError({ message: "Additional privilege of provided slug exist" });
 
-    validateHandlebarTemplate("Identity Additional Privilege Create", JSON.stringify(customPermission || []), {
-      allowedExpressions: (val) => val.includes("identity.")
-    });
-
     const packedPermission = JSON.stringify(packRules(customPermission));
     if (!dto.isTemporary) {
       const additionalPrivilege = await identityProjectAdditionalPrivilegeDAL.create({
@@ -208,9 +203,6 @@ export const identityProjectAdditionalPrivilegeServiceFactory = ({
     }
 
     const isTemporary = typeof data?.isTemporary !== "undefined" ? data.isTemporary : identityPrivilege.isTemporary;
-    validateHandlebarTemplate("Identity Additional Privilege Update", JSON.stringify(data.permissions || []), {
-      allowedExpressions: (val) => val.includes("identity.")
-    });
 
     const packedPermission = data.permissions ? JSON.stringify(packRules(data.permissions)) : undefined;
     if (isTemporary) {

backend/src/ee/services/project-user-additional-privilege/project-user-additional-privilege-service.ts

@@ -5,7 +5,6 @@ import { ActionProjectType, TableName } from "@app/db/schemas";
 import { validatePermissionBoundary } from "@app/lib/casl/boundary";
 import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
 import { ms } from "@app/lib/ms";
-import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
 import { UnpackedPermissionSchema } from "@app/server/routes/sanitizedSchema/permission";
 import { ActorType } from "@app/services/auth/auth-type";
 import { TProjectMembershipDALFactory } from "@app/services/project-membership/project-membership-dal";
@@ -93,10 +92,6 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
     if (existingSlug)
       throw new BadRequestError({ message: `Additional privilege with provided slug ${slug} already exists` });
 
-    validateHandlebarTemplate("User Additional Privilege Create", JSON.stringify(customPermission || []), {
-      allowedExpressions: (val) => val.includes("identity.")
-    });
-
     const packedPermission = JSON.stringify(packRules(customPermission));
     if (!dto.isTemporary) {
       const additionalPrivilege = await projectUserAdditionalPrivilegeDAL.create({
@@ -190,10 +185,6 @@ export const projectUserAdditionalPrivilegeServiceFactory = ({
         throw new BadRequestError({ message: `Additional privilege with provided slug ${dto.slug} already exists` });
     }
 
-    validateHandlebarTemplate("User Additional Privilege Update", JSON.stringify(dto.permissions || []), {
-      allowedExpressions: (val) => val.includes("identity.")
-    });
-
     const isTemporary = typeof dto?.isTemporary !== "undefined" ? dto.isTemporary : userPrivilege.isTemporary;
 
     const packedPermission = dto.permissions && JSON.stringify(packRules(dto.permissions));

backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue-fn.ts

@@ -8,9 +8,10 @@ import axios from "axios";
 import jmespath from "jmespath";
 import knex from "knex";
 
+import { getConfig } from "@app/lib/config/env";
+import { getDbConnectionHost } from "@app/lib/knex";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 
-import { verifyHostInputValidity } from "../../dynamic-secret/dynamic-secret-fns";
 import { TAssignOp, TDbProviderClients, TDirectAssignOp, THttpProviderFunction } from "../templates/types";
 import { TSecretRotationData, TSecretRotationDbFn } from "./secret-rotation-queue-types";
 
@@ -87,14 +88,32 @@ export const secretRotationDbFn = async ({
   variables,
   options
 }: TSecretRotationDbFn) => {
+  const appCfg = getConfig();
+
   const ssl = ca ? { rejectUnauthorized: false, ca } : undefined;
-  const [hostIp] = await verifyHostInputValidity(host);
+  const isCloud = Boolean(appCfg.LICENSE_SERVER_KEY); // quick and dirty way to check if its cloud or not
+  const dbHost = appCfg.DB_HOST || getDbConnectionHost(appCfg.DB_CONNECTION_URI);
+
+  if (
+    isCloud &&
+    // internal ips
+    (host === "host.docker.internal" || host.match(/^10\.\d+\.\d+\.\d+/) || host.match(/^192\.168\.\d+\.\d+/))
+  )
+    throw new Error("Invalid db host");
+  if (
+    host === "localhost" ||
+    host === "127.0.0.1" ||
+    // database infisical uses
+    dbHost === host
+  )
+    throw new Error("Invalid db host");
+
   const db = knex({
     client,
     connection: {
       database,
       port,
-      host: hostIp,
+      host,
       user: username,
       password,
       connectionTimeoutMillis: EXTERNAL_REQUEST_TIMEOUT,

backend/src/lib/ip/ipRange.ts

@@ -1,61 +0,0 @@
-import { BlockList } from "node:net";
-
-import { BadRequestError } from "../errors";
-// Define BlockList instances for each range type
-const ipv4RangeLists: Record<string, BlockList> = {
-  unspecified: new BlockList(),
-  broadcast: new BlockList(),
-  multicast: new BlockList(),
-  linkLocal: new BlockList(),
-  loopback: new BlockList(),
-  carrierGradeNat: new BlockList(),
-  private: new BlockList(),
-  reserved: new BlockList()
-};
-
-// Add IPv4 CIDR ranges to each BlockList
-ipv4RangeLists.unspecified.addSubnet("0.0.0.0", 8);
-ipv4RangeLists.broadcast.addAddress("255.255.255.255");
-ipv4RangeLists.multicast.addSubnet("224.0.0.0", 4);
-ipv4RangeLists.linkLocal.addSubnet("169.254.0.0", 16);
-ipv4RangeLists.loopback.addSubnet("127.0.0.0", 8);
-ipv4RangeLists.carrierGradeNat.addSubnet("100.64.0.0", 10);
-
-// IPv4 Private ranges
-ipv4RangeLists.private.addSubnet("10.0.0.0", 8);
-ipv4RangeLists.private.addSubnet("172.16.0.0", 12);
-ipv4RangeLists.private.addSubnet("192.168.0.0", 16);
-
-// IPv4 Reserved ranges
-ipv4RangeLists.reserved.addSubnet("192.0.0.0", 24);
-ipv4RangeLists.reserved.addSubnet("192.0.2.0", 24);
-ipv4RangeLists.reserved.addSubnet("192.88.99.0", 24);
-ipv4RangeLists.reserved.addSubnet("198.18.0.0", 15);
-ipv4RangeLists.reserved.addSubnet("198.51.100.0", 24);
-ipv4RangeLists.reserved.addSubnet("203.0.113.0", 24);
-ipv4RangeLists.reserved.addSubnet("240.0.0.0", 4);
-
-/**
- * Checks if an IP address (IPv4) is private or public
- * inspired by: https://github.com/whitequark/ipaddr.js/blob/main/lib/ipaddr.js
- */
-export const getIpRange = (ip: string): string => {
-  try {
-    const rangeLists = ipv4RangeLists;
-    // Check each range type
-    for (const rangeName in rangeLists) {
-      if (Object.hasOwn(rangeLists, rangeName)) {
-        if (rangeLists[rangeName].check(ip)) {
-          return rangeName;
-        }
-      }
-    }
-
-    // If no range matched, it's a public address
-    return "unicast";
-  } catch (error) {
-    throw new BadRequestError({ message: "Invalid IP address", error });
-  }
-};
-
-export const isPrivateIp = (ip: string) => getIpRange(ip) !== "unicast";

backend/src/lib/template/validate-handlebars.ts

@@ -1,21 +0,0 @@
-import handlebars from "handlebars";
-
-import { BadRequestError } from "../errors";
-import { logger } from "../logger";
-
-type SanitizationArg = {
-  allowedExpressions?: (arg: string) => boolean;
-};
-
-export const validateHandlebarTemplate = (templateName: string, template: string, dto: SanitizationArg) => {
-  const parsedAst = handlebars.parse(template);
-  parsedAst.body.forEach((el) => {
-    if (el.type === "ContentStatement") return;
-    if (el.type === "MustacheStatement" && "path" in el) {
-      const { path } = el as { type: "MustacheStatement"; path: { type: "PathExpression"; original: string } };
-      if (path.type === "PathExpression" && dto?.allowedExpressions?.(path.original)) return;
-    }
-    logger.error(el, "Template sanitization failed");
-    throw new BadRequestError({ message: `Template sanitization failed: ${templateName}` });
-  });
-};

backend/src/services/project-role/project-role-service.ts

@@ -9,7 +9,6 @@ import {
   ProjectPermissionSub
 } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
-import { validateHandlebarTemplate } from "@app/lib/template/validate-handlebars";
 import { UnpackedPermissionSchema } from "@app/server/routes/sanitizedSchema/permission";
 
 import { ActorAuthMethod } from "../auth/auth-type";
@@ -73,9 +72,6 @@ export const projectRoleServiceFactory = ({
       throw new BadRequestError({ name: "Create Role", message: "Project role with same slug already exists" });
     }
 
-    validateHandlebarTemplate("Project Role Create", JSON.stringify(data.permissions || []), {
-      allowedExpressions: (val) => val.includes("identity.")
-    });
     const role = await projectRoleDAL.create({
       ...data,
       projectId
@@ -138,9 +134,7 @@ export const projectRoleServiceFactory = ({
       if (existingRole && existingRole.id !== roleId)
         throw new BadRequestError({ name: "Update Role", message: "Project role with the same slug already exists" });
     }
-    validateHandlebarTemplate("Project Role Update", JSON.stringify(data.permissions || []), {
-      allowedExpressions: (val) => val.includes("identity.")
-    });
+
     const updatedRole = await projectRoleDAL.updateById(projectRole.id, {
       ...data,
       permissions: data.permissions ? data.permissions : undefined

cli/packages/util/config.go

@@ -56,6 +56,7 @@ func WriteInitalConfig(userCredentials *models.UserCredentials) error {
 		LoggedInUsers:          existingConfigFile.LoggedInUsers,
 		VaultBackendType:       existingConfigFile.VaultBackendType,
 		VaultBackendPassphrase: existingConfigFile.VaultBackendPassphrase,
+		Domains:                existingConfigFile.Domains,
 	}
 
 	configFileMarshalled, err := json.Marshal(configFile)

frontend/src/hooks/api/secretImports/queries.tsx

@@ -182,8 +182,7 @@ export const useGetImportedSecretsAllEnvs = ({
                 comment: encSecret.secretComment,
                 createdAt: encSecret.createdAt,
                 updatedAt: encSecret.updatedAt,
-                version: encSecret.version,
-                sourceEnv: env
+                version: encSecret.version
               };
             })
           })),

frontend/src/hooks/utils/secrets-overview.tsx

@@ -86,5 +86,13 @@ export const useSecretOverview = (secrets: DashboardProjectSecretsOverview["secr
     [secrets]
   );
 
-  return { secKeys, getEnvSecretKeyCount };
+  const getSecretByKey = useCallback(
+    (env: string, key: string) => {
+      const sec = secrets?.find((s) => s.env === env && s.key === key);
+      return sec;
+    },
+    [secrets]
+  );
+
+  return { secKeys, getSecretByKey, getEnvSecretKeyCount };
 };

frontend/src/pages/secret-manager/OverviewPage/OverviewPage.tsx

@@ -81,6 +81,7 @@ import { CreateSecretForm } from "./components/CreateSecretForm";
 import { FolderBreadCrumbs } from "./components/FolderBreadCrumbs";
 import { SecretOverviewDynamicSecretRow } from "./components/SecretOverviewDynamicSecretRow";
 import { SecretOverviewFolderRow } from "./components/SecretOverviewFolderRow";
+import { SecretOverviewImportListView } from "./components/SecretOverviewImportListView";
 import {
   SecretNoAccessOverviewTableRow,
   SecretOverviewTableRow
@@ -202,16 +203,12 @@ export const OverviewPage = () => {
     setVisibleEnvs(userAvailableEnvs);
   }, [userAvailableEnvs]);
 
-  const {
-    secretImports,
-    isImportedSecretPresentInEnv,
-    getImportedSecretByKey,
-    getEnvImportedSecretKeyCount
-  } = useGetImportedSecretsAllEnvs({
-    projectId: workspaceId,
-    path: secretPath,
-    environments: (userAvailableEnvs || []).map(({ slug }) => slug)
-  });
+  const { isImportedSecretPresentInEnv, getImportedSecretByKey, getEnvImportedSecretKeyCount } =
+    useGetImportedSecretsAllEnvs({
+      projectId: workspaceId,
+      path: secretPath,
+      environments: (userAvailableEnvs || []).map(({ slug }) => slug)
+    });
 
   const { isPending: isOverviewLoading, data: overview } = useGetProjectSecretsOverview(
     {
@@ -235,6 +232,7 @@ export const OverviewPage = () => {
     secrets,
     folders,
     dynamicSecrets,
+    imports,
     totalFolderCount,
     totalSecretCount,
     totalDynamicSecretCount,
@@ -246,20 +244,16 @@ export const OverviewPage = () => {
     totalUniqueDynamicSecretsInPage
   } = overview ?? {};
 
-  const secretImportsShaped = secretImports
-    ?.flatMap(({ data }) => data)
-    .filter(Boolean)
-    .flatMap((item) => item?.secrets || []);
-
-  const handleIsImportedSecretPresentInEnv = (envSlug: string, secretName: string) => {
-    if (secrets?.some((s) => s.key === secretName && s.env === envSlug)) {
-      return false;
-    }
-    if (secretImportsShaped.some((s) => s.key === secretName && s.sourceEnv === envSlug)) {
-      return true;
-    }
-    return isImportedSecretPresentInEnv(envSlug, secretName);
-  };
+  const importsShaped = imports
+    ?.filter((el) => !el.isReserved)
+    ?.map(({ importPath, importEnv }) => ({ importPath, importEnv }))
+    .filter(
+      (el, index, self) =>
+        index ===
+        self.findIndex(
+          (item) => item.importPath === el.importPath && item.importEnv.slug === el.importEnv.slug
+        )
+    );
 
   useResetPageHelper({
     totalCount,
@@ -273,18 +267,7 @@ export const OverviewPage = () => {
   const { dynamicSecretNames, isDynamicSecretPresentInEnv } =
     useDynamicSecretOverview(dynamicSecrets);
 
-  const { secKeys, getEnvSecretKeyCount } = useSecretOverview(
-    secrets?.concat(secretImportsShaped) || []
-  );
-
-  const getSecretByKey = useCallback(
-    (env: string, key: string) => {
-      const sec = secrets?.find((s) => s.env === env && s.key === key);
-      return sec;
-    },
-    [secrets]
-  );
-
+  const { secKeys, getSecretByKey, getEnvSecretKeyCount } = useSecretOverview(secrets);
   const { data: tags } = useGetWsTags(
     permission.can(ProjectPermissionActions.Read, ProjectPermissionSub.Tags) ? workspaceId : ""
   );
@@ -1141,13 +1124,24 @@ export const OverviewPage = () => {
                         key={`overview-${dynamicSecretName}-${index + 1}`}
                       />
                     ))}
+                    {filter.import &&
+                      importsShaped &&
+                      importsShaped?.length > 0 &&
+                      importsShaped?.map((item, index) => (
+                        <SecretOverviewImportListView
+                          secretImport={item}
+                          environments={visibleEnvs}
+                          key={`overview-secret-input-${index + 1}`}
+                          allSecretImports={imports}
+                        />
+                      ))}
                     {secKeys.map((key, index) => (
                       <SecretOverviewTableRow
                         isSelected={Boolean(selectedEntries.secret[key])}
                         onToggleSecretSelect={() => toggleSelectedEntry(EntryType.SECRET, key)}
                         secretPath={secretPath}
                         getImportedSecretByKey={getImportedSecretByKey}
-                        isImportedSecretPresentInEnv={handleIsImportedSecretPresentInEnv}
+                        isImportedSecretPresentInEnv={isImportedSecretPresentInEnv}
                         onSecretCreate={handleSecretCreate}
                         onSecretDelete={handleSecretDelete}
                         onSecretUpdate={handleSecretUpdate}

frontend/src/pages/secret-manager/OverviewPage/components/SecretOverviewImportListView/SecretOverviewImportListView.tsx

@@ -0,0 +1,85 @@
+import { faCheck, faFileImport, faXmark } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+import { twMerge } from "tailwind-merge";
+
+import { Td, Tr } from "@app/components/v2";
+import { TSecretImport, WorkspaceEnv } from "@app/hooks/api/types";
+import { EnvFolderIcon } from "@app/pages/secret-manager/SecretDashboardPage/components/SecretImportListView/SecretImportItem";
+
+type Props = {
+  secretImport: { importPath: string; importEnv: WorkspaceEnv };
+  environments: { name: string; slug: string }[];
+  allSecretImports?: TSecretImport[];
+};
+
+export const SecretOverviewImportListView = ({
+  secretImport,
+  environments = [],
+  allSecretImports = []
+}: Props) => {
+  const isSecretPresentInEnv = (envSlug: string) => {
+    return allSecretImports.some((item) => {
+      if (item.isReplication) {
+        if (
+          item.importPath === secretImport.importPath &&
+          item.importEnv.slug === secretImport.importEnv.slug
+        ) {
+          const reservedItem = allSecretImports.find((element) =>
+            element.importPath.includes(`__reserve_replication_${item.id}`)
+          );
+          // If the reserved item exists, check if the envSlug matches
+          if (reservedItem) {
+            return reservedItem.environment === envSlug;
+          }
+        }
+      } else {
+        // If the item is not replication, check if the envSlug matches directly
+        return (
+          item.environment === envSlug &&
+          item.importPath === secretImport.importPath &&
+          item.importEnv.slug === secretImport.importEnv.slug
+        );
+      }
+      return false;
+    });
+  };
+
+  return (
+    <Tr className="group">
+      <Td className="sticky left-0 z-10 border-r border-mineshaft-600 bg-mineshaft-800 bg-clip-padding px-0 py-0 group-hover:bg-mineshaft-700">
+        <div className="group flex cursor-pointer">
+          <div className="flex w-11 items-center py-2 pl-5 text-green-700">
+            <FontAwesomeIcon icon={faFileImport} />
+          </div>
+          <div className="flex flex-grow items-center py-2 pl-4 pr-2">
+            <EnvFolderIcon
+              env={secretImport.importEnv.slug || ""}
+              secretPath={secretImport.importPath || ""}
+            />
+          </div>
+        </div>
+      </Td>
+      {environments.map(({ slug }, i) => {
+        const isPresent = isSecretPresentInEnv(slug);
+        return (
+          <Td
+            key={`sec-overview-${slug}-${i + 1}-value`}
+            className={twMerge(
+              "px-0 py-0 group-hover:bg-mineshaft-700",
+              isPresent ? "text-green-600" : "text-red-600"
+            )}
+          >
+            <div className="h-full w-full border-r border-mineshaft-600 px-5 py-[0.85rem]">
+              <div className="flex justify-center">
+                <FontAwesomeIcon
+                  // eslint-disable-next-line no-nested-ternary
+                  icon={isSecretPresentInEnv(slug) ? faCheck : faXmark}
+                />
+              </div>
+            </div>
+          </Td>
+        );
+      })}
+    </Tr>
+  );
+};

frontend/src/pages/secret-manager/OverviewPage/components/SecretOverviewImportListView/index.tsx

@@ -0,0 +1 @@
+export { SecretOverviewImportListView } from "./SecretOverviewImportListView";

frontend/src/pages/secret-manager/OverviewPage/components/SecretOverviewTableRow/SecretRenameRow.tsx

@@ -162,7 +162,7 @@ function SecretRenameRow({ environments, getSecretByKey, secretKey, secretPath }
           render={({ field, fieldState: { error } }) => (
             <Input
               autoComplete="off"
-              isReadOnly={isReadOnly || secrets.filter(Boolean).length === 0}
+              isReadOnly={isReadOnly}
               autoCapitalization={currentWorkspace?.autoCapitalization}
               variant="plain"
               isDisabled={isOverriden}