Don't return variables to users that they should not be able to see; closes #2388

Dane Everitt 2020-09-22 21:12:00 -07:00
parent 7968258004
commit 2182a15494
No known key found for this signature in database
GPG key ID: EEA66103B3D71F53
2 changed files with 15 additions and 5 deletions


@ -2,15 +2,12 @@
namespace Pterodactyl\Http\Controllers\Api\Client\Servers;
use Carbon\CarbonImmutable;
use Pterodactyl\Models\Server;
use Illuminate\Http\JsonResponse;
use Pterodactyl\Services\Servers\StartupCommandService;
use Pterodactyl\Services\Servers\VariableValidatorService;
use Pterodactyl\Repositories\Eloquent\ServerVariableRepository;
use Pterodactyl\Transformers\Api\Client\EggVariableTransformer;
use Pterodactyl\Http\Controllers\Api\Client\ClientApiController;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Pterodactyl\Http\Requests\Api\Client\Servers\Startup\GetStartupRequest;
use Pterodactyl\Http\Requests\Api\Client\Servers\Startup\UpdateStartupVariableRequest;
@ -59,7 +56,9 @@ class StartupController extends ClientApiController
{
$startup = $this->startupCommandService->handle($server, false);
return $this->fractal->collection($server->variables)
return $this->fractal->collection(
$server->variables()->where('user_viewable', true)->get()
)
->transformWith($this->getTransformer(EggVariableTransformer::class))
->addMeta([
'startup_command' => $startup,
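Review bot: The `user_viewable` filter on the collection closes the listing leak, but the `startup_command` meta built from `$this->startupCommandService->handle($server, false)` on the line above the `return` is still sent in the same response; if that rendered command interpolates variable values, a hidden variable's value can still reach the client through it, so it is worth confirming that the `false` argument means hidden variables are left out of the rendered string. The same class imports `UpdateStartupVariableRequest` and `VariableValidatorService`, which suggests an update endpoint outside this hunk; that path should reject hidden or non-editable variables before touching the value, rather than relying on the transformer's new `BadMethodCallException`, which would surface as a 500 instead of a 404. A one-line why-comment on the added query would make the intent durable: `// Only user_viewable variables may be returned to a client; hidden ones can carry secrets.`. The enclosing method starts before this hunk and continues past it.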


@ -2,6 +2,8 @@
namespace Pterodactyl\Transformers\Api\Client;
use BadMethodCallException;
use InvalidArgumentException;
use Pterodactyl\Models\EggVariable;
class EggVariableTransformer extends BaseClientTransformer
@ -20,6 +22,15 @@ class EggVariableTransformer extends BaseClientTransformer
*/
public function transform(EggVariable $variable)
{
// This guards against someone incorrectly retrieving variables (haha, me) and then passing
// them into the transformer and along to the user. Just throw an exception and break the entire
// pathway since you should never be exposing these types of variables to a client.
if (!$variable->user_viewable) {
throw new BadMethodCallException(
'Cannot transform a hidden egg variable in a client transformer.'
);
}
return [
'name' => $variable->name,
'description' => $variable->description,