Skynet/misc_pterodactyl-panel
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Address security vulnerability when listing servers as a client

Browse source
This commit is contained in:
Dane Everitt 2020-07-26 11:40:48 -07:00
parent 78514f9eb4
commit 6d69f6ef47
No known key found for this signature in database
GPG key ID: EEA66103B3D71F53
1 changed files with 15 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
app/Repositories/Eloquent/ServerRepository.php
View file

@ -225,18 +225,23 @@ class ServerRepository extends EloquentRepository implements ServerRepositoryInt
$instance->where('owner_id', $user->id);
}
// If set to all, display all servers they can access, including
// those they access as an admin. If set to subuser, only return
// the servers they can access because they are owner, or marked
// as a subuser of the server.
elseif (($level === User::FILTER_LEVEL_ALL && ! $user->root_admin) || $level === User::FILTER_LEVEL_SUBUSER) {
$instance->whereIn('id', $this->getUserAccessServers($user->id));
// Only allow these two filters if the user is an administrator.
elseif ($user->root_admin && in_array($level, [ User::FILTER_LEVEL_ALL, User::FILTER_LEVEL_ADMIN ])) {
// We specifically only match admin in here. If they request all servers and are a root admin
// we just won't append any filters to the builder and thus they'll be able to see everything
// since this will skip over that final else block.
if ($level === User::FILTER_LEVEL_ADMIN) {
$instance->whereNotIn('id', $this->getUserAccessServers($user->id));
}
}
// If set to admin, only display the servers a user can access
// as an administrator (leaves out owned and subuser of).
elseif ($level === User::FILTER_LEVEL_ADMIN && $user->root_admin) {
$instance->whereNotIn('id', $this->getUserAccessServers($user->id));
// If we did not match on the user being an administrator and requesting all/admin only or the user
// is not an admin and requested those locked endpoints, just return all of the servers the user actually
// has access to.
//
// @see https://github.com/pterodactyl/panel/security/advisories/GHSA-6888-7f3w-92jx
else {
$instance->whereIn('id', $this->getUserAccessServers($user->id));
}
$instance->search($this->getSearchTerm());