Address security vulnerability when listing servers as a client

This commit is contained in:
Dane Everitt 2020-07-26 11:40:48 -07:00
parent 78514f9eb4
commit 6d69f6ef47
No known key found for this signature in database
GPG key ID: EEA66103B3D71F53


@ -225,18 +225,23 @@ class ServerRepository extends EloquentRepository implements ServerRepositoryInt
$instance->where('owner_id', $user->id); $instance->where('owner_id', $user->id);
} }
// If set to all, display all servers they can access, including // Only allow these two filters if the user is an administrator.
// those they access as an admin. If set to subuser, only return elseif ($user->root_admin && in_array($level, [ User::FILTER_LEVEL_ALL, User::FILTER_LEVEL_ADMIN ])) {
// the servers they can access because they are owner, or marked // We specifically only match admin in here. If they request all servers and are a root admin
// as a subuser of the server. // we just won't append any filters to the builder and thus they'll be able to see everything
elseif (($level === User::FILTER_LEVEL_ALL && ! $user->root_admin) || $level === User::FILTER_LEVEL_SUBUSER) { // since this will skip over that final else block.
$instance->whereIn('id', $this->getUserAccessServers($user->id)); if ($level === User::FILTER_LEVEL_ADMIN) {
$instance->whereNotIn('id', $this->getUserAccessServers($user->id));
}
} }
// If set to admin, only display the servers a user can access // If we did not match on the user being an administrator and requesting all/admin only or the user
// as an administrator (leaves out owned and subuser of). // is not an admin and requested those locked endpoints, just return all of the servers the user actually
elseif ($level === User::FILTER_LEVEL_ADMIN && $user->root_admin) { // has access to.
$instance->whereNotIn('id', $this->getUserAccessServers($user->id)); //
// @see https://github.com/pterodactyl/panel/security/advisories/GHSA-6888-7f3w-92jx
else {
$instance->whereIn('id', $this->getUserAccessServers($user->id));
} }
$instance->search($this->getSearchTerm()); $instance->search($this->getSearchTerm());