From 78514f9eb494b43d6aa7ddf0248dedd55784bcaa Mon Sep 17 00:00:00 2001
From: Dane Everitt
Date: Sun, 26 Jul 2020 11:26:20 -0700
Subject: [PATCH] Disallow creating more than 5 account API keys; closes #2123

Additional fixes for https://github.com/pterodactyl/panel/security/advisories/GHSA-pjmh-7xfm-r4x9
---
 app/Http/Controllers/Base/AccountKeyController.php | 11 +++++++----
 app/Http/Controllers/Base/ClientApiController.php  | 11 +++++++++++
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/app/Http/Controllers/Base/AccountKeyController.php b/app/Http/Controllers/Base/AccountKeyController.php
index 7161b4abf..ee1a56832 100644
--- a/app/Http/Controllers/Base/AccountKeyController.php
+++ b/app/Http/Controllers/Base/AccountKeyController.php
@@ -82,10 +82,13 @@ class AccountKeyController extends Controller
      */
     public function store(StoreAccountKeyRequest $request)
     {
-        if ($this->repository->findCountWhere(['user_id' => $request->user()->id]) >= 5) {
-            throw new DisplayException(
-                'Cannot assign more than 5 API keys to an account.'
-            );
+        $count = $this->repository->findCountWhere([
+            ['user_id', '=', $request->user()->id],
+            ['key_type', '=', ApiKey::TYPE_ACCOUNT],
+        ]);
+
+        if ($count >= 5) {
+            throw new DisplayException('Cannot assign more than 5 API keys to an account.');
         }
 
         $this->keyService->setKeyType(ApiKey::TYPE_ACCOUNT)->handle([
diff --git a/app/Http/Controllers/Base/ClientApiController.php b/app/Http/Controllers/Base/ClientApiController.php
index a74c28db8..94872ff0c 100644
--- a/app/Http/Controllers/Base/ClientApiController.php
+++ b/app/Http/Controllers/Base/ClientApiController.php
@@ -8,6 +8,7 @@ use Illuminate\Http\Response;
 use Pterodactyl\Models\ApiKey;
 use Illuminate\Http\RedirectResponse;
 use Prologue\Alerts\AlertsMessageBag;
+use Pterodactyl\Exceptions\DisplayException;
 use Pterodactyl\Http\Controllers\Controller;
 use Pterodactyl\Services\Api\KeyCreationService;
 use Pterodactyl\Http\Requests\Base\CreateClientApiKeyRequest;
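Review bot: The cap in AccountKeyController::store is enforced as a read-then-write — `findCountWhere(...)` followed by `$this->keyService->setKeyType(ApiKey::TYPE_ACCOUNT)->handle(...)` with nothing serialising the two — so two requests for the same user arriving together can both observe a count of 4 and both succeed, leaving the account above the five-key limit. Since the commit ties this limit to a security advisory, it is worth enforcing at the point of insertion: perform the count and the create inside one database transaction that locks the user's key rows (or re-verify the count after the insert and roll back when it exceeds the limit), rather than trusting the pre-check alone. The identical pattern is introduced in ClientApiController::store in the last hunk and needs the same treatment. store() continues past the end of this hunk.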
@@ -73,10 +74,20 @@ class ClientApiController extends Controller
      * @param \Pterodactyl\Http\Requests\Base\CreateClientApiKeyRequest $request
      * @return \Illuminate\Http\RedirectResponse
      *
+     * @throws \Pterodactyl\Exceptions\DisplayException
      * @throws \Pterodactyl\Exceptions\Model\DataValidationException
      */
     public function store(CreateClientApiKeyRequest $request): RedirectResponse
     {
+        $count = $this->repository->findCountWhere([
+            ['user_id', '=', $request->user()->id],
+            ['key_type', '=', ApiKey::TYPE_ACCOUNT],
+        ]);
+
+        if ($count >= 5) {
+            throw new DisplayException('Cannot assign more than 5 API keys to an account.');
+        }
+
         $allowedIps = null;
         if (! is_null($request->input('allowed_ips'))) {
             $allowedIps = json_encode(explode(PHP_EOL, $request->input('allowed_ips')));
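Review bot: The count-and-throw block added at the top of ClientApiController::store is a line-for-line copy of the one in AccountKeyController::store, and in both the limit is spelled out twice (`$count >= 5` and the literal "5" inside the message), so a future change to the cap has four places to miss. A single named constant (for example a proposed `ApiKey::MAX_ACCOUNT_KEYS`, used in the comparison and interpolated into the message with sprintf), or better a check performed once inside KeyCreationService before it creates the key, would keep the two controllers from drifting apart. The hunk does not show the type of `$this->repository` in this controller; it is presumably the same API-key repository used by AccountKeyController, which is worth confirming since the check silently counts nothing if it is not. store()'s body continues beyond the end of the hunk.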