Disallow creating more than 5 account API keys; closes #2123

Additional fixes for https://github.com/pterodactyl/panel/security/advisories/GHSA-pjmh-7xfm-r4x9
Dane Everitt 2020-07-26 11:26:20 -07:00
parent 7deed07cd1
commit 78514f9eb4
GPG key ID: EEA66103B3D71F53
2 changed files with 18 additions and 4 deletions


@ -82,10 +82,13 @@ class AccountKeyController extends Controller
*/ */
public function store(StoreAccountKeyRequest $request) public function store(StoreAccountKeyRequest $request)
{ {
if ($this->repository->findCountWhere(['user_id' => $request->user()->id]) >= 5) { $count = $this->repository->findCountWhere([
throw new DisplayException( ['user_id', '=', $request->user()->id],
'Cannot assign more than 5 API keys to an account.' ['key_type', '=', ApiKey::TYPE_ACCOUNT],
); ]);
if ($count >= 5) {
throw new DisplayException('Cannot assign more than 5 API keys to an account.');
} }
$this->keyService->setKeyType(ApiKey::TYPE_ACCOUNT)->handle([ $this->keyService->setKeyType(ApiKey::TYPE_ACCOUNT)->handle([
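Review bot: The new count-then-create sequence is not atomic — the `findCountWhere` query and the `keyService->...->handle(...)` call that follows are separate statements with nothing visible serializing them, so two concurrent requests from the same user can each observe a count below 5 and together exceed the cap; the same shape appears in ClientApiController::store in the second file. If the repository does not already run this inside a transaction, wrapping the count and the creation in one (Laravel's `DB::transaction(...)`) with a lock on the user's key rows, or re-counting after the insert and rolling back on overflow, would close that window. Since the cap is enforced in each controller rather than in KeyCreationService, any other caller of `setKeyType(ApiKey::TYPE_ACCOUNT)->handle(...)` is presumably not covered; moving the check into the service would enforce it once. `store()` continues past the end of the hunk.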


@ -8,6 +8,7 @@ use Illuminate\Http\Response;
use Pterodactyl\Models\ApiKey; use Pterodactyl\Models\ApiKey;
use Illuminate\Http\RedirectResponse; use Illuminate\Http\RedirectResponse;
use Prologue\Alerts\AlertsMessageBag; use Prologue\Alerts\AlertsMessageBag;
use Pterodactyl\Exceptions\DisplayException;
use Pterodactyl\Http\Controllers\Controller; use Pterodactyl\Http\Controllers\Controller;
use Pterodactyl\Services\Api\KeyCreationService; use Pterodactyl\Services\Api\KeyCreationService;
use Pterodactyl\Http\Requests\Base\CreateClientApiKeyRequest; use Pterodactyl\Http\Requests\Base\CreateClientApiKeyRequest;
@ -73,10 +74,20 @@ class ClientApiController extends Controller
* @param \Pterodactyl\Http\Requests\Base\CreateClientApiKeyRequest $request * @param \Pterodactyl\Http\Requests\Base\CreateClientApiKeyRequest $request
* @return \Illuminate\Http\RedirectResponse * @return \Illuminate\Http\RedirectResponse
* *
* @throws \Pterodactyl\Exceptions\DisplayException
* @throws \Pterodactyl\Exceptions\Model\DataValidationException * @throws \Pterodactyl\Exceptions\Model\DataValidationException
*/ */
public function store(CreateClientApiKeyRequest $request): RedirectResponse public function store(CreateClientApiKeyRequest $request): RedirectResponse
{ {
$count = $this->repository->findCountWhere([
['user_id', '=', $request->user()->id],
['key_type', '=', ApiKey::TYPE_ACCOUNT],
]);
if ($count >= 5) {
throw new DisplayException('Cannot assign more than 5 API keys to an account.');
}
$allowedIps = null; $allowedIps = null;
if (! is_null($request->input('allowed_ips'))) { if (! is_null($request->input('allowed_ips'))) {
$allowedIps = json_encode(explode(PHP_EOL, $request->input('allowed_ips'))); $allowedIps = json_encode(explode(PHP_EOL, $request->input('allowed_ips')));
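Review bot: The limit `5` is now a bare literal in the comparison and again inside the message string, and the same pair is repeated in AccountKeyController::store, so a future change to the cap has four places to miss. A single constant (a constructed name, e.g. `public const MAX_ACCOUNT_KEYS = 5;` on ApiKey) used as `if ($count >= ApiKey::MAX_ACCOUNT_KEYS) {` and `throw new DisplayException(sprintf('Cannot assign more than %d API keys to an account.', ApiKey::MAX_ACCOUNT_KEYS));` keeps the check and the message in step. The added `@throws \Pterodactyl\Exceptions\DisplayException` line in the docblock is the right accompaniment to the new throw; the first file's docblock is cut off above its hunk, so I cannot tell whether it carries the same annotation. `store()` continues past the end of the hunk.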