From f7520b721be068b574f2d6dd3c8733e655ac0504 Mon Sep 17 00:00:00 2001
From: Matthew Penner
Date: Sat, 17 Oct 2020 14:29:29 -0600
Subject: [PATCH] Deny /etc/pterodactyl as a source path for mounts
---
 app/Http/Controllers/Admin/MountController.php | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/app/Http/Controllers/Admin/MountController.php b/app/Http/Controllers/Admin/MountController.php
index d718c7371..1985f9396 100644
--- a/app/Http/Controllers/Admin/MountController.php
+++ b/app/Http/Controllers/Admin/MountController.php
@@ -105,6 +105,11 @@ class MountController extends Controller
 $model = (new Mount())->fill($request->validated());
 $model->forceFill(['uuid' => Uuid::uuid4()->toString()]);

+ if (str_starts_with($model->source, '/etc/pterodactyl')) {
+ $this->alert->danger('Invalid source path: "/etc/pterodactyl" cannot be used as a source path.')->flash();
+ return redirect()->route('admin.mounts');
+ }
+
 if (str_starts_with($model->source, '/var/lib/pterodactyl/volumes')) {
 $this->alert->danger('Invalid source path: "/var/lib/pterodactyl/volumes" cannot be used as a source path.')->flash();
 return redirect()->route('admin.mounts');
@@ -145,6 +150,11 @@ class MountController extends Controller

 $mount->forceFill($request->validated());

+ if (str_starts_with($mount->source, '/etc/pterodactyl')) {
+ $this->alert->danger('Invalid source path: "/etc/pterodactyl" cannot be used as a source path.')->flash();
+ return redirect()->route('admin.mounts.view', $mount->id);
+ }
+
 if (str_starts_with($mount->source, '/var/lib/pterodactyl/volumes')) {
 $this->alert->danger('Invalid source path: "/var/lib/pterodactyl/volumes" cannot be used as a source path.')->flash();
 return redirect()->route('admin.mounts.view', $mount->id);
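Review bot: The added `str_starts_with($model->source, '/etc/pterodactyl')` guard, and the identical one on `$mount->source` in the second hunk, compares the raw string, so it misses some paths and wrongly refuses others. A source written with a doubled slash or `.`/`..` segments is still accepted, as is an ancestor directory such as `/etc`, although each exposes the same directory; an unrelated sibling like `/etc/pterodactyl-old` is refused. I would normalise the path first and compare on segment boundaries in both directions, looping over one denylist so the existing `/var/lib/pterodactyl/volumes` check shares the logic; a sketch follows. Symlinks on the node cannot be resolved from the panel, so the daemon that performs the mount presumably needs the same check, which is worth confirming. Both enclosing methods start and end outside the hunks shown.

```php
// … unchanged: $model is filled from $request->validated() and given a uuid …
foreach (['/etc/pterodactyl', '/var/lib/pterodactyl/volumes'] as $denied) {
    if ($this->pathsOverlap($model->source, $denied)) {
        $this->alert->danger(sprintf('Invalid source path: "%s" cannot be used as a source path.', $denied))->flash();
        return redirect()->route('admin.mounts');
    }
}
// … the update path uses the same loop with $mount->source and the admin.mounts.view redirect …

// Suggested private helpers (names are a proposal, not existing code).
private function normalisePath(string $path): string
{
    $segments = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue; // collapses "//" and "/./"
        }
        if ($segment === '..') {
            array_pop($segments);
            continue;
        }
        $segments[] = $segment;
    }

    // Trailing slash makes the prefix test respect segment boundaries.
    return rtrim('/' . implode('/', $segments), '/') . '/';
}

private function pathsOverlap(string $source, string $denied): bool
{
    $source = $this->normalisePath($source);
    $denied = $this->normalisePath($denied);

    // Reject the denied directory, anything below it, and any ancestor that contains it.
    return str_starts_with($source, $denied) || str_starts_with($denied, $source);
}
```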