From 2182a15494e3fd600f1b46f236dbb734a18e5b9d Mon Sep 17 00:00:00 2001
From: Dane Everitt
Date: Tue, 22 Sep 2020 21:12:00 -0700
Subject: [PATCH] Don't return variables to users that they should not be able to see; closes #2388
---
 .../Api/Client/Servers/StartupController.php | 9 ++++-----
 .../Api/Client/EggVariableTransformer.php | 11 +++++++++++
 2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/app/Http/Controllers/Api/Client/Servers/StartupController.php b/app/Http/Controllers/Api/Client/Servers/StartupController.php
index 16975a1be..8ab62a02c 100644
--- a/app/Http/Controllers/Api/Client/Servers/StartupController.php
+++ b/app/Http/Controllers/Api/Client/Servers/StartupController.php
@@ -2,15 +2,12 @@
 namespace Pterodactyl\Http\Controllers\Api\Client\Servers;
-use Carbon\CarbonImmutable;
 use Pterodactyl\Models\Server;
-use Illuminate\Http\JsonResponse;
 use Pterodactyl\Services\Servers\StartupCommandService;
 use Pterodactyl\Services\Servers\VariableValidatorService;
 use Pterodactyl\Repositories\Eloquent\ServerVariableRepository;
 use Pterodactyl\Transformers\Api\Client\EggVariableTransformer;
 use Pterodactyl\Http\Controllers\Api\Client\ClientApiController;
-use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Pterodactyl\Http\Requests\Api\Client\Servers\Startup\GetStartupRequest;
 use Pterodactyl\Http\Requests\Api\Client\Servers\Startup\UpdateStartupVariableRequest;
@@ -59,7 +56,9 @@ class StartupController extends ClientApiController
     {
         $startup = $this->startupCommandService->handle($server, false);
-        return $this->fractal->collection($server->variables)
+        return $this->fractal->collection(
+            $server->variables()->where('user_viewable', true)->get()
+        )
             ->transformWith($this->getTransformer(EggVariableTransformer::class))
             ->addMeta([
                 'startup_command' => $startup,
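Review bot: The new `where('user_viewable', true)` filter keeps hidden variables out of the returned collection, but the `startup_command` meta is built one line earlier by `$this->startupCommandService->handle($server, false)` from the unfiltered server, so if the bare `false` argument controls whether variable values are masked, the rendered command string may still embed the values of non-viewable variables and bypass this filter. Worth confirming that the service redacts non-viewable values itself, or that the second argument is what enables that, so the redaction holds in both places. The unexplained `false` literal is also a readability point; a named argument or a short inline comment stating what it toggles would help. The enclosing method starts before this hunk and continues past it.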
@@ -84,7 +83,7 @@ class StartupController extends ClientApiController
         /** @var \Pterodactyl\Models\EggVariable $variable */
         $variable = $server->variables()->where('env_variable', $request->input('key'))->first();
-        if (is_null($variable) || !$variable->user_viewable) {
+        if (is_null($variable) || ! $variable->user_viewable) {
             throw new BadRequestHttpException(
                 "The environment variable you are trying to edit does not exist."
             );
diff --git a/app/Transformers/Api/Client/EggVariableTransformer.php b/app/Transformers/Api/Client/EggVariableTransformer.php
index 62be843f2..4f7e39658 100644
--- a/app/Transformers/Api/Client/EggVariableTransformer.php
+++ b/app/Transformers/Api/Client/EggVariableTransformer.php
@@ -2,6 +2,8 @@
 namespace Pterodactyl\Transformers\Api\Client;
+use BadMethodCallException;
+use InvalidArgumentException;
 use Pterodactyl\Models\EggVariable;
 class EggVariableTransformer extends BaseClientTransformer
@@ -20,6 +22,15 @@ class EggVariableTransformer extends BaseClientTransformer
      */
     public function transform(EggVariable $variable)
     {
+        // This guards against someone incorrectly retrieving variables (haha, me) and then passing
+        // them into the transformer and along to the user. Just throw an exception and break the entire
+        // pathway since you should never be exposing these types of variables to a client.
+        if (!$variable->user_viewable) {
+            throw new BadMethodCallException(
+                'Cannot transform a hidden egg variable in a client transformer.'
+            );
+        }
+
         return [
             'name' => $variable->name,
             'description' => $variable->description,
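Review bot: `InvalidArgumentException` is imported into EggVariableTransformer but nothing in this patch throws or catches it; the guard added further down uses only `BadMethodCallException`. Unless a use exists outside the visible hunks, drop the line `+use InvalidArgumentException;` so the import list stays accurate for static analysis.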
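Review bot: The docblock of transform(), which begins above this hunk, should now declare `@throws \BadMethodCallException`, since a non-viewable variable reaching the transformer is turned into a thrown exception (surfacing as a server error to the client) rather than a silently omitted row, and callers that depend on this fail-closed behaviour should be able to see it in the contract. The guard is written `!$variable->user_viewable` while the StartupController hunk in this same patch was changed to `! $variable->user_viewable`; one spacing style should be used across the project. The `(haha, me)` aside in the comment is better replaced by the concrete intent, e.g. `// Fail closed: callers must filter on user_viewable before transforming; hidden variables are never exposed to a client.`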