sonot
/
PteroTheme
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Don't return variables to users that they should not be able to see; closes #2388

This commit is contained in:
Dane Everitt 2020-09-22 21:12:00 -07:00
parent 7968258004
commit 2182a15494
No known key found for this signature in database
GPG Key ID: EEA66103B3D71F53
2 changed files with 15 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
app/Http/Controllers/Api/Client/Servers/StartupController.php
View File

@ -2,15 +2,12 @@
namespace Pterodactyl\Http\Controllers\Api\Client\Servers; namespace Pterodactyl\Http\Controllers\Api\Client\Servers;
use Carbon\CarbonImmutable;
use Pterodactyl\Models\Server; use Pterodactyl\Models\Server;
use Illuminate\Http\JsonResponse;
use Pterodactyl\Services\Servers\StartupCommandService; use Pterodactyl\Services\Servers\StartupCommandService;
use Pterodactyl\Services\Servers\VariableValidatorService; use Pterodactyl\Services\Servers\VariableValidatorService;
use Pterodactyl\Repositories\Eloquent\ServerVariableRepository; use Pterodactyl\Repositories\Eloquent\ServerVariableRepository;
use Pterodactyl\Transformers\Api\Client\EggVariableTransformer; use Pterodactyl\Transformers\Api\Client\EggVariableTransformer;
use Pterodactyl\Http\Controllers\Api\Client\ClientApiController; use Pterodactyl\Http\Controllers\Api\Client\ClientApiController;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException; use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Pterodactyl\Http\Requests\Api\Client\Servers\Startup\GetStartupRequest; use Pterodactyl\Http\Requests\Api\Client\Servers\Startup\GetStartupRequest;
use Pterodactyl\Http\Requests\Api\Client\Servers\Startup\UpdateStartupVariableRequest; use Pterodactyl\Http\Requests\Api\Client\Servers\Startup\UpdateStartupVariableRequest;
@ -59,7 +56,9 @@ class StartupController extends ClientApiController
{ {
$startup = $this->startupCommandService->handle($server, false); $startup = $this->startupCommandService->handle($server, false);
return $this->fractal->collection($server->variables) return $this->fractal->collection(
$server->variables()->where('user_viewable', true)->get()
)
->transformWith($this->getTransformer(EggVariableTransformer::class)) ->transformWith($this->getTransformer(EggVariableTransformer::class))
->addMeta([ ->addMeta([
'startup_command' => $startup, 'startup_command' => $startup,
@ -84,7 +83,7 @@ class StartupController extends ClientApiController
/** @var \Pterodactyl\Models\EggVariable $variable */ /** @var \Pterodactyl\Models\EggVariable $variable */
$variable = $server->variables()->where('env_variable', $request->input('key'))->first(); $variable = $server->variables()->where('env_variable', $request->input('key'))->first();
if (is_null($variable) || !$variable->user_viewable) { if (is_null($variable) || ! $variable->user_viewable) {
throw new BadRequestHttpException( throw new BadRequestHttpException(
"The environment variable you are trying to edit does not exist." "The environment variable you are trying to edit does not exist."
); );

11
app/Transformers/Api/Client/EggVariableTransformer.php
View File

@ -2,6 +2,8 @@
namespace Pterodactyl\Transformers\Api\Client; namespace Pterodactyl\Transformers\Api\Client;
use BadMethodCallException;
use InvalidArgumentException;
use Pterodactyl\Models\EggVariable; use Pterodactyl\Models\EggVariable;
class EggVariableTransformer extends BaseClientTransformer class EggVariableTransformer extends BaseClientTransformer
@ -20,6 +22,15 @@ class EggVariableTransformer extends BaseClientTransformer
*/ */
public function transform(EggVariable $variable) public function transform(EggVariable $variable)
{ {
// This guards against someone incorrectly retrieving variables (haha, me) and then passing
// them into the transformer and along to the user. Just throw an exception and break the entire
// pathway since you should never be exposing these types of variables to a client.
if (!$variable->user_viewable) {
throw new BadMethodCallException(
'Cannot transform a hidden egg variable in a client transformer.'
);
}
return [ return [
'name' => $variable->name, 'name' => $variable->name,
'description' => $variable->description, 'description' => $variable->description,