From 4b919cabd2cddd73662e2304f0c3ac7b95539e5c Mon Sep 17 00:00:00 2001
From: Dane Everitt
Date: Thu, 27 Aug 2020 19:35:22 -0700
Subject: [PATCH] Correctly validation API calls to mark a backup as completed

Also block modifying a backup that is already marked as completed via the endpoint
---
 .../Api/Remote/Backups/BackupStatusController.php | 15 ++++++++++++++-
 .../Api/Remote/ReportBackupCompleteRequest.php | 4 ++--
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php b/app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php
index e658a8012..57d1f3b4b 100644
--- a/app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php
+++ b/app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php
@@ -7,6 +7,8 @@ use Carbon\CarbonImmutable;
 use Illuminate\Http\JsonResponse;
 use Pterodactyl\Http\Controllers\Controller;
 use Pterodactyl\Repositories\Eloquent\BackupRepository;
+use Pterodactyl\Exceptions\Http\HttpForbiddenException;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Pterodactyl\Http\Requests\Api\Remote\ReportBackupCompleteRequest;
 
 class BackupStatusController extends Controller
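Review bot: `HttpForbiddenException` is imported in this hunk, but nothing in the patch throws it; the only exception raised in the new `__invoke` body is `BadRequestHttpException`. The diffstat's 15 changed lines for this file are all accounted for by the two visible hunks, so the import appears to be unused. Either drop `use Pterodactyl\Exceptions\Http\HttpForbiddenException;` or add the permission check it was presumably meant for.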
@@ -32,10 +34,21 @@ class BackupStatusController extends Controller
 * @param \Pterodactyl\Http\Requests\Api\Remote\ReportBackupCompleteRequest $request
 * @param string $backup
 * @return \Illuminate\Http\JsonResponse
+ *
+ * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
 */
 public function __invoke(ReportBackupCompleteRequest $request, string $backup)
 {
- $this->repository->updateWhere([['uuid', '=', $backup]], [
+ /** @var \Pterodactyl\Models\Backup $model */
+ $model = $this->repository->findFirstWhere([[ 'uuid', '=', $backup ]]);
+
+ if (!is_null($model->completed_at)) {
+ throw new BadRequestHttpException(
+ 'Cannot update the status of a backup that is already marked as completed.'
+ );
+ }
+
+ $model->update([
 'is_successful' => $request->input('successful') ? true : false,
 'checksum' => $request->input('checksum_type') . ':' . $request->input('checksum'),
 'bytes' => $request->input('size'),
diff --git a/app/Http/Requests/Api/Remote/ReportBackupCompleteRequest.php b/app/Http/Requests/Api/Remote/ReportBackupCompleteRequest.php
index 709961b71..a90a2b2b9 100644
--- a/app/Http/Requests/Api/Remote/ReportBackupCompleteRequest.php
+++ b/app/Http/Requests/Api/Remote/ReportBackupCompleteRequest.php
@@ -12,9 +12,9 @@ class ReportBackupCompleteRequest extends FormRequest
 public function rules()
 {
 return [
- 'successful' => 'boolean',
+ 'successful' => 'present|boolean',
 'checksum' => 'nullable|string|required_if:successful,true',
- 'checksum_type' => 'string|required_if:successful,true',
+ 'checksum_type' => 'nullable|string|required_if:successful,true',
 'size' => 'nullable|numeric|required_if:successful,true',
 ];
 }
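Review bot: The backup is looked up by `uuid` alone in `findFirstWhere([[ 'uuid', '=', $backup ]])`, and nothing visible in `__invoke` ties that record to the node that sent the request. If the remote API's authentication does not already scope this route, any authenticated node could report completion (and set the checksum and size) for a backup that lives on another node. I would compare the backup's owning node with the authenticated caller right after the lookup and reject a mismatch with the already imported exception, e.g. `throw new HttpForbiddenException('This backup does not belong to the requesting node.');`. The `completed_at` check followed by `$model->update()` is also not atomic, so two simultaneous reports can both pass it. The update array continues past the end of the hunk.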
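Review bot: Making `checksum_type` `nullable` means a failed backup can now validate with both checksum fields null, and the unchanged `'checksum' => ...` line in `BackupStatusController::__invoke` still concatenates them, which stores the string `:` instead of an empty value. Build the value only on success, e.g. `'checksum' => $request->input('successful') ? $request->input('checksum_type') . ':' . $request->input('checksum') : null,` (assuming the column accepts null, which is not visible here). `checksum_type` is also an unbounded free-form string; if the daemon only ever sends a fixed set of algorithm names, an allow-list rule would keep arbitrary values out of the stored checksum.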