MCorange/wings
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Enforce the egg's file denylist more thoroughly

Browse Source 
Closes pterodactyl/panel#5042
This commit is contained in:
Victor B.
2024-03-25 15:49:34 +01:00
parent 1f77d2256b
commit e7139a9dc9
4 changed files with 33 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
router/router_download.go
View File

@@ -78,6 +78,11 @@ func getDownloadFile(c *gin.Context) {
return
}
if err := s.Filesystem().IsIgnored(token.FilePath); err != nil {
middleware.CaptureAndAbort(c, err)
return
}
f, st, err := s.Filesystem().File(token.FilePath)
if err != nil {
middleware.CaptureAndAbort(c, err)

12
router/router_server_files.go
View File

@@ -31,6 +31,10 @@ import (
func getServerFileContents(c *gin.Context) {
s := middleware.ExtractServer(c)
p := strings.TrimLeft(c.Query("file"), "/")
if err := s.Filesystem().IsIgnored(p); err != nil {
middleware.CaptureAndAbort(c, err)
return
}
f, st, err := s.Filesystem().File(p)
if err != nil {
middleware.CaptureAndAbort(c, err)
@@ -214,6 +218,9 @@ func postServerDeleteFiles(c *gin.Context) {
case <-ctx.Done():
return ctx.Err()
default:
if err := s.Filesystem().IsIgnored(pi); err != nil {
return err
}
return s.Filesystem().Delete(pi)
}
})
@@ -324,6 +331,11 @@ func postServerPullRemoteFile(c *gin.Context) {
UseHeader: data.UseHeader,
})
if err := s.Filesystem().IsIgnored(dl.Path()); err != nil {
middleware.CaptureAndAbort(c, err)
return
}
download := func() error {
s.Log().WithField("download_id", dl.Identifier).WithField("url", u.String()).Info("starting pull of remote file to disk")
if err := dl.Execute(); err != nil {