Enforce the egg's file denylist more thoroughly

Closes pterodactyl/panel#5042
This commit is contained in:
Victor B. 2024-03-25 15:49:34 +01:00
parent 1f77d2256b
commit e7139a9dc9
No known key found for this signature in database
GPG Key ID: E93DDAC17E5D6CA1
4 changed files with 33 additions and 0 deletions

View File

@ -78,6 +78,11 @@ func getDownloadFile(c *gin.Context) {
return return
} }
if err := s.Filesystem().IsIgnored(token.FilePath); err != nil {
middleware.CaptureAndAbort(c, err)
return
}
f, st, err := s.Filesystem().File(token.FilePath) f, st, err := s.Filesystem().File(token.FilePath)
if err != nil { if err != nil {
middleware.CaptureAndAbort(c, err) middleware.CaptureAndAbort(c, err)

View File

@ -31,6 +31,10 @@ import (
func getServerFileContents(c *gin.Context) { func getServerFileContents(c *gin.Context) {
s := middleware.ExtractServer(c) s := middleware.ExtractServer(c)
p := strings.TrimLeft(c.Query("file"), "/") p := strings.TrimLeft(c.Query("file"), "/")
if err := s.Filesystem().IsIgnored(p); err != nil {
middleware.CaptureAndAbort(c, err)
return
}
f, st, err := s.Filesystem().File(p) f, st, err := s.Filesystem().File(p)
if err != nil { if err != nil {
middleware.CaptureAndAbort(c, err) middleware.CaptureAndAbort(c, err)
@ -214,6 +218,9 @@ func postServerDeleteFiles(c *gin.Context) {
case <-ctx.Done(): case <-ctx.Done():
return ctx.Err() return ctx.Err()
default: default:
if err := s.Filesystem().IsIgnored(pi); err != nil {
return err
}
return s.Filesystem().Delete(pi) return s.Filesystem().Delete(pi)
} }
}) })
@ -324,6 +331,11 @@ func postServerPullRemoteFile(c *gin.Context) {
UseHeader: data.UseHeader, UseHeader: data.UseHeader,
}) })
if err := s.Filesystem().IsIgnored(dl.Path()); err != nil {
middleware.CaptureAndAbort(c, err)
return
}
download := func() error { download := func() error {
s.Log().WithField("download_id", dl.Identifier).WithField("url", u.String()).Info("starting pull of remote file to disk") s.Log().WithField("download_id", dl.Identifier).WithField("url", u.String()).Info("starting pull of remote file to disk")
if err := dl.Execute(); err != nil { if err := dl.Execute(); err != nil {

View File

@ -28,6 +28,11 @@ import (
// and the compressed file will be placed at that location named // and the compressed file will be placed at that location named
// `archive-{date}.tar.gz`. // `archive-{date}.tar.gz`.
func (fs *Filesystem) CompressFiles(dir string, paths []string) (ufs.FileInfo, error) { func (fs *Filesystem) CompressFiles(dir string, paths []string) (ufs.FileInfo, error) {
for _, file := range paths {
if err := fs.IsIgnored(path.Join(dir, file)); err != nil {
return nil, err
}
}
a := &Archive{Filesystem: fs, BaseDirectory: dir, Files: paths} a := &Archive{Filesystem: fs, BaseDirectory: dir, Files: paths}
d := path.Join( d := path.Join(
dir, dir,

View File

@ -79,6 +79,9 @@ func (h *Handler) Fileread(request *sftp.Request) (io.ReaderAt, error) {
} }
h.mu.Lock() h.mu.Lock()
defer h.mu.Unlock() defer h.mu.Unlock()
if err := h.fs.IsIgnored(request.Filepath); err != nil {
return nil, err
}
f, _, err := h.fs.File(request.Filepath) f, _, err := h.fs.File(request.Filepath)
if err != nil { if err != nil {
if !errors.Is(err, os.ErrNotExist) { if !errors.Is(err, os.ErrNotExist) {
@ -104,6 +107,10 @@ func (h *Handler) Filewrite(request *sftp.Request) (io.WriterAt, error) {
h.mu.Lock() h.mu.Lock()
defer h.mu.Unlock() defer h.mu.Unlock()
if err := h.fs.IsIgnored(request.Filepath); err != nil {
return nil, err
}
// The specific permission required to perform this action. If the file exists on the // The specific permission required to perform this action. If the file exists on the
// system already it only needs to be an update, otherwise we'll check for a create. // system already it only needs to be an update, otherwise we'll check for a create.
permission := PermissionFileUpdate permission := PermissionFileUpdate
@ -148,6 +155,10 @@ func (h *Handler) Filecmd(request *sftp.Request) error {
l = l.WithField("target", request.Target) l = l.WithField("target", request.Target)
} }
if err := h.fs.IsIgnored(request.Filepath); err != nil {
return err
}
switch request.Method { switch request.Method {
// Allows a user to make changes to the permissions of a given file or directory // Allows a user to make changes to the permissions of a given file or directory
// on their server using their SFTP client. // on their server using their SFTP client.