Enforce the egg's file denylist more thoroughly
Closes pterodactyl/panel#5042
parent
1f77d2256b
commit
e7139a9dc9
|
@ -78,6 +78,11 @@ func getDownloadFile(c *gin.Context) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if err := s.Filesystem().IsIgnored(token.FilePath); err != nil {
|
||||||
|
middleware.CaptureAndAbort(c, err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
f, st, err := s.Filesystem().File(token.FilePath)
|
f, st, err := s.Filesystem().File(token.FilePath)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
middleware.CaptureAndAbort(c, err)
|
middleware.CaptureAndAbort(c, err)
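Review bot: The denylist check in getDownloadFile is a separate call placed just before `s.Filesystem().File(token.FilePath)`, and the same check-then-open pair is repeated in getServerFileContents and in the SFTP Fileread handler, so enforcement depends on every caller of `File` remembering it. Consider doing the check inside `Filesystem.File` (or in one wrapper that all read paths use) so a new route cannot skip it. If the per-route calls stay, record the contract where `File` is declared, e.g. `// File does not apply the egg denylist; callers must call IsIgnored first.` (assuming File really does not enforce it, which is not visible here). The body of getDownloadFile continues outside the hunk.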
|
||||||
|
|
|
@ -31,6 +31,10 @@ import (
|
||||||
func getServerFileContents(c *gin.Context) {
|
func getServerFileContents(c *gin.Context) {
|
||||||
s := middleware.ExtractServer(c)
|
s := middleware.ExtractServer(c)
|
||||||
p := strings.TrimLeft(c.Query("file"), "/")
|
p := strings.TrimLeft(c.Query("file"), "/")
|
||||||
|
if err := s.Filesystem().IsIgnored(p); err != nil {
|
||||||
|
middleware.CaptureAndAbort(c, err)
|
||||||
|
return
|
||||||
|
}
|
||||||
f, st, err := s.Filesystem().File(p)
|
f, st, err := s.Filesystem().File(p)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
middleware.CaptureAndAbort(c, err)
|
middleware.CaptureAndAbort(c, err)
|
||||||
|
@ -214,6 +218,9 @@ func postServerDeleteFiles(c *gin.Context) {
|
||||||
case <-ctx.Done():
|
case <-ctx.Done():
|
||||||
return ctx.Err()
|
return ctx.Err()
|
||||||
default:
|
default:
|
||||||
|
if err := s.Filesystem().IsIgnored(pi); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
return s.Filesystem().Delete(pi)
|
return s.Filesystem().Delete(pi)
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
@ -324,6 +331,11 @@ func postServerPullRemoteFile(c *gin.Context) {
|
||||||
UseHeader: data.UseHeader,
|
UseHeader: data.UseHeader,
|
||||||
})
|
})
|
||||||
|
|
||||||
|
if err := s.Filesystem().IsIgnored(dl.Path()); err != nil {
|
||||||
|
middleware.CaptureAndAbort(c, err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
download := func() error {
|
download := func() error {
|
||||||
s.Log().WithField("download_id", dl.Identifier).WithField("url", u.String()).Info("starting pull of remote file to disk")
|
s.Log().WithField("download_id", dl.Identifier).WithField("url", u.String()).Info("starting pull of remote file to disk")
|
||||||
if err := dl.Execute(); err != nil {
|
if err := dl.Execute(); err != nil {
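Review bot: In postServerPullRemoteFile the denylist is checked once against `dl.Path()` before `dl.Execute()` runs, yet the download is built with `UseHeader: data.UseHeader`, which suggests the final file name may come from the remote response rather than from the request. If Execute can change the destination name, the path that is actually written is never checked. The check should be repeated on the resolved path inside the download step, before any bytes are written, e.g. `if err := s.Filesystem().IsIgnored(dl.Path()); err != nil { return err }` at the point where the name is final. Execute's body is not visible in this hunk, so this needs confirming against the downloader.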
|
||||||
|
|
|
@ -28,6 +28,11 @@ import (
|
||||||
// and the compressed file will be placed at that location named
|
// and the compressed file will be placed at that location named
|
||||||
// `archive-{date}.tar.gz`.
|
// `archive-{date}.tar.gz`.
|
||||||
func (fs *Filesystem) CompressFiles(dir string, paths []string) (ufs.FileInfo, error) {
|
func (fs *Filesystem) CompressFiles(dir string, paths []string) (ufs.FileInfo, error) {
|
||||||
|
for _, file := range paths {
|
||||||
|
if err := fs.IsIgnored(path.Join(dir, file)); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
}
|
||||||
a := &Archive{Filesystem: fs, BaseDirectory: dir, Files: paths}
|
a := &Archive{Filesystem: fs, BaseDirectory: dir, Files: paths}
|
||||||
d := path.Join(
|
d := path.Join(
|
||||||
dir,
|
dir,
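Review bot: The new loop in CompressFiles checks only the entries named in `paths`, so a directory listed there passes even when it contains files the denylist covers. Unless `Archive` applies the same denylist while it walks `Files` (not visible in this hunk), those nested files end up in the archive and can be read from it. The walker should skip or reject denied entries, or the archive step should call `fs.IsIgnored` on every path it adds. The function body continues outside the hunk.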
|
||||||
|
|
|
@ -79,6 +79,9 @@ func (h *Handler) Fileread(request *sftp.Request) (io.ReaderAt, error) {
|
||||||
}
|
}
|
||||||
h.mu.Lock()
|
h.mu.Lock()
|
||||||
defer h.mu.Unlock()
|
defer h.mu.Unlock()
|
||||||
|
if err := h.fs.IsIgnored(request.Filepath); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
f, _, err := h.fs.File(request.Filepath)
|
f, _, err := h.fs.File(request.Filepath)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if !errors.Is(err, os.ErrNotExist) {
|
if !errors.Is(err, os.ErrNotExist) {
|
||||||
|
@ -104,6 +107,10 @@ func (h *Handler) Filewrite(request *sftp.Request) (io.WriterAt, error) {
|
||||||
|
|
||||||
h.mu.Lock()
|
h.mu.Lock()
|
||||||
defer h.mu.Unlock()
|
defer h.mu.Unlock()
|
||||||
|
|
||||||
|
if err := h.fs.IsIgnored(request.Filepath); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
// The specific permission required to perform this action. If the file exists on the
|
// The specific permission required to perform this action. If the file exists on the
|
||||||
// system already it only needs to be an update, otherwise we'll check for a create.
|
// system already it only needs to be an update, otherwise we'll check for a create.
|
||||||
permission := PermissionFileUpdate
|
permission := PermissionFileUpdate
|
||||||
|
@ -148,6 +155,10 @@ func (h *Handler) Filecmd(request *sftp.Request) error {
|
||||||
l = l.WithField("target", request.Target)
|
l = l.WithField("target", request.Target)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if err := h.fs.IsIgnored(request.Filepath); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
switch request.Method {
|
switch request.Method {
|
||||||
// Allows a user to make changes to the permissions of a given file or directory
|
// Allows a user to make changes to the permissions of a given file or directory
|
||||||
// on their server using their SFTP client.
|
// on their server using their SFTP client.
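Review bot: Filecmd checks only `request.Filepath`, but the lines just above log `request.Target`, so commands that take a second path (presumably rename and symlink) are not checked on the destination side. A denied name could then be created or replaced through the target without the check firing. Add `if request.Target != "" { if err := h.fs.IsIgnored(request.Target); err != nil { return err } }` next to the existing check. The switch on `request.Method` continues outside the hunk, so which methods actually use Target is inferred.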
|
||||||
|
|