Enforce the egg's file denylist more thoroughly

Closes pterodactyl/panel#5042
This commit is contained in:
Victor B. 2024-03-25 15:49:34 +01:00
parent 1f77d2256b
commit e7139a9dc9
No known key found for this signature in database
GPG Key ID: E93DDAC17E5D6CA1
4 changed files with 33 additions and 0 deletions

View File

@ -78,6 +78,11 @@ func getDownloadFile(c *gin.Context) {
return
}
if err := s.Filesystem().IsIgnored(token.FilePath); err != nil {
middleware.CaptureAndAbort(c, err)
return
}
f, st, err := s.Filesystem().File(token.FilePath)
if err != nil {
middleware.CaptureAndAbort(c, err)

View File

@ -31,6 +31,10 @@ import (
func getServerFileContents(c *gin.Context) {
s := middleware.ExtractServer(c)
p := strings.TrimLeft(c.Query("file"), "/")
if err := s.Filesystem().IsIgnored(p); err != nil {
middleware.CaptureAndAbort(c, err)
return
}
f, st, err := s.Filesystem().File(p)
if err != nil {
middleware.CaptureAndAbort(c, err)
@ -214,6 +218,9 @@ func postServerDeleteFiles(c *gin.Context) {
case <-ctx.Done():
return ctx.Err()
default:
if err := s.Filesystem().IsIgnored(pi); err != nil {
return err
}
return s.Filesystem().Delete(pi)
}
})
@ -324,6 +331,11 @@ func postServerPullRemoteFile(c *gin.Context) {
UseHeader: data.UseHeader,
})
if err := s.Filesystem().IsIgnored(dl.Path()); err != nil {
middleware.CaptureAndAbort(c, err)
return
}
download := func() error {
s.Log().WithField("download_id", dl.Identifier).WithField("url", u.String()).Info("starting pull of remote file to disk")
if err := dl.Execute(); err != nil {

View File

@ -28,6 +28,11 @@ import (
// and the compressed file will be placed at that location named
// `archive-{date}.tar.gz`.
func (fs *Filesystem) CompressFiles(dir string, paths []string) (ufs.FileInfo, error) {
for _, file := range paths {
if err := fs.IsIgnored(path.Join(dir, file)); err != nil {
return nil, err
}
}
a := &Archive{Filesystem: fs, BaseDirectory: dir, Files: paths}
d := path.Join(
dir,

View File

@ -79,6 +79,9 @@ func (h *Handler) Fileread(request *sftp.Request) (io.ReaderAt, error) {
}
h.mu.Lock()
defer h.mu.Unlock()
if err := h.fs.IsIgnored(request.Filepath); err != nil {
return nil, err
}
f, _, err := h.fs.File(request.Filepath)
if err != nil {
if !errors.Is(err, os.ErrNotExist) {
@ -104,6 +107,10 @@ func (h *Handler) Filewrite(request *sftp.Request) (io.WriterAt, error) {
h.mu.Lock()
defer h.mu.Unlock()
if err := h.fs.IsIgnored(request.Filepath); err != nil {
return nil, err
}
// The specific permission required to perform this action. If the file exists on the
// system already it only needs to be an update, otherwise we'll check for a create.
permission := PermissionFileUpdate
@ -148,6 +155,10 @@ func (h *Handler) Filecmd(request *sftp.Request) error {
l = l.WithField("target", request.Target)
}
if err := h.fs.IsIgnored(request.Filepath); err != nil {
return err
}
switch request.Method {
// Allows a user to make changes to the permissions of a given file or directory
// on their server using their SFTP client.