Enforce the egg's file denylist more thoroughly
Closes pterodactyl/panel#5042
parent
1f77d2256b
commit
e7139a9dc9
|
@ -78,6 +78,11 @@ func getDownloadFile(c *gin.Context) {
|
|||
return
|
||||
}
|
||||
|
||||
if err := s.Filesystem().IsIgnored(token.FilePath); err != nil {
|
||||
middleware.CaptureAndAbort(c, err)
|
||||
return
|
||||
}
|
||||
|
||||
f, st, err := s.Filesystem().File(token.FilePath)
|
||||
if err != nil {
|
||||
middleware.CaptureAndAbort(c, err)
|
||||
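Review bot: The denylist check in getDownloadFile runs on `token.FilePath` as a raw string, while `File` on the following statement is what resolves and opens it; IsIgnored's body is not on this page, so it is unclear whether it cleans the path or follows symlinks before matching. If it matches the string as given, the check and the open can disagree about which file is meant. I would resolve the path once and pass the same resolved value to both calls, or have IsIgnored resolve it and state that in its doc comment, e.g. `// IsIgnored resolves p inside the server root before matching it against the egg denylist.` The same check-then-open pattern appears in getServerFileContents, Fileread and Filewrite. getDownloadFile starts and ends outside this hunk.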
|
|
|
@ -31,6 +31,10 @@ import (
|
|||
func getServerFileContents(c *gin.Context) {
|
||||
s := middleware.ExtractServer(c)
|
||||
p := strings.TrimLeft(c.Query("file"), "/")
|
||||
if err := s.Filesystem().IsIgnored(p); err != nil {
|
||||
middleware.CaptureAndAbort(c, err)
|
||||
return
|
||||
}
|
||||
f, st, err := s.Filesystem().File(p)
|
||||
if err != nil {
|
||||
middleware.CaptureAndAbort(c, err)
|
||||
|
@ -214,6 +218,9 @@ func postServerDeleteFiles(c *gin.Context) {
|
|||
case <-ctx.Done():
|
||||
return ctx.Err()
|
||||
default:
|
||||
if err := s.Filesystem().IsIgnored(pi); err != nil {
|
||||
return err
|
||||
}
|
||||
return s.Filesystem().Delete(pi)
|
||||
}
|
||||
})
|
||||
|
@ -324,6 +331,11 @@ func postServerPullRemoteFile(c *gin.Context) {
|
|||
UseHeader: data.UseHeader,
|
||||
})
|
||||
|
||||
if err := s.Filesystem().IsIgnored(dl.Path()); err != nil {
|
||||
middleware.CaptureAndAbort(c, err)
|
||||
return
|
||||
}
|
||||
|
||||
download := func() error {
|
||||
s.Log().WithField("download_id", dl.Identifier).WithField("url", u.String()).Info("starting pull of remote file to disk")
|
||||
if err := dl.Execute(); err != nil {
|
||||
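Review bot: In postServerPullRemoteFile the check on `dl.Path()` runs before `dl.Execute()`, so it can only cover the destination known at request time. The request also passes `UseHeader: data.UseHeader`, which suggests the final filename may be taken from the remote response; if so, the path written to disk is not necessarily the path that was checked. The check belongs where the destination is final, inside Execute just before the file is opened for writing, with this early one kept as a fast reject. Neither Execute nor Path is visible here, and the handler continues beyond the hunk.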
|
|
|
@ -28,6 +28,11 @@ import (
|
|||
// and the compressed file will be placed at that location named
|
||||
// `archive-{date}.tar.gz`.
|
||||
func (fs *Filesystem) CompressFiles(dir string, paths []string) (ufs.FileInfo, error) {
|
||||
for _, file := range paths {
|
||||
if err := fs.IsIgnored(path.Join(dir, file)); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
a := &Archive{Filesystem: fs, BaseDirectory: dir, Files: paths}
|
||||
d := path.Join(
|
||||
dir,
|
||||
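Review bot: The loop added to CompressFiles checks only the entries named in `paths`, joined to `dir`; when an entry is a directory, the files beneath it are not checked here. Archive is not shown, so if its walk does not consult the denylist, a denied file under a selected directory would still be written into the archive. Either filter during the walk or document the reliance next to the loop, e.g. `// Descendants of these paths are filtered against the denylist by Archive while walking.` A test that compresses a directory containing a denied file would pin the behaviour down. The function body continues past the hunk.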
|
|
|
@ -79,6 +79,9 @@ func (h *Handler) Fileread(request *sftp.Request) (io.ReaderAt, error) {
|
|||
}
|
||||
h.mu.Lock()
|
||||
defer h.mu.Unlock()
|
||||
if err := h.fs.IsIgnored(request.Filepath); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
f, _, err := h.fs.File(request.Filepath)
|
||||
if err != nil {
|
||||
if !errors.Is(err, os.ErrNotExist) {
|
||||
|
@ -104,6 +107,10 @@ func (h *Handler) Filewrite(request *sftp.Request) (io.WriterAt, error) {
|
|||
|
||||
h.mu.Lock()
|
||||
defer h.mu.Unlock()
|
||||
|
||||
if err := h.fs.IsIgnored(request.Filepath); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
// The specific permission required to perform this action. If the file exists on the
|
||||
// system already it only needs to be an update, otherwise we'll check for a create.
|
||||
permission := PermissionFileUpdate
|
||||
|
@ -148,6 +155,10 @@ func (h *Handler) Filecmd(request *sftp.Request) error {
|
|||
l = l.WithField("target", request.Target)
|
||||
}
|
||||
|
||||
if err := h.fs.IsIgnored(request.Filepath); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
switch request.Method {
|
||||
// Allows a user to make changes to the permissions of a given file or directory
|
||||
// on their server using their SFTP client.
|
||||
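Review bot: Filecmd checks `request.Filepath` only, yet the context line above logs `request.Target`, so some methods in the switch below evidently operate on a second path. For rename- or link-style methods the destination should pass the denylist as well, for example `if request.Target != "" { if err := h.fs.IsIgnored(request.Target); err != nil { return err } }` directly after the existing check. Returning the filesystem error unchanged may also reach the SFTP client as a generic failure rather than a permission error, so mapping it to the handler's permission-denied response would be clearer. The switch body is outside this hunk, so which methods use Target is inferred from the logging line.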
|
|