Enforce the egg's file denylist more thoroughly

Closes pterodactyl/panel#5042
pterodactyl · Mar 25, 2024 · e7139a9 · e7139a9
1 parent 1f77d22
commit e7139a9
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 0 deletions.
diff --git a/router/router_download.go b/router/router_download.go
@@ -78,6 +78,11 @@ func getDownloadFile(c *gin.Context) {
 		return
 	}
 
+	if err := s.Filesystem().IsIgnored(token.FilePath); err != nil {
+		middleware.CaptureAndAbort(c, err)
+		return
+	}
+
 	f, st, err := s.Filesystem().File(token.FilePath)
 	if err != nil {
 		middleware.CaptureAndAbort(c, err)

diff --git a/router/router_server_files.go b/router/router_server_files.go
@@ -31,6 +31,10 @@ import (
 func getServerFileContents(c *gin.Context) {
 	s := middleware.ExtractServer(c)
 	p := strings.TrimLeft(c.Query("file"), "/")
+	if err := s.Filesystem().IsIgnored(p); err != nil {
+		middleware.CaptureAndAbort(c, err)
+		return
+	}
 	f, st, err := s.Filesystem().File(p)
 	if err != nil {
 		middleware.CaptureAndAbort(c, err)
@@ -214,6 +218,9 @@ func postServerDeleteFiles(c *gin.Context) {
 			case <-ctx.Done():
 				return ctx.Err()
 			default:
+				if err := s.Filesystem().IsIgnored(pi); err != nil {
+					return err
+				}
 				return s.Filesystem().Delete(pi)
 			}
 		})
@@ -324,6 +331,11 @@ func postServerPullRemoteFile(c *gin.Context) {
 		UseHeader: data.UseHeader,
 	})
 
+	if err := s.Filesystem().IsIgnored(dl.Path()); err != nil {
+		middleware.CaptureAndAbort(c, err)
+		return
+	}
+
 	download := func() error {
 		s.Log().WithField("download_id", dl.Identifier).WithField("url", u.String()).Info("starting pull of remote file to disk")
 		if err := dl.Execute(); err != nil {

diff --git a/server/filesystem/compress.go b/server/filesystem/compress.go
@@ -28,6 +28,11 @@ import (
 // and the compressed file will be placed at that location named
 // `archive-{date}.tar.gz`.
 func (fs *Filesystem) CompressFiles(dir string, paths []string) (ufs.FileInfo, error) {
+	for _, file := range paths {
+		if err := fs.IsIgnored(path.Join(dir, file)); err != nil {
+			return nil, err
+		}
+	}
 	a := &Archive{Filesystem: fs, BaseDirectory: dir, Files: paths}
 	d := path.Join(
 		dir,

diff --git a/sftp/handler.go b/sftp/handler.go
@@ -79,6 +79,9 @@ func (h *Handler) Fileread(request *sftp.Request) (io.ReaderAt, error) {
 	}
 	h.mu.Lock()
 	defer h.mu.Unlock()
+	if err := h.fs.IsIgnored(request.Filepath); err != nil {
+		return nil, err
+	}
 	f, _, err := h.fs.File(request.Filepath)
 	if err != nil {
 		if !errors.Is(err, os.ErrNotExist) {
@@ -104,6 +107,10 @@ func (h *Handler) Filewrite(request *sftp.Request) (io.WriterAt, error) {
 
 	h.mu.Lock()
 	defer h.mu.Unlock()
+
+	if err := h.fs.IsIgnored(request.Filepath); err != nil {
+		return nil, err
+	}
 	// The specific permission required to perform this action. If the file exists on the
 	// system already it only needs to be an update, otherwise we'll check for a create.
 	permission := PermissionFileUpdate
@@ -148,6 +155,10 @@ func (h *Handler) Filecmd(request *sftp.Request) error {
 		l = l.WithField("target", request.Target)
 	}
 
+	if err := h.fs.IsIgnored(request.Filepath); err != nil {
+		return err
+	}
+
 	switch request.Method {
 	// Allows a user to make changes to the permissions of a given file or directory
 	// on their server using their SFTP client.