dave/coolify
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

fix: root + read:sensive could read senstive data with a middlewarew

Browse Source
This commit is contained in:
Andras Bacsai
2024-12-09 11:10:35 +01:00
parent ff74fb7385
commit 3fa7d03db7
10 changed files with 74 additions and 70 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
app/Http/Controllers/Api/ApplicationsController.php
View File

@@ -25,26 +25,24 @@ class ApplicationsController extends Controller
{
private function removeSensitiveData($application)
{
$token = auth()->user()->currentAccessToken();
$application->makeHidden([
'id',
]);
if ($token->can('read:sensitive')) {
return serializeApiResponse($application);
if (request()->attributes->get('can_read_sensitive', false) === false) {
$application->makeHidden([
'custom_labels',
'dockerfile',
'docker_compose',
'docker_compose_raw',
'manual_webhook_secret_bitbucket',
'manual_webhook_secret_gitea',
'manual_webhook_secret_github',
'manual_webhook_secret_gitlab',
'private_key_id',
'value',
'real_value',
]);
}
$application->makeHidden([
'custom_labels',
'dockerfile',
'docker_compose',
'docker_compose_raw',
'manual_webhook_secret_bitbucket',
'manual_webhook_secret_gitea',
'manual_webhook_secret_github',
'manual_webhook_secret_gitlab',
'private_key_id',
'value',
'real_value',
]);
return serializeApiResponse($application);
}

25
app/Http/Controllers/Api/DatabasesController.php
View File

@@ -19,26 +19,23 @@ class DatabasesController extends Controller
{
private function removeSensitiveData($database)
{
$token = auth()->user()->currentAccessToken();
$database->makeHidden([
'id',
'laravel_through_key',
]);
if ($token->can('read:sensitive')) {
return serializeApiResponse($database);
if (request()->attributes->get('can_read_sensitive', false) === false) {
$database->makeHidden([
'internal_db_url',
'external_db_url',
'postgres_password',
'dragonfly_password',
'redis_password',
'mongo_initdb_root_password',
'keydb_password',
'clickhouse_admin_password',
]);
}
$database->makeHidden([
'internal_db_url',
'external_db_url',
'postgres_password',
'dragonfly_password',
'redis_password',
'mongo_initdb_root_password',
'keydb_password',
'clickhouse_admin_password',
]);
return serializeApiResponse($database);
}

11
app/Http/Controllers/Api/DeployController.php
View File

@@ -16,15 +16,12 @@ class DeployController extends Controller
{
private function removeSensitiveData($deployment)
{
$token = auth()->user()->currentAccessToken();
if ($token->can('read:sensitive')) {
return serializeApiResponse($deployment);
if (request()->attributes->get('can_read_sensitive', false) === false) {
$deployment->makeHidden([
'logs',
]);
}
$deployment->makeHidden([
'logs',
]);
return serializeApiResponse($deployment);
}

10
app/Http/Controllers/Api/SecurityController.php
View File

@@ -11,13 +11,11 @@ class SecurityController extends Controller
{
private function removeSensitiveData($team)
{
$token = auth()->user()->currentAccessToken();
if ($token->can('read:sensitive')) {
return serializeApiResponse($team);
if (request()->attributes->get('can_read_sensitive', false) === false) {
$team->makeHidden([
'private_key',
]);
}
$team->makeHidden([
'private_key',
]);
return serializeApiResponse($team);
}

15
app/Http/Controllers/Api/ServersController.php
View File

@@ -19,25 +19,22 @@ class ServersController extends Controller
{
private function removeSensitiveDataFromSettings($settings)
{
$token = auth()->user()->currentAccessToken();
if ($token->can('read:sensitive')) {
return serializeApiResponse($settings);
if (request()->attributes->get('can_read_sensitive', false) === false) {
$settings = $settings->makeHidden([
'sentinel_token',
]);
}
$settings = $settings->makeHidden([
'sentinel_token',
]);
return serializeApiResponse($settings);
}
private function removeSensitiveData($server)
{
$token = auth()->user()->currentAccessToken();
$server->makeHidden([
'id',
]);
if ($token->can('read:sensitive')) {
return serializeApiResponse($server);
if (request()->attributes->get('can_read_sensitive', false) === false) {
// Do nothing
}
return serializeApiResponse($server);

13
app/Http/Controllers/Api/ServicesController.php
View File

@@ -18,19 +18,16 @@ class ServicesController extends Controller
{
private function removeSensitiveData($service)
{
$token = auth()->user()->currentAccessToken();
$service->makeHidden([
'id',
]);
if ($token->can('read:sensitive')) {
return serializeApiResponse($service);
if (request()->attributes->get('can_read_sensitive', false) === false) {
$service->makeHidden([
'docker_compose_raw',
'docker_compose',
]);
}
$service->makeHidden([
'docker_compose_raw',
'docker_compose',
]);
return serializeApiResponse($service);
}

16
app/Http/Controllers/Api/TeamController.php
View File

@@ -10,20 +10,18 @@ class TeamController extends Controller
{
private function removeSensitiveData($team)
{
$token = auth()->user()->currentAccessToken();
$team->makeHidden([
'custom_server_limit',
'pivot',
]);
if ($token->can('read:sensitive')) {
return serializeApiResponse($team);
if (request()->attributes->get('can_read_sensitive', false) === false) {
$team->makeHidden([
'smtp_username',
'smtp_password',
'resend_api_key',
'telegram_token',
]);
}
$team->makeHidden([
'smtp_username',
'smtp_password',
'resend_api_key',
'telegram_token',
]);
return serializeApiResponse($team);
}