fix: root + read:sensive could read senstive data with a middlewarew

Andras Bacsai
2024-12-09 11:10:35 +01:00
parent ff74fb7385
commit 3fa7d03db7
10 changed files with 74 additions and 70 deletions


@@ -25,13 +25,10 @@ class ApplicationsController extends Controller
{ {
private function removeSensitiveData($application) private function removeSensitiveData($application)
{ {
$token = auth()->user()->currentAccessToken();
$application->makeHidden([ $application->makeHidden([
'id', 'id',
]); ]);
if ($token->can('read:sensitive')) { if (request()->attributes->get('can_read_sensitive', false) === false) {
return serializeApiResponse($application);
}
$application->makeHidden([ $application->makeHidden([
'custom_labels', 'custom_labels',
'dockerfile', 'dockerfile',
@@ -45,6 +42,7 @@ class ApplicationsController extends Controller
'value', 'value',
'real_value', 'real_value',
]); ]);
}
return serializeApiResponse($application); return serializeApiResponse($application);
} }
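Review bot: The new guard `request()->attributes->get('can_read_sensitive', false) === false` hides the fields only when the attribute is exactly `false`, so any other non-true value (null, 0, a string) would leave `custom_labels`, `dockerfile` and the rest visible. Comparing against `true` keeps the check fail-closed: `if (request()->attributes->get('can_read_sensitive', false) !== true) {`. The same expression appears in the DatabasesController, DeployController, SecurityController, ServersController, ServicesController and TeamController sections, eight copies in all, so a single shared helper would keep them from drifting apart. Part of the hidden-field list lies between the two hunks and is not visible here.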


@@ -19,15 +19,11 @@ class DatabasesController extends Controller
{ {
private function removeSensitiveData($database) private function removeSensitiveData($database)
{ {
$token = auth()->user()->currentAccessToken();
$database->makeHidden([ $database->makeHidden([
'id', 'id',
'laravel_through_key', 'laravel_through_key',
]); ]);
if ($token->can('read:sensitive')) { if (request()->attributes->get('can_read_sensitive', false) === false) {
return serializeApiResponse($database);
}
$database->makeHidden([ $database->makeHidden([
'internal_db_url', 'internal_db_url',
'external_db_url', 'external_db_url',
@@ -38,6 +34,7 @@ class DatabasesController extends Controller
'keydb_password', 'keydb_password',
'clickhouse_admin_password', 'clickhouse_admin_password',
]); ]);
}
return serializeApiResponse($database); return serializeApiResponse($database);
} }


@@ -16,14 +16,11 @@ class DeployController extends Controller
{ {
private function removeSensitiveData($deployment) private function removeSensitiveData($deployment)
{ {
$token = auth()->user()->currentAccessToken(); if (request()->attributes->get('can_read_sensitive', false) === false) {
if ($token->can('read:sensitive')) {
return serializeApiResponse($deployment);
}
$deployment->makeHidden([ $deployment->makeHidden([
'logs', 'logs',
]); ]);
}
return serializeApiResponse($deployment); return serializeApiResponse($deployment);
} }


@@ -11,13 +11,11 @@ class SecurityController extends Controller
{ {
private function removeSensitiveData($team) private function removeSensitiveData($team)
{ {
$token = auth()->user()->currentAccessToken(); if (request()->attributes->get('can_read_sensitive', false) === false) {
if ($token->can('read:sensitive')) {
return serializeApiResponse($team);
}
$team->makeHidden([ $team->makeHidden([
'private_key', 'private_key',
]); ]);
}
return serializeApiResponse($team); return serializeApiResponse($team);
} }


@@ -19,25 +19,22 @@ class ServersController extends Controller
{ {
private function removeSensitiveDataFromSettings($settings) private function removeSensitiveDataFromSettings($settings)
{ {
$token = auth()->user()->currentAccessToken(); if (request()->attributes->get('can_read_sensitive', false) === false) {
if ($token->can('read:sensitive')) {
return serializeApiResponse($settings);
}
$settings = $settings->makeHidden([ $settings = $settings->makeHidden([
'sentinel_token', 'sentinel_token',
]); ]);
}
return serializeApiResponse($settings); return serializeApiResponse($settings);
} }
private function removeSensitiveData($server) private function removeSensitiveData($server)
{ {
$token = auth()->user()->currentAccessToken();
$server->makeHidden([ $server->makeHidden([
'id', 'id',
]); ]);
if ($token->can('read:sensitive')) { if (request()->attributes->get('can_read_sensitive', false) === false) {
return serializeApiResponse($server); // Do nothing
} }
return serializeApiResponse($server); return serializeApiResponse($server);
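Review bot: In `removeSensitiveData($server)` the new branch contains only `// Do nothing`, so the response is identical whether or not the token may read sensitive data. If no server attribute is meant to be restricted, drop the empty `if` so the method does not read as if it filters something. Otherwise list the attributes to hide inside it, as `removeSensitiveDataFromSettings` does for `sentinel_token`. The closing brace of the method is outside the visible hunk.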


@@ -18,18 +18,15 @@ class ServicesController extends Controller
{ {
private function removeSensitiveData($service) private function removeSensitiveData($service)
{ {
$token = auth()->user()->currentAccessToken();
$service->makeHidden([ $service->makeHidden([
'id', 'id',
]); ]);
if ($token->can('read:sensitive')) { if (request()->attributes->get('can_read_sensitive', false) === false) {
return serializeApiResponse($service);
}
$service->makeHidden([ $service->makeHidden([
'docker_compose_raw', 'docker_compose_raw',
'docker_compose', 'docker_compose',
]); ]);
}
return serializeApiResponse($service); return serializeApiResponse($service);
} }


@@ -10,20 +10,18 @@ class TeamController extends Controller
{ {
private function removeSensitiveData($team) private function removeSensitiveData($team)
{ {
$token = auth()->user()->currentAccessToken();
$team->makeHidden([ $team->makeHidden([
'custom_server_limit', 'custom_server_limit',
'pivot', 'pivot',
]); ]);
if ($token->can('read:sensitive')) { if (request()->attributes->get('can_read_sensitive', false) === false) {
return serializeApiResponse($team);
}
$team->makeHidden([ $team->makeHidden([
'smtp_username', 'smtp_username',
'smtp_password', 'smtp_password',
'resend_api_key', 'resend_api_key',
'telegram_token', 'telegram_token',
]); ]);
}
return serializeApiResponse($team); return serializeApiResponse($team);
} }


@@ -70,5 +70,6 @@ class Kernel extends HttpKernel
'abilities' => \Laravel\Sanctum\Http\Middleware\CheckAbilities::class, 'abilities' => \Laravel\Sanctum\Http\Middleware\CheckAbilities::class,
'ability' => \Laravel\Sanctum\Http\Middleware\CheckForAnyAbility::class, 'ability' => \Laravel\Sanctum\Http\Middleware\CheckForAnyAbility::class,
'api.ability' => \App\Http\Middleware\ApiAbility::class, 'api.ability' => \App\Http\Middleware\ApiAbility::class,
'api.sensitive' => \App\Http\Middleware\ApiSensitiveData::class,
]; ];
} }


@@ -0,0 +1,21 @@
<?php
namespace App\Http\Middleware;
use Closure;
use Illuminate\Http\Request;
class ApiSensitiveData
{
public function handle(Request $request, Closure $next)
{
$token = $request->user()->currentAccessToken();
// Allow access to sensitive data if token has root or read:sensitive permission
$request->attributes->add([
'can_read_sensitive' => $token->can('root') || $token->can('read:sensitive'),
]);
return $next($request);
}
}
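Review bot: `handle()` calls `->can()` on whatever `$request->user()->currentAccessToken()` returns, with no check for a missing user or token; if the `api.sensitive` alias is ever attached to a route that does not run `auth:sanctum` first, this is a fatal error rather than a denied flag. A null-safe form keeps it fail-closed: `$token = $request->user()?->currentAccessToken();` and `'can_read_sensitive' => $token !== null && ($token->can('root') || $token->can('read:sensitive')),`. It is also worth confirming how session-authenticated requests should be treated, since Sanctum's `TransientToken` answers true to every `can()` call and would set the flag. A short class docblock stating that controllers read `can_read_sensitive` and treat its absence as false would document the contract the controllers now depend on.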


@@ -26,7 +26,7 @@ Route::group([
Route::get('/disable', [OtherController::class, 'disable_api']); Route::get('/disable', [OtherController::class, 'disable_api']);
}); });
Route::group([ Route::group([
'middleware' => ['auth:sanctum', ApiAllowed::class], 'middleware' => ['auth:sanctum', ApiAllowed::class, 'api.sensitive'],
'prefix' => 'v1', 'prefix' => 'v1',
], function () { ], function () {
Route::get('/version', [OtherController::class, 'version'])->middleware(['api.ability:read']); Route::get('/version', [OtherController::class, 'version'])->middleware(['api.ability:read']);