fix: root + read:sensitive could read sensitive data with a middleware
@@ -25,26 +25,24 @@ class ApplicationsController extends Controller
|
|||||||
{
|
{
|
||||||
private function removeSensitiveData($application)
|
private function removeSensitiveData($application)
|
||||||
{
|
{
|
||||||
$token = auth()->user()->currentAccessToken();
|
|
||||||
$application->makeHidden([
|
$application->makeHidden([
|
||||||
'id',
|
'id',
|
||||||
]);
|
]);
|
||||||
if ($token->can('read:sensitive')) {
|
if (request()->attributes->get('can_read_sensitive', false) === false) {
|
||||||
return serializeApiResponse($application);
|
$application->makeHidden([
|
||||||
|
'custom_labels',
|
||||||
|
'dockerfile',
|
||||||
|
'docker_compose',
|
||||||
|
'docker_compose_raw',
|
||||||
|
'manual_webhook_secret_bitbucket',
|
||||||
|
'manual_webhook_secret_gitea',
|
||||||
|
'manual_webhook_secret_github',
|
||||||
|
'manual_webhook_secret_gitlab',
|
||||||
|
'private_key_id',
|
||||||
|
'value',
|
||||||
|
'real_value',
|
||||||
|
]);
|
||||||
}
|
}
|
||||||
$application->makeHidden([
|
|
||||||
'custom_labels',
|
|
||||||
'dockerfile',
|
|
||||||
'docker_compose',
|
|
||||||
'docker_compose_raw',
|
|
||||||
'manual_webhook_secret_bitbucket',
|
|
||||||
'manual_webhook_secret_gitea',
|
|
||||||
'manual_webhook_secret_github',
|
|
||||||
'manual_webhook_secret_gitlab',
|
|
||||||
'private_key_id',
|
|
||||||
'value',
|
|
||||||
'real_value',
|
|
||||||
]);
|
|
||||||
|
|
||||||
return serializeApiResponse($application);
|
return serializeApiResponse($application);
|
||||||
}
|
}
|
||||||
|
|||||||
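Review bot: The new guard `if (request()->attributes->get('can_read_sensitive', false) === false)` hides the secret fields only when the attribute is exactly `false`; any other non-true value that ever lands in the attribute (null, 0, an empty string) would skip the `makeHidden` call and return `dockerfile`, the webhook secrets and `real_value` in clear. An authorization check of this kind should fail closed on anything that is not strictly true: `if (request()->attributes->get('can_read_sensitive') !== true) {`. The same guard-plus-field-list shape is copied into every controller in this commit, so a shared private helper or trait holding the list would keep the seven copies from drifting. A one-line comment above the guard, `// can_read_sensitive is set by the api.sensitive middleware; absent means hide`, would document the fail-closed default for readers of this controller.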
@@ -19,26 +19,23 @@ class DatabasesController extends Controller
|
|||||||
{
|
{
|
||||||
private function removeSensitiveData($database)
|
private function removeSensitiveData($database)
|
||||||
{
|
{
|
||||||
$token = auth()->user()->currentAccessToken();
|
|
||||||
$database->makeHidden([
|
$database->makeHidden([
|
||||||
'id',
|
'id',
|
||||||
'laravel_through_key',
|
'laravel_through_key',
|
||||||
]);
|
]);
|
||||||
if ($token->can('read:sensitive')) {
|
if (request()->attributes->get('can_read_sensitive', false) === false) {
|
||||||
return serializeApiResponse($database);
|
$database->makeHidden([
|
||||||
|
'internal_db_url',
|
||||||
|
'external_db_url',
|
||||||
|
'postgres_password',
|
||||||
|
'dragonfly_password',
|
||||||
|
'redis_password',
|
||||||
|
'mongo_initdb_root_password',
|
||||||
|
'keydb_password',
|
||||||
|
'clickhouse_admin_password',
|
||||||
|
]);
|
||||||
}
|
}
|
||||||
|
|
||||||
$database->makeHidden([
|
|
||||||
'internal_db_url',
|
|
||||||
'external_db_url',
|
|
||||||
'postgres_password',
|
|
||||||
'dragonfly_password',
|
|
||||||
'redis_password',
|
|
||||||
'mongo_initdb_root_password',
|
|
||||||
'keydb_password',
|
|
||||||
'clickhouse_admin_password',
|
|
||||||
]);
|
|
||||||
|
|
||||||
return serializeApiResponse($database);
|
return serializeApiResponse($database);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
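Review bot: The field list in the new branch (`internal_db_url` through `clickhouse_admin_password`) is a hand-maintained enumeration of one password column per database engine; a database type added later with its own password column would be returned to a plain `read` token unless someone remembers to extend this list, because nothing in this method hides fields by pattern. Moving the names into a `private const SENSITIVE_FIELDS = [...]` on the controller, or relying on the model's own `$hidden`, would give a single place to extend and a natural spot for a "add new engine passwords here" comment. As in the other controllers, `=== false` is looser than `!== true` for a fail-closed check.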
@@ -16,15 +16,12 @@ class DeployController extends Controller
|
|||||||
{
|
{
|
||||||
private function removeSensitiveData($deployment)
|
private function removeSensitiveData($deployment)
|
||||||
{
|
{
|
||||||
$token = auth()->user()->currentAccessToken();
|
if (request()->attributes->get('can_read_sensitive', false) === false) {
|
||||||
if ($token->can('read:sensitive')) {
|
$deployment->makeHidden([
|
||||||
return serializeApiResponse($deployment);
|
'logs',
|
||||||
|
]);
|
||||||
}
|
}
|
||||||
|
|
||||||
$deployment->makeHidden([
|
|
||||||
'logs',
|
|
||||||
]);
|
|
||||||
|
|
||||||
return serializeApiResponse($deployment);
|
return serializeApiResponse($deployment);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
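Review bot: `removeSensitiveData` now depends on a request attribute populated somewhere else, and nothing in the method says where, so a reader of this controller cannot tell why `logs` vanish for some tokens and not others. I would add a docblock above the method: `/** Strip deployment logs unless the api.sensitive middleware flagged the token as root or read:sensitive; a missing attribute means hidden. */`. The guard itself should compare `!== true` rather than `=== false` so that only a strict true reveals the logs.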
@@ -11,13 +11,11 @@ class SecurityController extends Controller
|
|||||||
{
|
{
|
||||||
private function removeSensitiveData($team)
|
private function removeSensitiveData($team)
|
||||||
{
|
{
|
||||||
$token = auth()->user()->currentAccessToken();
|
if (request()->attributes->get('can_read_sensitive', false) === false) {
|
||||||
if ($token->can('read:sensitive')) {
|
$team->makeHidden([
|
||||||
return serializeApiResponse($team);
|
'private_key',
|
||||||
|
]);
|
||||||
}
|
}
|
||||||
$team->makeHidden([
|
|
||||||
'private_key',
|
|
||||||
]);
|
|
||||||
|
|
||||||
return serializeApiResponse($team);
|
return serializeApiResponse($team);
|
||||||
}
|
}
|
||||||
|
|||||||
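Review bot: The helper's parameter is named `$team`, yet the only field it hides is `private_key`, which reads as a key model rather than a team; if that is what the callers pass, the name actively misleads anyone auditing what is exposed on this endpoint. Since it is a private method with no external callers, renaming it to `$privateKey` and adding `/** Hide the key material unless the api.sensitive middleware granted root/read:sensitive. */` would cost nothing. The `=== false` comparison should also be `!== true` so the key is revealed only on a strict true.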
@@ -19,25 +19,22 @@ class ServersController extends Controller
|
|||||||
{
|
{
|
||||||
private function removeSensitiveDataFromSettings($settings)
|
private function removeSensitiveDataFromSettings($settings)
|
||||||
{
|
{
|
||||||
$token = auth()->user()->currentAccessToken();
|
if (request()->attributes->get('can_read_sensitive', false) === false) {
|
||||||
if ($token->can('read:sensitive')) {
|
$settings = $settings->makeHidden([
|
||||||
return serializeApiResponse($settings);
|
'sentinel_token',
|
||||||
|
]);
|
||||||
}
|
}
|
||||||
$settings = $settings->makeHidden([
|
|
||||||
'sentinel_token',
|
|
||||||
]);
|
|
||||||
|
|
||||||
return serializeApiResponse($settings);
|
return serializeApiResponse($settings);
|
||||||
}
|
}
|
||||||
|
|
||||||
private function removeSensitiveData($server)
|
private function removeSensitiveData($server)
|
||||||
{
|
{
|
||||||
$token = auth()->user()->currentAccessToken();
|
|
||||||
$server->makeHidden([
|
$server->makeHidden([
|
||||||
'id',
|
'id',
|
||||||
]);
|
]);
|
||||||
if ($token->can('read:sensitive')) {
|
if (request()->attributes->get('can_read_sensitive', false) === false) {
|
||||||
return serializeApiResponse($server);
|
// Do nothing
|
||||||
}
|
}
|
||||||
|
|
||||||
return serializeApiResponse($server);
|
return serializeApiResponse($server);
|
||||||
|
|||||||
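Review bot: The new branch in `removeSensitiveData($server)` is empty — `if (request()->attributes->get('can_read_sensitive', false) === false) { // Do nothing }` — so it reads as a forgotten list of server fields rather than a deliberate no-op, and a reviewer cannot tell which from the code. Either delete the block so the method only hides `id`, or, if server rows carry secrets that should be gated the way `sentinel_token` is in `removeSensitiveDataFromSettings`, list them there. If it is intentionally empty, replace the comment with one that says why: `// Server rows carry no token-gated fields; only settings do (see removeSensitiveDataFromSettings).`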
@@ -18,19 +18,16 @@ class ServicesController extends Controller
|
|||||||
{
|
{
|
||||||
private function removeSensitiveData($service)
|
private function removeSensitiveData($service)
|
||||||
{
|
{
|
||||||
$token = auth()->user()->currentAccessToken();
|
|
||||||
$service->makeHidden([
|
$service->makeHidden([
|
||||||
'id',
|
'id',
|
||||||
]);
|
]);
|
||||||
if ($token->can('read:sensitive')) {
|
if (request()->attributes->get('can_read_sensitive', false) === false) {
|
||||||
return serializeApiResponse($service);
|
$service->makeHidden([
|
||||||
|
'docker_compose_raw',
|
||||||
|
'docker_compose',
|
||||||
|
]);
|
||||||
}
|
}
|
||||||
|
|
||||||
$service->makeHidden([
|
|
||||||
'docker_compose_raw',
|
|
||||||
'docker_compose',
|
|
||||||
]);
|
|
||||||
|
|
||||||
return serializeApiResponse($service);
|
return serializeApiResponse($service);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
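Review bot: The guard-and-`makeHidden` pair added here is the same code that ApplicationsController and TeamController gain in this commit, differing only in the field list, which is how one copy ends up with a different comparison or a stale list. A small private helper that takes the model and the field list, and fails closed on anything but a strict true, would let `removeSensitiveData` shrink to `return serializeApiResponse($this->hideUnlessSensitive($service, ['docker_compose_raw', 'docker_compose']));`. The helper could later move into a trait shared by the API controllers.
```php
/**
 * Hide $fields on $model unless the api.sensitive middleware marked the
 * current token as root / read:sensitive. A missing attribute means hide.
 */
private function hideUnlessSensitive($model, array $fields)
{
    if (request()->attributes->get('can_read_sensitive') !== true) {
        $model->makeHidden($fields);
    }

    return $model;
}
```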
@@ -10,20 +10,18 @@ class TeamController extends Controller
|
|||||||
{
|
{
|
||||||
private function removeSensitiveData($team)
|
private function removeSensitiveData($team)
|
||||||
{
|
{
|
||||||
$token = auth()->user()->currentAccessToken();
|
|
||||||
$team->makeHidden([
|
$team->makeHidden([
|
||||||
'custom_server_limit',
|
'custom_server_limit',
|
||||||
'pivot',
|
'pivot',
|
||||||
]);
|
]);
|
||||||
if ($token->can('read:sensitive')) {
|
if (request()->attributes->get('can_read_sensitive', false) === false) {
|
||||||
return serializeApiResponse($team);
|
$team->makeHidden([
|
||||||
|
'smtp_username',
|
||||||
|
'smtp_password',
|
||||||
|
'resend_api_key',
|
||||||
|
'telegram_token',
|
||||||
|
]);
|
||||||
}
|
}
|
||||||
$team->makeHidden([
|
|
||||||
'smtp_username',
|
|
||||||
'smtp_password',
|
|
||||||
'resend_api_key',
|
|
||||||
'telegram_token',
|
|
||||||
]);
|
|
||||||
|
|
||||||
return serializeApiResponse($team);
|
return serializeApiResponse($team);
|
||||||
}
|
}
|
||||||
|
|||||||
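Review bot: The method now mixes two kinds of hiding without saying so: `custom_server_limit` and `pivot` are always stripped, while `smtp_username`, `smtp_password`, `resend_api_key` and `telegram_token` are stripped only when the request attribute is not set. A docblock such as `/** Always drop internal columns; drop notification credentials unless the api.sensitive middleware granted root/read:sensitive. */` plus a `// token-gated secrets` line above the second `makeHidden` would make that split explicit. Like the other controllers, the guard is safer as `!== true` than `=== false`.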
@@ -70,5 +70,6 @@ class Kernel extends HttpKernel
|
|||||||
'abilities' => \Laravel\Sanctum\Http\Middleware\CheckAbilities::class,
|
'abilities' => \Laravel\Sanctum\Http\Middleware\CheckAbilities::class,
|
||||||
'ability' => \Laravel\Sanctum\Http\Middleware\CheckForAnyAbility::class,
|
'ability' => \Laravel\Sanctum\Http\Middleware\CheckForAnyAbility::class,
|
||||||
'api.ability' => \App\Http\Middleware\ApiAbility::class,
|
'api.ability' => \App\Http\Middleware\ApiAbility::class,
|
||||||
|
'api.sensitive' => \App\Http\Middleware\ApiSensitiveData::class,
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|||||||
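--- /dev/null
+++ b/app/Http/Middleware/ApiSensitiveData.php
@@ -0,0 +1,21 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+
+class ApiSensitiveData
+{
+public function handle(Request $request, Closure $next)
+{
+$token = $request->user()->currentAccessToken();
+
+// Allow access to sensitive data if token has root or read:sensitive permission
+$request->attributes->add([
+'can_read_sensitive' => $token->can('root') || $token->can('read:sensitive'),
+]);
+
+return $next($request);
+}
+}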
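Review bot: `$token->can('root') || $token->can('read:sensitive')` is evaluated on whatever `currentAccessToken()` returns, and under Sanctum a user authenticated by session cookie rather than bearer token gets a `TransientToken`, whose `can()` answers true for every ability; if the v1 group can be reached that way, every session user would be flagged as able to read secrets regardless of abilities. Restricting the grant to a real `PersonalAccessToken` closes that path, and a nullsafe call keeps the middleware from throwing with a 500 if it is ever registered ahead of `auth:sanctum`. The new file also lacks `declare(strict_types=1);` and a return type on `handle`, which the rest of the codebase may or may not use — worth matching. Suggested body:
```php
public function handle(Request $request, Closure $next)
{
    $token = $request->user()?->currentAccessToken();

    // Only a real personal access token carries abilities; a session-backed
    // TransientToken answers can() with true and must not unlock secrets.
    $canReadSensitive = $token instanceof \Laravel\Sanctum\PersonalAccessToken
        && ($token->can('root') || $token->can('read:sensitive'));

    $request->attributes->add(['can_read_sensitive' => $canReadSensitive]);

    return $next($request);
}
```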
@@ -26,7 +26,7 @@ Route::group([
|
|||||||
Route::get('/disable', [OtherController::class, 'disable_api']);
|
Route::get('/disable', [OtherController::class, 'disable_api']);
|
||||||
});
|
});
|
||||||
Route::group([
|
Route::group([
|
||||||
'middleware' => ['auth:sanctum', ApiAllowed::class],
|
'middleware' => ['auth:sanctum', ApiAllowed::class, 'api.sensitive'],
|
||||||
'prefix' => 'v1',
|
'prefix' => 'v1',
|
||||||
], function () {
|
], function () {
|
||||||
Route::get('/version', [OtherController::class, 'version'])->middleware(['api.ability:read']);
|
Route::get('/version', [OtherController::class, 'version'])->middleware(['api.ability:read']);
|
||||||
|
|||||||
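Review bot: `'api.sensitive'` calls `$request->user()->currentAccessToken()` without a null check, so its position after `auth:sanctum` in the group array is load-bearing, but nothing in the route file says so and a later reorder would turn unauthenticated requests into a 500. A trailing comment on the changed line would pin it: `'middleware' => ['auth:sanctum', ApiAllowed::class, 'api.sensitive'], // api.sensitive reads the authenticated user; keep it after auth:sanctum`. As a style point, `ApiAllowed` is referenced by class while the new middleware goes through a Kernel alias; using one form for both would be easier to grep.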