banquise/pelican-panel-banquise
13
0
Fork 0
forked from banquise/pelican-panel-mirror
Code Issues 1 Pull Requests Actions Activity

Fix parameter bindings for client API routes; closes pterodactyl/panel#2359

Browse Source
This commit is contained in:
Dane Everitt 2020-09-27 10:39:18 -07:00
parent 1db7e4db66
commit f31a6d3967
No known key found for this signature in database
GPG Key ID: EEA66103B3D71F53
3 changed files with 62 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
app/Http/Middleware/Api/Client/SubstituteClientApiBindings.php
View File

@ -49,11 +49,11 @@ class SubstituteClientApiBindings extends ApiSubstituteBindings
return Database::query()->where('id', $id)->firstOrFail();
});
$this->router->model('backup', Backup::class, function ($value) {
$this->router->bind('backup', function ($value) {
return Backup::query()->where('uuid', $value)->firstOrFail();
});
$this->router->model('user', User::class, function ($value) {
$this->router->bind('user', function ($value) {
return User::query()->where('uuid', $value)->firstOrFail();
});

2
tests/Integration/Api/Client/Server/Subuser/CreateServerSubuserTest.php
View File

@ -1,6 +1,6 @@
<?php
namespace Pterodactyl\Tests\Integration\Api\Client\Server\Schedule;
namespace Pterodactyl\Tests\Integration\Api\Client\Server\Subuser;
use Illuminate\Support\Str;
use Pterodactyl\Models\User;

59
tests/Integration/Api/Client/Server/Subuser/DeleteSubuserTest.php Normal file
View File

@ -0,0 +1,59 @@
<?php
namespace Pterodactyl\Tests\Integration\Api\Client\Server\Subuser;
use Ramsey\Uuid\Uuid;
use Pterodactyl\Models\User;
use Pterodactyl\Models\Subuser;
use Pterodactyl\Models\Permission;
use Pterodactyl\Tests\Integration\Api\Client\ClientApiIntegrationTestCase;
class DeleteSubuserTest extends ClientApiIntegrationTestCase
{
/**
* Guards against PHP's exciting behavior where a string can be cast to an int and only
* the first numeric digits are returned. This causes UUIDs to be returned as an int when
* looking up users, thus returning the wrong subusers (or no subuser at all).
*
* For example, 12aaaaaa-bbbb-cccc-ddddeeeeffff would be cast to "12" if you tried to cast
* it to an integer. Then, in the deep API middlewares you would end up trying to load a user
* with an ID of 12, which may or may not exist and be wrongly assigned to the model object.
*
* @see https://github.com/pterodactyl/panel/issues/2359
*/
public function testCorrectSubuserIsDeletedFromServer()
{
[$user, $server] = $this->generateTestAccount();
/** @var \Pterodactyl\Models\User $differentUser */
$differentUser = factory(User::class)->create();
// Generate a UUID that lines up with a user in the database if it were to be cast to an int.
$uuid = $differentUser->id . str_repeat('a', strlen((string)$differentUser->id)) . substr(Uuid::uuid4()->toString(), 8);
/** @var \Pterodactyl\Models\User $subuser */
$subuser = factory(User::class)->create(['uuid' => $uuid]);
Subuser::query()->forceCreate([
'user_id' => $subuser->id,
'server_id' => $server->id,
'permissions' => [ Permission::ACTION_WEBSOCKET_CONNECT ],
]);
$this->actingAs($user)->deleteJson($this->link($server) . "/users/{$subuser->uuid}")->assertNoContent();
// Try the same test, but this time with a UUID that if cast to an int (shouldn't) line up with
// anything in the database.
$uuid = '18180000' . substr(Uuid::uuid4()->toString(), 8);
/** @var \Pterodactyl\Models\User $subuser */
$subuser = factory(User::class)->create(['uuid' => $uuid]);
Subuser::query()->forceCreate([
'user_id' => $subuser->id,
'server_id' => $server->id,
'permissions' => [ Permission::ACTION_WEBSOCKET_CONNECT ],
]);
$this->actingAs($user)->deleteJson($this->link($server) . "/users/{$subuser->uuid}")->assertNoContent();
}
}