pterodactyl/panel
1
0
Fork 0
mirror of https://github.com/pterodactyl/panel.git synced 2026-06-12 23:31:53 -05:00
Code Issues Packages Projects Releases 128 Wiki Activity
4,717 Commits 12 Branches 135 Tags
a94b8bdb4e912468af23e70bc137145bc6123ec2
Commit Graph

13 Commits

Author SHA1 Message Date
Noah Ross
a94b8bdb4e Fix API Key Limit Race Condition Bypass (#5620) 
The API key creation endpoint checks that a user has fewer than 25 keys
before creating a new one. The problem is that the count was read from
an eager-loaded collection (`$user->apiKeys->count()`) with no lock
held, so concurrent requests could both pass the check and each create a
key, pushing the user past the 25-key cap.

The fix wraps the count check and key creation in a single database
transaction with `lockForUpdate()` on the query. Only one request at a
time can evaluate and modify the count, closing the race window.

### Proof of Concept

Run this in the browser console while authenticated with a user that has
24 API keys:

```js
(async () => {
    const makeKey = (desc) => fetch('/api/client/account/api-keys', {
      method: 'POST',
      headers: {
        'Accept': 'application/json',
        'Content-Type': 'application/json',
        'X-Requested-With': 'XMLHttpRequest',
        'X-XSRF-TOKEN':
  decodeURIComponent(document.cookie.match(/XSRF-TOKEN=([^;]+)/)[1]),
      },
      body: JSON.stringify({ description: desc, allowed_ips: [] }),
    });

    const [r1, r2] = await Promise.all([makeKey('0024'), makeKey('0025')]);
    console.log('0024:', r1.status, (await r1.text()).slice(0, 200));
    console.log('0025:', r2.status, (await r2.text()).slice(0, 200));
})();
```

On the old code, both requests can return 200 (you may need to run this
a few times to hit the race window). After the fix, the second request
correctly returns a 400 error.
 2026-05-23 11:16:18 -07:00
Matthew Penner
8ca098940a chore: update composer dependencies (#5198) 
Signed-off-by: Matthew Penner <me@matthewp.io>
 2024-10-21 19:18:20 -06:00
Matthew Penner
cbcf62086f Upgrade to Laravel 9 (#4413) 
Co-authored-by: DaneEveritt <dane@daneeveritt.com>
 2022-10-14 10:59:20 -06:00
Dane Everitt
e0e0689846 feat: bump account key limit to 25 (#4417) 
Closes #4394
 2022-10-08 15:14:03 -06:00
DaneEveritt
4f3651b578 Fix typo with identifier 2022-06-18 12:16:54 -04:00
DaneEveritt
9300e1116d Fix failing tests 2022-05-29 20:39:51 -04:00
DaneEveritt
287fd60891 Log activity when modifying account details 2022-05-29 18:48:35 -04:00
DaneEveritt
b051718afe Fix up API handling logic for keys and set a prefix on all keys 2022-05-22 19:03:51 -04:00
DaneEveritt
530558b0f8 Update deprecated JSON response creation and unnecessary middleware 2022-05-04 19:23:01 -04:00
Dane Everitt
c449ca5155 Use more standardized phpcs 2021-01-23 12:33:34 -08:00
Dane Everitt
a81f6882f7 Add test coverage for API key generation and deletion 2020-06-25 22:36:58 -07:00
Dane Everitt
8d52e2e1a7 Finalize API key management for accounts 2020-03-22 19:10:49 -07:00
Dane Everitt
933a4733e8 Add base support for creating a new API key for an account 2020-03-22 18:15:38 -07:00