[+] Fixed server creation vulnerability

When a user wanted to create a server, the Firebase record was created before the preliminary checks were made; reordering the function has fixed that.
This commit is contained in:
Charles Le Maux 2024-09-16 01:52:16 +02:00
parent c057e33713
commit 20047990b5


@ -199,7 +199,6 @@ def server_create(user: UserRecord, name: str, version: str, framework: str = "p
return HTTPStatus.NOT_FOUND, f"You haven't associated a subdomain yet." return HTTPStatus.NOT_FOUND, f"You haven't associated a subdomain yet."
if firebase_manager.server_name_taken(user_id, name): if firebase_manager.server_name_taken(user_id, name):
return HTTPStatus.CONFLICT, f"Server name '{name}' already in use." return HTTPStatus.CONFLICT, f"Server name '{name}' already in use."
firebase_manager.create_server(user_id, name, version, port, framework)
file_manager.create_folder(server_path) file_manager.create_folder(server_path)
file_manager.copy_folder_contents(server_template_path, server_path) file_manager.copy_folder_contents(server_template_path, server_path)
file_manager.copy_folder_contents("servers/shared", server_path) file_manager.copy_folder_contents("servers/shared", server_path)
@ -208,6 +207,7 @@ def server_create(user: UserRecord, name: str, version: str, framework: str = "p
file_manager.update_server_property(prop_path, "query.port", port) file_manager.update_server_property(prop_path, "query.port", port)
file_manager.update_server_property(prop_path, "enable-query", "true") file_manager.update_server_property(prop_path, "enable-query", "true")
file_manager.log_action(user_id, name, "ServerCreate") file_manager.log_action(user_id, name, "ServerCreate")
firebase_manager.create_server(user_id, name, version, port, framework)
return HTTPStatus.CREATED, f"Successfully created server '{name}'." return HTTPStatus.CREATED, f"Successfully created server '{name}'."
except Exception as e: except Exception as e:
file_manager.log_error(type(e).__name__, str(e)) file_manager.log_error(type(e).__name__, str(e))
@ -304,7 +304,7 @@ def update_property(uid: str, name: str, prop: str, value: str) -> tuple[HTTPSta
def update_properties(user: UserRecord, name: str, props: list[tuple[str, str]]) -> tuple[HTTPStatus, Union[str, None]]: def update_properties(user: UserRecord, name: str, props: list[tuple[str, str]]) -> tuple[HTTPStatus, Union[str, None]]:
errors: list[str] = [] errors: list[str] = []
for prop, value in props: for prop, value in props:
if prop not in MinecraftServerManager.allowed_properties: if prop not in mc_manager.allowed_properties:
return HTTPStatus.FORBIDDEN, f"Property '{prop}' not allowed." return HTTPStatus.FORBIDDEN, f"Property '{prop}' not allowed."
status, message = update_property(uid=user.uid, name=name, prop=prop, value=value) status, message = update_property(uid=user.uid, name=name, prop=prop, value=value)
if status != HTTPStatus.OK: if status != HTTPStatus.OK:
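Review bot: In the `server_create` hunks, moving `firebase_manager.create_server` to the end (the line before `return HTTPStatus.CREATED`) means the `server_name_taken` check and the record that actually makes the name taken are now separated by every filesystem step, so a failure in `create_folder`/`copy_folder_contents`/`update_server_property` or in `create_server` itself leaves a populated `server_path` on disk with no Firebase record, and two concurrent requests for the same name can both pass the check before either writes the record. The `except Exception as e:` branch only calls `log_error` in the visible lines and does not appear to remove `server_path`; I would roll the directory back there — `shutil.rmtree(server_path, ignore_errors=True)`, guarded by a flag set only once `create_folder` has succeeded so a pre-existing directory is never deleted — or reserve the name in Firebase immediately after the last validation and delete that record if a later step fails. Separately, `server_path` is built from `name` above the hunk, so unless something there restricts `name` to a plain path component, this reorder does not stop a name containing `/` or `..` from placing the template copy outside the servers tree; worth confirming. `server_create` begins before the first hunk and the remainder of its `except` body is outside the second, so the rollback may already exist out of view.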