api(remote): fix use of missing node_id field

Fixes #5088
2024-11-21 16:42:29 +01:00 · 2024-05-04 16:06:13 -06:00 · 2024-05-04 16:06:13 -06:00 · 7bfc265a7e
commit 7bfc265a7e
parent b7b2413f3d
2 changed files with 21 additions and 7 deletions
--- a/app/Http/Controllers/Api/Remote/Backups/BackupRemoteUploadController.php
+++ b/app/Http/Controllers/Api/Remote/Backups/BackupRemoteUploadController.php
@ -42,15 +42,22 @@ class BackupRemoteUploadController extends Controller
            throw new BadRequestHttpException('A non-empty "size" query parameter must be provided.');
        }

-        /** @var \Pterodactyl\Models\Backup $backup */
-        $backup = Backup::query()
-            ->where('node_id', $node->id)
+        /** @var \Pterodactyl\Models\Backup $model */
+        $model = Backup::query()
            ->where('uuid', $backup)
            ->firstOrFail();

+        // Check that the backup is "owned" by the node making the request. This avoids other nodes
+        // from messing with backups that they don't own.
+        /** @var \Pterodactyl\Models\Server $server */
+        $server = $model->server;
+        if ($server->node_id !== $node->id) {
+            throw new HttpForbiddenException('You do not have permission to access that backup.');
+        }
+
        // Prevent backups that have already been completed from trying to
        // be uploaded again.
-        if (!is_null($backup->completed_at)) {
+        if (!is_null($model->completed_at)) {
            throw new ConflictHttpException('This backup is already in a completed state.');
        }

@ -61,7 +68,7 @@ class BackupRemoteUploadController extends Controller
        }

        // The path where backup will be uploaded to
-        $path = sprintf('%s/%s.tar.gz', $backup->server->uuid, $backup->uuid);
+        $path = sprintf('%s/%s.tar.gz', $model->server->uuid, $model->uuid);

        // Get the S3 client
        $client = $adapter->getClient();
@ -99,7 +106,7 @@ class BackupRemoteUploadController extends Controller
        }

        // Set the upload_id on the backup in the database.
-        $backup->update(['upload_id' => $params['UploadId']]);
+        $model->update(['upload_id' => $params['UploadId']]);

        return new JsonResponse([
            'parts' => $parts,
--- a/app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php
+++ b/app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php
@ -36,10 +36,17 @@ class BackupStatusController extends Controller

        /** @var \Pterodactyl\Models\Backup $model */
        $model = Backup::query()
-            ->where('node_id', $node->id)
            ->where('uuid', $backup)
            ->firstOrFail();

+        // Check that the backup is "owned" by the node making the request. This avoids other nodes
+        // from messing with backups that they don't own.
+        /** @var \Pterodactyl\Models\Server $server */
+        $server = $model->server;
+        if ($server->node_id !== $node->id) {
+            throw new HttpForbiddenException('You do not have permission to access that backup.');
+        }
+
        if ($model->is_successful) {
            throw new BadRequestHttpException('Cannot update the status of a backup that is already marked as completed.');
        }