Don't return variables to users that they should not be able to see; closes pterodactyl#2388

DaneEveritt · DaneEveritt · commit 2182a15494e3 · 2020-09-22T21:12:00.000-07:00
diff --git a/app/Http/Controllers/Api/Client/Servers/StartupController.php b/app/Http/Controllers/Api/Client/Servers/StartupController.php
@@ -2,15 +2,12 @@
 
 namespace Pterodactyl\Http\Controllers\Api\Client\Servers;
 
-use Carbon\CarbonImmutable;
 use Pterodactyl\Models\Server;
-use Illuminate\Http\JsonResponse;
 use Pterodactyl\Services\Servers\StartupCommandService;
 use Pterodactyl\Services\Servers\VariableValidatorService;
 use Pterodactyl\Repositories\Eloquent\ServerVariableRepository;
 use Pterodactyl\Transformers\Api\Client\EggVariableTransformer;
 use Pterodactyl\Http\Controllers\Api\Client\ClientApiController;
-use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Pterodactyl\Http\Requests\Api\Client\Servers\Startup\GetStartupRequest;
 use Pterodactyl\Http\Requests\Api\Client\Servers\Startup\UpdateStartupVariableRequest;
@@ -59,7 +56,9 @@ public function index(GetStartupRequest $request, Server $server)
     {
         $startup = $this->startupCommandService->handle($server, false);
 
-        return $this->fractal->collection($server->variables)
+        return $this->fractal->collection(
+            $server->variables()->where('user_viewable', true)->get()
+        )
             ->transformWith($this->getTransformer(EggVariableTransformer::class))
             ->addMeta([
                 'startup_command' => $startup,
@@ -84,7 +83,7 @@ public function update(UpdateStartupVariableRequest $request, Server $server)
         /** @var \Pterodactyl\Models\EggVariable $variable */
         $variable = $server->variables()->where('env_variable', $request->input('key'))->first();
 
-        if (is_null($variable) || !$variable->user_viewable) {
+        if (is_null($variable) || ! $variable->user_viewable) {
             throw new BadRequestHttpException(
                 "The environment variable you are trying to edit does not exist."
             );
diff --git a/app/Transformers/Api/Client/EggVariableTransformer.php b/app/Transformers/Api/Client/EggVariableTransformer.php
@@ -2,6 +2,8 @@
 
 namespace Pterodactyl\Transformers\Api\Client;
 
+use BadMethodCallException;
+use InvalidArgumentException;
 use Pterodactyl\Models\EggVariable;
 
 class EggVariableTransformer extends BaseClientTransformer
@@ -20,6 +22,15 @@ public function getResourceName(): string
      */
     public function transform(EggVariable $variable)
     {
+        // This guards against someone incorrectly retrieving variables (haha, me) and then passing
+        // them into the transformer and along to the user. Just throw an exception and break the entire
+        // pathway since you should never be exposing these types of variables to a client.
+        if (!$variable->user_viewable) {
+            throw new BadMethodCallException(
+                'Cannot transform a hidden egg variable in a client transformer.'
+            );
+        }
+
         return [
             'name' => $variable->name,
             'description' => $variable->description,
