Add validation to prevent invalid ports, closes pterodactyl#1034

Author: DaneEveritt

CHANGELOG.md

@@ -9,6 +9,7 @@ This project follows [Semantic Versioning](http://semver.org) guidelines.
 * Correct permissions check in UI to allow subusers with permission to `view-allocations` the ability to actually see the sidebar link.
 * Fixes improper behavior when marking an egg as copying the configuration from another.
 * Debug bar is only checked when the app is set to debug mode in the API session handler, rather than when it is in local mode to match the plugin settings.
+* Added validation to port allocations to prevent allocation of restricted or invalid ports.
 
 ### Changed
 * Panel now throws proper 504: Gateway Timeout errors on server listing when daemon is offline.

app/Exceptions/Service/Allocation/CidrOutOfRangeException.php

@@ -0,0 +1,16 @@
+<?php
+
+namespace Pterodactyl\Exceptions\Service\Allocation;
+
+use Pterodactyl\Exceptions\DisplayException;
+
+class CidrOutOfRangeException extends DisplayException
+{
+    /**
+     * CidrOutOfRangeException constructor.
+     */
+    public function __construct()
+    {
+        parent::__construct(trans('exceptions.allocations.cidr_out_of_range'));
+    }
+}

app/Exceptions/Service/Allocation/InvalidPortMappingException.php

@@ -0,0 +1,18 @@
+<?php
+
+namespace Pterodactyl\Exceptions\Service\Allocation;
+
+use Pterodactyl\Exceptions\DisplayException;
+
+class InvalidPortMappingException extends DisplayException
+{
+    /**
+     * InvalidPortMappingException constructor.
+     *
+     * @param mixed $port
+     */
+    public function __construct($port)
+    {
+        parent::__construct(trans('exceptions.allocations.invalid_mapping', ['port' => $port]));
+    }
+}

app/Exceptions/Service/Allocation/PortOutOfRangeException.php

@@ -0,0 +1,16 @@
+<?php
+
+namespace Pterodactyl\Exceptions\Service\Allocation;
+
+use Pterodactyl\Exceptions\DisplayException;
+
+class PortOutOfRangeException extends DisplayException
+{
+    /**
+     * PortOutOfRangeException constructor.
+     */
+    public function __construct()
+    {
+        parent::__construct(trans('exceptions.allocations.port_out_of_range'));
+    }
+}

app/Exceptions/Service/Allocation/TooManyPortsInRangeException.php

@@ -0,0 +1,16 @@
+<?php
+
+namespace Pterodactyl\Exceptions\Service\Allocation;
+
+use Pterodactyl\Exceptions\DisplayException;
+
+class TooManyPortsInRangeException extends DisplayException
+{
+    /**
+     * TooManyPortsInRangeException constructor.
+     */
+    public function __construct()
+    {
+        parent::__construct(trans('exceptions.allocations.too_many_ports'));
+    }
+}

app/Http/Controllers/Admin/NodesController.php

@@ -331,7 +331,10 @@ public function allocationSetAlias(AllocationAliasFormRequest $request)
      * @param int|\Pterodactyl\Models\Node                                $node
      * @return \Illuminate\Http\RedirectResponse
      *
-     * @throws \Pterodactyl\Exceptions\DisplayException
+     * @throws \Pterodactyl\Exceptions\Service\Allocation\CidrOutOfRangeException
+     * @throws \Pterodactyl\Exceptions\Service\Allocation\InvalidPortMappingException
+     * @throws \Pterodactyl\Exceptions\Service\Allocation\PortOutOfRangeException
+     * @throws \Pterodactyl\Exceptions\Service\Allocation\TooManyPortsInRangeException
      */
     public function createAllocation(AllocationFormRequest $request, Node $node)
     {

app/Http/Controllers/Api/Application/Nodes/AllocationController.php

@@ -73,7 +73,10 @@ public function index(GetAllocationsRequest $request): array
      * @param \Pterodactyl\Http\Requests\Api\Application\Allocations\StoreAllocationRequest $request
      * @return array
      *
-     * @throws \Pterodactyl\Exceptions\DisplayException
+     * @throws \Pterodactyl\Exceptions\Service\Allocation\CidrOutOfRangeException
+     * @throws \Pterodactyl\Exceptions\Service\Allocation\InvalidPortMappingException
+     * @throws \Pterodactyl\Exceptions\Service\Allocation\PortOutOfRangeException
+     * @throws \Pterodactyl\Exceptions\Service\Allocation\TooManyPortsInRangeException
      */
     public function store(StoreAllocationRequest $request): array
     {

app/Services/Allocations/AssignmentService.php

@@ -1,26 +1,24 @@
 <?php
-/**
- * Pterodactyl - Panel
- * Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>.
- *
- * This software is licensed under the terms of the MIT license.
- * https://opensource.org/licenses/MIT
- */
 
 namespace Pterodactyl\Services\Allocations;
 
 use IPTools\Network;
 use Pterodactyl\Models\Node;
 use Illuminate\Database\ConnectionInterface;
-use Pterodactyl\Exceptions\DisplayException;
 use Pterodactyl\Contracts\Repository\AllocationRepositoryInterface;
+use Pterodactyl\Exceptions\Service\Allocation\CidrOutOfRangeException;
+use Pterodactyl\Exceptions\Service\Allocation\PortOutOfRangeException;
+use Pterodactyl\Exceptions\Service\Allocation\InvalidPortMappingException;
+use Pterodactyl\Exceptions\Service\Allocation\TooManyPortsInRangeException;
 
 class AssignmentService
 {
     const CIDR_MAX_BITS = 27;
     const CIDR_MIN_BITS = 32;
+    const PORT_FLOOR = 1024;
+    const PORT_CEIL = 65535;
     const PORT_RANGE_LIMIT = 1000;
-    const PORT_RANGE_REGEX = '/^(\d{1,5})-(\d{1,5})$/';
+    const PORT_RANGE_REGEX = '/^(\d{4,5})-(\d{4,5})$/';
 
     /**
      * @var \Illuminate\Database\ConnectionInterface
@@ -38,62 +36,67 @@ class AssignmentService
      * @param \Pterodactyl\Contracts\Repository\AllocationRepositoryInterface $repository
      * @param \Illuminate\Database\ConnectionInterface                        $connection
      */
-    public function __construct(
-        AllocationRepositoryInterface $repository,
-        ConnectionInterface $connection
-    ) {
+    public function __construct(AllocationRepositoryInterface $repository, ConnectionInterface $connection)
+    {
         $this->connection = $connection;
         $this->repository = $repository;
     }
 
     /**
      * Insert allocations into the database and link them to a specific node.
      *
-     * @param int|\Pterodactyl\Models\Node $node
-     * @param array                        $data
+     * @param \Pterodactyl\Models\Node $node
+     * @param array                    $data
      *
-     * @throws \Pterodactyl\Exceptions\DisplayException
+     * @throws \Pterodactyl\Exceptions\Service\Allocation\CidrOutOfRangeException
+     * @throws \Pterodactyl\Exceptions\Service\Allocation\PortOutOfRangeException
+     * @throws \Pterodactyl\Exceptions\Service\Allocation\InvalidPortMappingException
+     * @throws \Pterodactyl\Exceptions\Service\Allocation\TooManyPortsInRangeException
      */
-    public function handle($node, array $data)
+    public function handle(Node $node, array $data)
     {
-        if ($node instanceof Node) {
-            $node = $node->id;
-        }
-
         $explode = explode('/', $data['allocation_ip']);
         if (count($explode) !== 1) {
             if (! ctype_digit($explode[1]) || ($explode[1] > self::CIDR_MIN_BITS || $explode[1] < self::CIDR_MAX_BITS)) {
-                throw new DisplayException(trans('exceptions.allocations.cidr_out_of_range'));
+                throw new CidrOutOfRangeException;
             }
         }
 
         $this->connection->beginTransaction();
         foreach (Network::parse(gethostbyname($data['allocation_ip'])) as $ip) {
             foreach ($data['allocation_ports'] as $port) {
                 if (! is_digit($port) && ! preg_match(self::PORT_RANGE_REGEX, $port)) {
-                    throw new DisplayException(trans('exceptions.allocations.invalid_mapping', ['port' => $port]));
+                    throw new InvalidPortMappingException($port);
                 }
 
                 $insertData = [];
                 if (preg_match(self::PORT_RANGE_REGEX, $port, $matches)) {
                     $block = range($matches[1], $matches[2]);
 
                     if (count($block) > self::PORT_RANGE_LIMIT) {
-                        throw new DisplayException(trans('exceptions.allocations.too_many_ports'));
+                        throw new TooManyPortsInRangeException;
+                    }
+
+                    if ((int) $matches[1] <= self::PORT_FLOOR || (int) $matches[2] > self::PORT_CEIL) {
+                        throw new PortOutOfRangeException;
                     }
 
                     foreach ($block as $unit) {
                         $insertData[] = [
-                            'node_id' => $node,
+                            'node_id' => $node->id,
                             'ip' => $ip->__toString(),
                             'port' => (int) $unit,
                             'ip_alias' => array_get($data, 'allocation_alias'),
                             'server_id' => null,
                         ];
                     }
                 } else {
+                    if ((int) $port <= self::PORT_FLOOR || (int) $port > self::PORT_CEIL) {
+                        throw new PortOutOfRangeException;
+                    }
+
                     $insertData[] = [
-                        'node_id' => $node,
+                        'node_id' => $node->id,
                         'ip' => $ip->__toString(),
                         'port' => (int) $port,
                         'ip_alias' => array_get($data, 'allocation_alias'),

resources/lang/en/exceptions.php

@@ -8,9 +8,10 @@
     ],
     'allocations' => [
         'server_using' => 'A server is currently assigned to this allocation. An allocation can only be deleted if no server is currently assigned.',
-        'too_many_ports' => 'Adding more than 1000 ports at a single time is not supported. Please use a smaller range.',
+        'too_many_ports' => 'Adding more than 1000 ports in a single range at once is not supported.',
         'invalid_mapping' => 'The mapping provided for :port was invalid and could not be processed.',
         'cidr_out_of_range' => 'CIDR notation only allows masks between /25 and /32.',
+        'port_out_of_range' => 'Ports in an allocation must be greater than 1024 and less than or equal to 65535.',
     ],
     'nest' => [
         'delete_has_servers' => 'A Nest with active servers attached to it cannot be deleted from the Panel.',