Deny /etc/pterodactyl as a source path for mounts

matthewpi · matthewpi · commit f7520b721be0 · 2020-10-17T14:29:29.000-06:00
diff --git a/app/Http/Controllers/Admin/MountController.php b/app/Http/Controllers/Admin/MountController.php
@@ -105,6 +105,11 @@ public function create(MountFormRequest $request)
         $model = (new Mount())->fill($request->validated());
         $model->forceFill(['uuid' => Uuid::uuid4()->toString()]);
 
+        if (str_starts_with($model->source, '/etc/pterodactyl')) {
+            $this->alert->danger('Invalid source path: "/etc/pterodactyl" cannot be used as a source path.')->flash();
+            return redirect()->route('admin.mounts');
+        }
+
         if (str_starts_with($model->source, '/var/lib/pterodactyl/volumes')) {
             $this->alert->danger('Invalid source path: "/var/lib/pterodactyl/volumes" cannot be used as a source path.')->flash();
             return redirect()->route('admin.mounts');
@@ -145,6 +150,11 @@ public function update(MountFormRequest $request, Mount $mount)
 
         $mount->forceFill($request->validated());
 
+        if (str_starts_with($mount->source, '/etc/pterodactyl')) {
+            $this->alert->danger('Invalid source path: "/etc/pterodactyl" cannot be used as a source path.')->flash();
+            return redirect()->route('admin.mounts.view', $mount->id);
+        }
+
         if (str_starts_with($mount->source, '/var/lib/pterodactyl/volumes')) {
             $this->alert->danger('Invalid source path: "/var/lib/pterodactyl/volumes" cannot be used as a source path.')->flash();
             return redirect()->route('admin.mounts.view', $mount->id);
