Merge pull request #3214 from marcschaeferger/dev

Prevent cross-org site binding in target create/update
Owen Schwartz
2026-06-04 10:11:53 -07:00
committed by GitHub
3 changed files with 336 additions and 5 deletions


@@ -561,6 +561,7 @@ authenticated.delete(
authenticated.put(
"/resource/:resourceId/target",
verifyResourceAccess,
verifySiteAccess,
verifyLimits,
verifyUserHasAction(ActionsEnum.createTarget),
logActionAudit(ActionsEnum.createTarget),
@@ -612,6 +613,7 @@ authenticated.get(
authenticated.post(
"/target/:targetId",
verifyTargetAccess,
verifySiteAccess,
verifyLimits,
verifyUserHasAction(ActionsEnum.updateTarget),
logActionAudit(ActionsEnum.updateTarget),
@@ -1234,7 +1236,8 @@ export const authRouter = Router();
unauthenticated.use("/auth", authRouter);
authRouter.use(
rateLimit({
windowMs: config.getRawConfig().rate_limits.auth.window_minutes * 60 * 1000,
windowMs:
config.getRawConfig().rate_limits.auth.window_minutes * 60 * 1000,
max: config.getRawConfig().rate_limits.auth.max_requests,
keyGenerator: (req) =>
`authRouterGlobal:${ipKeyGenerator(req.ip || "")}:${req.path}`,