Owen Schwartz
aac25f0a53
Merge pull request #3214 from marcschaeferger/dev
Prevent cross-org site binding in target create/update
2026-06-04 10:11:53 -07:00
Owen
e408e735be
Make alias cross compatible
2026-06-03 17:58:59 -07:00
Owen
bc6fd0b399
Get user resources from the right table
2026-06-03 16:53:39 -07:00
Owen
d00b737412
Pull the sso from the policies as well
2026-06-03 16:16:42 -07:00
Owen
cc5bec1d83
Pull the rules and the policy information
2026-06-03 15:33:15 -07:00
Owen
40125c717c
Pull things in proper order
2026-06-03 14:52:36 -07:00
Owen
8e9071a336
Converting to use both inline and shared policy
2026-06-03 14:41:43 -07:00
Fred KISSIE
a21569bd00
🏷️ fix types imports from a client component
2026-06-03 20:14:43 +02:00
Owen
f2f56dc6c2
Properly paywall the new resource types
2026-06-02 18:06:42 -07:00
Owen
12cbd40596
Fix types
2026-06-02 16:56:58 -07:00
Owen
33fad57bf7
Restrict the number of sites in the api
2026-06-02 16:38:04 -07:00
Owen
8bcc130947
Make sure the right type of select shows
2026-06-02 16:33:05 -07:00
Owen
88ea4391e0
Show new types of resources right
2026-06-02 15:31:33 -07:00
Owen
b6d688f15e
Support pin,pass,whitelist correctly on login
2026-06-01 21:34:39 -07:00
Owen
4d6ed7eec5
Pull from the policies to show to users
2026-06-01 17:49:09 -07:00
Owen
1625dd1add
Include the new policy tables in the data
2026-06-01 17:04:33 -07:00
Owen
5dd19edb56
Hold the hp error message until after 18 tries
2026-06-01 14:05:19 -07:00
Owen
09b2671759
Send hp error to olm
2026-06-01 13:57:54 -07:00
Owen
d11a244caa
Push mode and sign key adjustments for native mode
2026-06-01 11:41:55 -07:00
Owen
b99e9a6468
Working on ui
2026-05-31 17:25:03 -07:00
Owen
cb2ee9c489
Fixing visual issues
2026-05-31 16:36:13 -07:00
Owen
c1d933259a
Fix some ui form issues
2026-05-31 11:57:01 -07:00
Owen
0f2132e565
Merge branch 'main' into dev
2026-05-31 11:12:30 -07:00
Owen Schwartz
ebe1c7a297
Improve OpenAPI response payload typing for Swagger data schemas ( #3102 )
* Fix custom parser OpenAPI types and add structured default response schema
Agent-Logs-Url: https://github.com/fosrl/pangolin/sessions/73990123-9c27-444b-bc6e-77e890a0d57c
Co-authored-by: oschwartz10612 <4999704+oschwartz10612@users.noreply.github.com>
* Document all registerPath responses and normalize OpenAPI parser schemas
Agent-Logs-Url: https://github.com/fosrl/pangolin/sessions/73990123-9c27-444b-bc6e-77e890a0d57c
Co-authored-by: oschwartz10612 <4999704+oschwartz10612@users.noreply.github.com>
* Add concrete OpenAPI data schemas for selected routes
Agent-Logs-Url: https://github.com/fosrl/pangolin/sessions/7b395a8e-7fae-4f4d-952e-4030fea08262
Co-authored-by: oschwartz10612 <4999704+oschwartz10612@users.noreply.github.com>
* Reformat generated OpenAPI response schemas for readability
Agent-Logs-Url: https://github.com/fosrl/pangolin/sessions/7b395a8e-7fae-4f4d-952e-4030fea08262
Co-authored-by: oschwartz10612 <4999704+oschwartz10612@users.noreply.github.com>
* Remove obsolete stoi import from blueprint OpenAPI route
Agent-Logs-Url: https://github.com/fosrl/pangolin/sessions/7b395a8e-7fae-4f4d-952e-4030fea08262
Co-authored-by: oschwartz10612 <4999704+oschwartz10612@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: oschwartz10612 <4999704+oschwartz10612@users.noreply.github.com>
2026-05-31 11:10:38 -07:00
Owen
0943cf5d4c
Don't strip session
2026-05-30 12:10:06 -07:00
Marc Schäfer
51629247a5
fix(middleware): prevent cross-org site binding in target create/update
Extend verifySiteAccess to check that when req.userOrgId is already set
by a prior middleware (e.g. verifyResourceAccess/verifyTargetAccess), the
site from req.body.siteId belongs to the same organization. This prevents
the cross-organization tunnel boundary bypass where an attacker with
resource access in one org binds that resource's target to a site in
another org.
Add verifySiteAccess to both target route stacks:
- PUT /resource/:resourceId/target (after verifyResourceAccess)
- POST /target/:targetId (after verifyTargetAccess)
The org-match check runs before req.userOrg is overwritten, so the
resource's organization context is preserved for comparison.
Signed-off-by: Marc Schäfer <git@marcschaeferger.de>
2026-05-29 22:44:16 +00:00
Owen
0ab1854125
Fix import
2026-05-29 15:38:37 -07:00
Owen
8e2a79a0f5
Move to private
2026-05-29 15:23:40 -07:00
Owen
76cd716caa
Add user id
2026-05-29 10:57:16 -07:00
Owen
94408aad21
Add path onto redirectUrl
2026-05-28 20:19:19 -07:00
NHClaessens
b84a7996a9
Adjust validation to allow creation with (optional) path
2026-05-28 20:15:22 -07:00
Owen
2f124bffc4
Merge branch 'main' into dev
2026-05-28 17:46:42 -07:00
Owen Schwartz
c74b423bae
Merge pull request #3119 from Adityakk9031/#3086
Sort resource filter options in audit logs
2026-05-28 15:50:27 -07:00
Owen
f8a757c55f
Merge branch 'resource-policies' into dev
2026-05-28 15:30:16 -07:00
Owen
6aea3f1643
Merge branch 'auto-update' into dev
2026-05-28 13:59:34 -07:00
Owen
073dc34522
Merge branch 'rdp-ssh' into dev
2026-05-28 13:59:14 -07:00
Owen
e2f2608358
Merge branch 'main' into dev
2026-05-28 13:56:08 -07:00
Owen Schwartz
957e7ba127
Merge pull request #3175 from shleeable/patch-4
Fix: OLM token rate limit uses wrong field name
2026-05-28 12:13:04 -07:00
Owen Schwartz
def710cba8
Merge pull request #3176 from shleeable/patch-5
Fix: Update external.ts windowMs rate limit for milliseconds
2026-05-28 12:12:39 -07:00
Owen Schwartz
2946df3b8e
Merge pull request #3085 from marcschaeferger-org/security-updates
Normalize request parameters and update dependencies for Security
2026-05-28 11:54:23 -07:00
Shlee
a79d0f1677
Update external.ts
2026-05-28 15:45:06 +09:30
Shlee
bfd7a7f561
Update external.ts
2026-05-28 15:31:45 +09:30
Owen Schwartz
ddb132f9fa
Merge pull request #3085 from marcschaeferger-org/security-updates
Normalize request parameters and update dependencies for Security
2026-05-27 21:37:50 -07:00
Owen
64c901d91f
Properly lock the ip selection through writes to db
2026-05-27 21:08:45 -07:00
Owen
0ff0e83c9f
Complete removal of http and protocol from public
2026-05-27 17:19:04 -07:00
Owen
06cc13c637
Moving to mode replacing http and protocol fields
2026-05-27 12:04:00 -07:00
Owen
464d4990df
Fix cascading errors
2026-05-27 11:34:34 -07:00
Owen
cb90672573
Trying to get these forms to work
2026-05-26 21:20:34 -07:00
Owen
aa7004b2ff
Add new ssh config for private resources
2026-05-26 17:50:46 -07:00
Owen
eca87b66f0
Use the create api
2026-05-26 17:11:45 -07:00