Owen
769d36e289
Fix http resources not being pulled
2026-06-04 15:36:25 -07:00
Owen Schwartz
01361884eb
Potential fix for pull request finding 'CodeQL / Insecure randomness'
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
2026-06-04 10:33:15 -07:00
Owen
6c4cbcab5d
Fix eslint errors
2026-06-04 10:22:29 -07:00
Owen Schwartz
aac25f0a53
Merge pull request #3214 from marcschaeferger/dev
Prevent cross-org site binding in target create/update
2026-06-04 10:11:53 -07:00
miloschwartz
f5ab837cce
remove idp user if unassociate idp, warn, and fix create user form bug
2026-06-03 21:42:18 -07:00
Owen
e408e735be
Make alias cross compatible
2026-06-03 17:58:59 -07:00
Owen
bc6fd0b399
Get user resources from the right table
2026-06-03 16:53:39 -07:00
Owen
d00b737412
Pull the sso from the policies as well
2026-06-03 16:16:42 -07:00
Owen
cc5bec1d83
Pull the rules and the policy information
2026-06-03 15:33:15 -07:00
Owen
40125c717c
Pull things in proper order
2026-06-03 14:52:36 -07:00
Owen
2b402f8fec
Quiet logs
2026-06-03 14:48:51 -07:00
Owen
8e9071a336
Converting to use both inline and shared policy
2026-06-03 14:41:43 -07:00
Owen
18bcf40174
Merge branch 'dev' of github.com:fosrl/pangolin into dev
2026-06-03 13:50:54 -07:00
Fred KISSIE
a21569bd00
🏷️ fix types imports from a client component
2026-06-03 20:14:43 +02:00
Fred KISSIE
565727ad36
🏷️ import types correctly
2026-06-03 19:51:44 +02:00
Owen
b70a2bee58
Native ssh push users is working
2026-06-02 22:00:29 -07:00
Owen
f2f56dc6c2
Properly paywall the new resource types
2026-06-02 18:06:42 -07:00
Owen
128db20755
Remove migration test
2026-06-02 17:13:10 -07:00
Owen
12cbd40596
Fix types
2026-06-02 16:56:58 -07:00
Owen
ffd0d17b58
Add proxy protocol support in blueprints
2026-06-02 16:42:26 -07:00
Owen
33fad57bf7
Restrict the number of sites in the api
2026-06-02 16:38:04 -07:00
Owen
8bcc130947
Make sure the right type of select shows
2026-06-02 16:33:05 -07:00
Owen
19feaf4bf2
Add the policy information into missing places
2026-06-02 15:47:55 -07:00
Owen
88ea4391e0
Show new types of resources right
2026-06-02 15:31:33 -07:00
Owen
b6d688f15e
Support pin,pass,whitelist correctly on login
2026-06-01 21:34:39 -07:00
Owen
4d6ed7eec5
Pull from the policies to show to users
2026-06-01 17:49:09 -07:00
Owen
1625dd1add
Include the new policy tables in the data
2026-06-01 17:04:33 -07:00
Owen
605dd2f3c9
Add tcp and udp specific pages
2026-06-01 16:05:20 -07:00
Owen
2ae4c29418
Add missing set
2026-06-01 15:27:30 -07:00
Owen
ba71016f87
Add inline policy migration
2026-06-01 15:18:40 -07:00
Owen
85c2bd807e
Handle the new added mode column
2026-06-01 14:49:41 -07:00
Owen
517e1d15c8
Add 1.19.0 migrations
2026-06-01 14:42:32 -07:00
Owen
5dd19edb56
Hold the hp error message until after 18 tries
2026-06-01 14:05:19 -07:00
Owen
c6a52ffc75
Don't run migration again when rc
2026-06-01 13:58:04 -07:00
Owen
09b2671759
Send hp error to olm
2026-06-01 13:57:54 -07:00
Owen
d11a244caa
Push mode and sign key adjustments for native mode
2026-06-01 11:41:55 -07:00
Owen
b99e9a6468
Working on ui
2026-05-31 17:25:03 -07:00
Owen
cb2ee9c489
Fixing visual issues
2026-05-31 16:36:13 -07:00
Owen
c1d933259a
Fix some ui form issues
2026-05-31 11:57:01 -07:00
Owen
0f2132e565
Merge branch 'main' into dev
2026-05-31 11:12:30 -07:00
Owen
5cc88dc73f
Pull the session from badger
2026-05-31 11:11:26 -07:00
Owen Schwartz
ebe1c7a297
Improve OpenAPI response payload typing for Swagger data schemas (#3102)
* Fix custom parser OpenAPI types and add structured default response schema
Agent-Logs-Url: https://github.com/fosrl/pangolin/sessions/73990123-9c27-444b-bc6e-77e890a0d57c
Co-authored-by: oschwartz10612 <4999704+oschwartz10612@users.noreply.github.com>
* Document all registerPath responses and normalize OpenAPI parser schemas
Agent-Logs-Url: https://github.com/fosrl/pangolin/sessions/73990123-9c27-444b-bc6e-77e890a0d57c
Co-authored-by: oschwartz10612 <4999704+oschwartz10612@users.noreply.github.com>
* Add concrete OpenAPI data schemas for selected routes
Agent-Logs-Url: https://github.com/fosrl/pangolin/sessions/7b395a8e-7fae-4f4d-952e-4030fea08262
Co-authored-by: oschwartz10612 <4999704+oschwartz10612@users.noreply.github.com>
* Reformat generated OpenAPI response schemas for readability
Agent-Logs-Url: https://github.com/fosrl/pangolin/sessions/7b395a8e-7fae-4f4d-952e-4030fea08262
Co-authored-by: oschwartz10612 <4999704+oschwartz10612@users.noreply.github.com>
* Remove obsolete stoi import from blueprint OpenAPI route
Agent-Logs-Url: https://github.com/fosrl/pangolin/sessions/7b395a8e-7fae-4f4d-952e-4030fea08262
Co-authored-by: oschwartz10612 <4999704+oschwartz10612@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: oschwartz10612 <4999704+oschwartz10612@users.noreply.github.com>
2026-05-31 11:10:38 -07:00
Owen
0943cf5d4c
Don't strip session
2026-05-30 12:10:06 -07:00
Owen
6df4bba3b6
Bump version
2026-05-29 17:12:26 -07:00
Marc Schäfer
f617f93a94
test(middleware): add regression tests for cross-org site binding prevention
Test the org-match logic in verifySiteAccess:
- Same org: allowed
- Cross-org: rejected with 403
- No prior org context (site-only routes): check skipped, normal flow
Test route stack ordering:
- verifySiteAccess runs after verifyResourceAccess/verifyTargetAccess
- verifySiteAccess runs before the target create/update handler
Test security scenarios for both WireGuard and newt site types.
Signed-off-by: Marc Schäfer <git@marcschaeferger.de>
2026-05-29 22:57:39 +00:00
Marc Schäfer
51629247a5
fix(middleware): prevent cross-org site binding in target create/update
Extend verifySiteAccess to check that when req.userOrgId is already set
by a prior middleware (e.g. verifyResourceAccess/verifyTargetAccess), the
site from req.body.siteId belongs to the same organization. This prevents
the cross-organization tunnel boundary bypass where an attacker with
resource access in one org binds that resource's target to a site in
another org.
Add verifySiteAccess to both target route stacks:
- PUT /resource/:resourceId/target (after verifyResourceAccess)
- POST /target/:targetId (after verifyTargetAccess)
The org-match check runs before req.userOrg is overwritten, so the
resource's organization context is preserved for comparison.
Signed-off-by: Marc Schäfer <git@marcschaeferger.de>
2026-05-29 22:44:16 +00:00
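The two commits above (the fix and its regression tests) describe an org-match check in a site-access middleware: when an earlier middleware has already set the request's org from the resource or target being edited, the site named in the request body must belong to that same org, and the comparison happens before the site's org overwrites the request context. The block below is an added illustration of that check, not Pangolin's own code. It stands in for Express with plain request/response objects, uses a constructed in-memory site table, and the names `findSite`, `runTargetCreate`, the `Req`/`Res` shapes and the error strings are assumptions for the example.

```typescript
// Added example: org-match check modelled on the commit message above.
// Not Pangolin's code; the site store, request shape and error strings
// are assumptions made for this illustration.

type SiteType = "wireguard" | "newt";
type Site = { siteId: number; orgId: string; type: SiteType };

// Constructed sample data: two organizations, one site each.
const SITES: Site[] = [
  { siteId: 1, orgId: "org-a", type: "newt" },
  { siteId: 2, orgId: "org-b", type: "wireguard" },
];

// Minimal stand-ins for an Express request/response.
type Req = {
  userOrgId?: string;            // set by verifyResourceAccess / verifyTargetAccess
  userOrg?: { orgId: string };   // set by verifySiteAccess from the site
  body: { siteId?: number };
};
type Res = { status: number; body?: string };
type Outcome = { res: Res; nextCalled: boolean; req: Req };

function findSite(siteId: number): Site | undefined {
  return SITES.find((s) => s.siteId === siteId);
}

// verifySiteAccess-style middleware. Returns the response it would have
// sent and whether it would have called next().
function verifySiteAccess(req: Req): Outcome {
  const siteId = req.body.siteId;
  if (siteId === undefined) {
    return { res: { status: 400, body: "siteId required" }, nextCalled: false, req };
  }
  const site = findSite(siteId);
  if (!site) {
    return { res: { status: 404, body: "site not found" }, nextCalled: false, req };
  }
  // Org-match check: runs BEFORE req.userOrg is overwritten, so the org
  // derived from the resource/target is still the one being compared.
  if (req.userOrgId !== undefined && req.userOrgId !== site.orgId) {
    return {
      res: { status: 403, body: "site belongs to another organization" },
      nextCalled: false,
      req,
    };
  }
  // Normal flow (same org, or a site-only route with no prior org context):
  // record the site's org for downstream handlers and continue.
  req.userOrg = { orgId: site.orgId };
  req.userOrgId = site.orgId;
  return { res: { status: 200 }, nextCalled: true, req };
}

// Simulates the target create/update stack: a prior middleware sets
// req.userOrgId from the resource (pass undefined to model a site-only
// route where no org context exists yet), then verifySiteAccess runs.
function runTargetCreate(resourceOrgId: string | undefined, siteId: number): Outcome {
  const req: Req = { body: { siteId } };
  if (resourceOrgId !== undefined) {
    req.userOrgId = resourceOrgId; // stand-in for verifyResourceAccess
  }
  return verifySiteAccess(req);
}

// Stand-alone run: same org passes, cross-org is rejected.
console.log(runTargetCreate("org-a", 1).nextCalled, runTargetCreate("org-a", 2).res.status);
```

The three scenarios in the test commit map directly onto `runTargetCreate`: same org (`"org-a"`, site 1) reaches the handler, cross-org (`"org-a"`, site 2) stops at 403, and a site-only route with no prior org context (`undefined`, site 2) skips the check and proceeds; the site's type does not affect the decision, so both WireGuard and newt sites are covered by the same path.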
Owen
0ab1854125
Fix import
2026-05-29 15:38:37 -07:00
Owen
b071fa2c9f
Be able to pull users from the proxy
2026-05-29 15:34:34 -07:00
Owen
8e2a79a0f5
Move to private
2026-05-29 15:23:40 -07:00
Owen
76cd716caa
Add user id
2026-05-29 10:57:16 -07:00