Extend verifySiteAccess to check that when req.userOrgId is already set by a prior middleware (e.g. verifyResourceAccess/verifyTargetAccess), the site from req.body.siteId belongs to the same organization. This prevents the cross-organization tunnel boundary bypass where an attacker with resource access in one org binds that resource's target to a site in another org.

Add verifySiteAccess to both target route stacks:
- PUT /resource/:resourceId/target (after verifyResourceAccess)
- POST /target/:targetId (after verifyTargetAccess)

The org-match check runs before req.userOrg is overwritten, so the resource's organization context is preserved for comparison.

Signed-off-by: Marc Schäfer <git@marcschaeferger.de>
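One way to implement the org-match check the commit describes, as an added Express-style example that is not Pangolin's own code: the sites table, the preceding middleware body and the route-stack runner are constructed stand-ins, and only the request fields named in the commit message (req.userOrgId, req.userOrg, req.body.siteId) are taken from it.

```javascript
// Constructed in-memory stand-in for the sites table (not Pangolin's schema).
const SITES = {
  101: { siteId: 101, orgId: "org-a" },
  202: { siteId: 202, orgId: "org-b" },
};

// Stand-in for verifyResourceAccess / verifyTargetAccess: the earlier
// middleware has already resolved the resource's org and stored it on req.
function verifyResourceAccess(req, res, next) {
  req.userOrgId = req.resourceOrgId;
  req.userOrg = { orgId: req.resourceOrgId };
  next();
}

function verifySiteAccess(req, res, next) {
  const site = SITES[req.body.siteId];
  if (!site) return res.status(404).send("Site not found");
  // The org-match check runs BEFORE req.userOrg is overwritten with the
  // site's org, so the resource's organization context is still available.
  if (req.userOrgId !== undefined && req.userOrgId !== site.orgId) {
    return res.status(403).send("Site belongs to a different organization");
  }
  req.userOrgId = site.orgId;
  req.userOrg = { orgId: site.orgId };
  next();
}

// Minimal stand-in for an Express route stack: run the middlewares in
// order and stop at the first one that sends a response.
function runStack(middlewares, req) {
  const result = { status: 200, message: "ok" };
  const res = {
    status(code) { result.status = code; return this; },
    send(message) { result.message = message; },
  };
  let i = 0;
  const next = () => { if (i < middlewares.length) middlewares[i++](req, res, next); };
  next();
  return result;
}

// Simulates PUT /resource/:resourceId/target: a resource in resourceOrgId
// has its target bound to siteId (constructed request shape).
function bindTarget(resourceOrgId, siteId) {
  return runStack([verifyResourceAccess, verifySiteAccess], { resourceOrgId, body: { siteId } });
}
// Site-only route with no prior org context: the comparison is skipped.
function siteOnly(siteId) {
  return runStack([verifySiteAccess], { body: { siteId } });
}
```

A same-org bind (org-a resource, site 101) passes, a cross-org bind (org-a resource, site 202) is rejected with 403, and an unknown site returns 404.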
Get started with Pangolin at app.pangolin.net
Pangolin is an open-source, identity-based remote access platform built on WireGuard® that enables secure, seamless connectivity to private and public resources. Pangolin combines reverse proxy and VPN capabilities into one platform, providing browser-based access to web applications and client-based access to any private resources with NAT traversal, all with granular access controls.
Installation
- Get started for free with Pangolin Cloud.
- Or, check out the quick install guide for how to self-host Pangolin.
- Install from the DigitalOcean marketplace for a one-click pre-configured installer.
Deployment Options
- Pangolin Cloud - Fully managed service - no infrastructure required.
- Self-Host: Community Edition - Free, open source, and licensed under AGPL-3.
- Self-Host: Enterprise Edition - Licensed under the Fossorial Commercial License. Free for personal and hobbyist use, and for businesses making less than $100K USD gross annual revenue.
Key Features
Connect remote networks with sites and NAT traversal
Pangolin's site connectors provide gateways into networks so you can access any networked resources. Sites use outbound tunnels and intelligent NAT traversal to make networks behind restrictive firewalls available for authorized access without public IPs or open ports. Easily deploy a site as a binary or container on any platform.
Browser-based reverse proxy access
Expose web applications through identity and context-aware tunneled reverse proxies. Users access applications through any web browser with authentication and granular access control without installing a client. Pangolin handles routing, load balancing, health checking, and automatic SSL certificates without exposing your network directly to the internet.
Client-based private resource access
Access private resources like SSH servers, databases, RDP, and entire network ranges through Pangolin clients. Intelligent NAT traversal enables connections even through restrictive firewalls, while DNS aliases provide friendly names and fast connections to resources across all your sites. Add redundancy by routing traffic through multiple connectors in your network.
Give users and roles access to resources
Use Pangolin's built-in users or bring your own identity provider and set up role-based access control (RBAC). Grant users access to specific resources, not entire networks. Unlike traditional VPNs that expose full network access, Pangolin's zero-trust model ensures users can only reach the applications, services, and routes you explicitly define.
Download Clients
Download the Pangolin client for your platform.
Get Started
Sign up now
Create a free account at app.pangolin.net to get started with Pangolin Cloud.
Check out the docs
We encourage everyone to read the full documentation first, which is available at docs.pangolin.net. This README provides only a very brief subset of the docs to illustrate some basic ideas.
Licensing
Pangolin is dual licensed under the AGPL-3 and the Fossorial Commercial License. For inquiries about commercial licensing, please contact us at contact@pangolin.net.
Contributions
Please see CONTRIBUTING in the repository for guidelines and best practices.