pangolin/server/routers at 51629247a51456325747dad493046031f90a1b06 - pangolin - Erfmann.dev Git

calvin.erfmann/pangolin

mirror of https://github.com/fosrl/pangolin.git synced 2026-06-06 07:38:46 +00:00

Files

History

Marc Schäfer 51629247a5 fix(middleware): prevent cross-org site binding in target create/update

Extend verifySiteAccess to check that when req.userOrgId is already set
by a prior middleware (e.g. verifyResourceAccess/verifyTargetAccess), the
site from req.body.siteId belongs to the same organization. This prevents
the cross-organization tunnel boundary bypass where an attacker with
resource access in one org binds that resource's target to a site in
another org.

Add verifySiteAccess to both target route stacks:
- PUT /resource/:resourceId/target (after verifyResourceAccess)
- POST /target/:targetId (after verifyTargetAccess)

The org-match check runs before req.userOrg is overwritten, so the
resource's organization context is preserved for comparison.

Signed-off-by: Marc Schäfer <git@marcschaeferger.de>

2026-05-29 22:44:16 +00:00

..

Adjust validation to allow creation with (optional) path

2026-05-28 20:15:22 -07:00

Allow configuring the webhook body

2026-05-02 13:26:54 -07:00

openapi and swagger ui improvements and cleanup

2026-03-02 21:59:41 -08:00

Merge pull request #3119 from Adityakk9031/#3086

2026-05-28 15:50:27 -07:00

Merge pull request #3085 from marcschaeferger-org/security-updates

2026-05-28 11:54:23 -07:00

Add user id

2026-05-29 10:57:16 -07:00

add subscription violation banner

2026-02-11 10:06:56 -08:00

openapi and swagger ui improvements and cleanup

2026-03-02 21:59:41 -08:00

Update get cert to now allow restarting

2026-04-27 16:19:37 -07:00

Merge branch 'rdp-ssh' into dev

2026-05-28 13:59:14 -07:00

Merge pull request #3085 from marcschaeferger-org/security-updates

2026-05-28 11:54:23 -07:00

generatedLicense

Working on complete auth flow

2026-02-04 16:32:53 -08:00

Optimize get all relays

2026-05-14 16:59:15 -07:00

Add the site to the ui and allow picking

2026-04-21 14:34:28 -07:00

don't await second calculate func

2026-05-05 12:37:52 -07:00

🚧 Add CRUD endpoints and tables for labels

2026-05-05 20:53:16 +02:00

Merge dev into fix/log-analytics-adjustments

2025-12-10 03:19:14 +01:00

Merge dev into fix/log-analytics-adjustments

2025-12-10 03:19:14 +01:00

Merge branch 'auto-update' into dev

2026-05-28 13:59:34 -07:00

Optimize building aliases in jit mode

2026-05-14 12:25:05 -07:00

Control updates from the ui

2026-05-21 15:43:31 -07:00

import and unassocaite org idp

2026-04-16 20:58:18 -07:00

Support multiple roles

2026-05-04 14:54:20 -07:00

Show remote nodes update in table

2026-05-02 11:55:01 -07:00

Add path onto redirectUrl

2026-05-28 20:19:19 -07:00

Merge branch 'dev' into feat/paginate-user-roles-table

2026-03-31 18:55:21 +02:00

add server info endpoint

2026-01-18 12:19:07 -08:00

Merge branch 'resource-policies' into dev

2026-05-28 15:30:16 -07:00

siteProvisioning

Add basic provisioning room v1 and update keys

2026-03-29 16:28:51 -07:00

Merge branch 'rdp-ssh' into dev

2026-05-28 13:59:14 -07:00

Merge dev into fix/log-analytics-adjustments

2025-12-10 03:19:14 +01:00

Complete removal of http and protocol from public

2026-05-27 17:19:04 -07:00

Support overriding badger for testing

2026-03-28 21:24:13 -07:00

Merge branch 'dev' into resource-policies

2026-05-12 21:12:40 -07:00

cleaned comments - more concise

2026-05-03 00:00:11 -04:00

external.ts

fix(middleware): prevent cross-org site binding in target create/update

2026-05-29 22:44:16 +00:00

hybrid.ts

Merge dev into fix/log-analytics-adjustments

2025-12-10 03:19:14 +01:00

integration.ts

Merge branch 'feat/resource-policies' into resource-policies

2026-05-04 14:40:44 -07:00

internal.ts

Add internal api get for proxy information

2026-05-19 20:02:26 -07:00