Add java selection POST check

Protect against tampered post requests to front end Co-authored-by: andrew.charles.mcmanus@gmail.com <andrew.charles.mcmanus@gmail.com>
2024-08-30 18:23:09 +00:00 · 2022-06-21 18:39:20 +01:00 · 2022-06-21 18:39:20 +01:00 · 176f5a4004
commit 176f5a4004
parent e2d5e7cb69
1 changed files with 15 additions and 0 deletions
--- a/app/classes/web/panel_handler.py
+++ b/app/classes/web/panel_handler.py
@ -1389,6 +1389,21 @@ class PanelHandler(BaseHandler):
                return
            execution_list = shlex.split(execution_command)
            if java_selection:
+                if not any(
+                    java_selection in path for path in Helpers.find_java_installs()
+                ):
+                    self.redirect(
+                        "/panel/error?error=Attack attempted."
+                        + " A copy of this report is being sent to server owner."
+                    )
+                    self.controller.management.add_to_audit_log_raw(
+                        exec_user["username"],
+                        exec_user["user_id"],
+                        server_id,
+                        f"Attempted to send bad java path for {server_id}."
+                        + " Possible attack. Act accordingly.",
+                        self.get_remote_ip(),
+                    )
                if java_selection != "java":
                    if (
                        self.helper.is_os_windows()