Skynet/misc_pterodactyl-panel
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'release/v0.7.14'

Browse source
This commit is contained in:
Dane Everitt 2019-06-29 12:29:04 -07:00
commit c741a1e41e
No known key found for this signature in database
GPG key ID: EEA66103B3D71F53
23 changed files with 144 additions and 84 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
CHANGELOG.md
View file

@ -3,6 +3,21 @@ This file is a running track of new features and fixes to each version of the pa
This project follows [Semantic Versioning](http://semver.org) guidelines.
## v0.7.14 (Derelict Dermodactylus)
### Fixed
* **[SECURITY]** Fixes an XSS vulnerability when performing certain actions in the file manager.
* **[SECURITY]** Attempting to login as a user who has 2FA enabled will no longer request the 2FA token before validating
that their password is correct. This closes a user existence leak that would expose that an account exists if
it had 2FA enabled.
### Changed
* Support for setting a node to listen on ports lower than 1024.
* QR code URLs are now generated without the use of an external library to reduce the dependency tree.
* Regenerated database passwords now respect the same settings that were used when initially created.
* Cleaned up 2FA QR code generation to use a more up-to-date library and API.
* Console charts now properly start at 0 and scale based on server configuration. No more crazy spikes that
are due to a change of one unit.
## v0.7.13 (Derelict Dermodactylus)
### Fixed
* Fixes a bug with the location update API endpoint throwing an error due to an unexected response value.

2
README.md
View file

@ -1,4 +1,4 @@
[![Logo Image](https://cdn.pterodactyl.io/logos/Banner%20Logo%20Black@2x.png)](https://pterodactyl.io)
[![Logo Image](https://cdn.pterodactyl.io/logos/new/pterodactyl_logo.png)](https://pterodactyl.io)
[![Build status](https://img.shields.io/travis/pterodactyl/panel/develop.svg?style=flat-square)](https://travis-ci.org/pterodactyl/panel)
[![StyleCI](https://styleci.io/repos/47508644/shield?branch=develop)](https://styleci.io/repos/47508644)

2
app/Http/Controllers/Admin/ServersController.php
View file

@ -599,7 +599,7 @@ class ServersController extends Controller
['id', '=', $request->input('database')],
]);
$this->databasePasswordService->handle($database, str_random(20));
$this->databasePasswordService->handle($database, str_random(24));
return response('', 204);
}

24
app/Http/Controllers/Auth/LoginController.php
View file

@ -126,21 +126,20 @@ class LoginController extends Controller
return $this->sendFailedLoginResponse($request);
}
$validCredentials = password_verify($request->input('password'), $user->password);
if (! password_verify($request->input('password'), $user->password)) {
return $this->sendFailedLoginResponse($request, $user);
}
if ($user->use_totp) {
$token = str_random(64);
$this->cache->put($token, ['user_id' => $user->id, 'valid_credentials' => $validCredentials], 5);
$this->cache->put($token, ['user_id' => $user->id, 'valid_credentials' => true], 5);
return redirect()->route('auth.totp')->with('authentication_token', $token);
}
if ($validCredentials) {
$this->auth->guard()->login($user, true);
$this->auth->guard()->login($user, true);
return $this->sendLoginResponse($request);
}
return $this->sendFailedLoginResponse($request, $user);
return $this->sendLoginResponse($request);
}
/**
@ -161,12 +160,13 @@ class LoginController extends Controller
/**
* Handle a login where the user is required to provide a TOTP authentication
* token. In order to add additional layers of security, users are not
* informed of an incorrect password until this stage, forcing them to
* provide a token on each login attempt.
* token.
*
* @param \Illuminate\Http\Request $request
* @return \Illuminate\Http\RedirectResponse|\Illuminate\Http\Response
* @throws \PragmaRX\Google2FA\Exceptions\IncompatibleWithGoogleAuthenticatorException
* @throws \PragmaRX\Google2FA\Exceptions\InvalidCharactersException
* @throws \PragmaRX\Google2FA\Exceptions\SecretKeyTooShortException
*/
public function loginUsingTotp(Request $request)
{
@ -181,7 +181,7 @@ class LoginController extends Controller
return $this->sendFailedLoginResponse($request);
}
if (is_null($request->input('2fa_token')) || ! array_get($cache, 'valid_credentials')) {
if (is_null($request->input('2fa_token'))) {
return $this->sendFailedLoginResponse($request, $user);
}

4
app/Http/Controllers/Base/SecurityController.php
View file

@ -90,8 +90,10 @@ class SecurityController extends Controller
*/
public function generateTotp(Request $request)
{
$totpData = $this->twoFactorSetupService->handle($request->user());
return response()->json([
'qrImage' => $this->twoFactorSetupService->handle($request->user()),
'qrImage' => 'https://api.qrserver.com/v1/create-qr-code/?size=200x200&data=' . $totpData,
]);
}

2
app/Http/Controllers/Server/DatabaseController.php
View file

@ -142,7 +142,7 @@ class DatabaseController extends Controller
{
$this->authorize('reset-db-password', $request->attributes->get('server'));
$password = str_random(20);
$password = str_random(24);
$this->passwordService->handle($request->attributes->get('database'), $password);
return response()->json(['password' => $password]);

4
app/Models/Node.php
View file

@ -110,8 +110,8 @@ class Node extends Model implements CleansAttributes, ValidableContract
'disk' => 'numeric|min:1',
'disk_overallocate' => 'numeric|min:-1',
'daemonBase' => 'regex:/^([\/][\d\w.\-\/]+)$/',
'daemonSFTP' => 'numeric|between:1024,65535',
'daemonListen' => 'numeric|between:1024,65535',
'daemonSFTP' => 'numeric|between:1,65535',
'daemonListen' => 'numeric|between:1,65535',
'maintenance_mode' => 'boolean',
'upload_size' => 'int|between:1,1024',
];

2
app/Services/Databases/DatabaseManagementService.php
View file

@ -69,7 +69,7 @@ class DatabaseManagementService
$data['server_id'] = $server;
$data['database'] = sprintf('s%d_%s', $server, $data['database']);
$data['username'] = sprintf('u%d_%s', $server, str_random(10));
$data['password'] = $this->encrypter->encrypt(str_random(16));
$data['password'] = $this->encrypter->encrypt(str_random(24));
$this->database->beginTransaction();
try {

42
app/Services/Users/TwoFactorSetupService.php
View file

@ -1,22 +1,18 @@
<?php
/**
* Pterodactyl - Panel
* Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>.
*
* This software is licensed under the terms of the MIT license.
* https://opensource.org/licenses/MIT
*/
namespace Pterodactyl\Services\Users;
use Exception;
use RuntimeException;
use Pterodactyl\Models\User;
use PragmaRX\Google2FA\Google2FA;
use Illuminate\Contracts\Encryption\Encrypter;
use Pterodactyl\Contracts\Repository\UserRepositoryInterface;
use Illuminate\Contracts\Config\Repository as ConfigRepository;
class TwoFactorSetupService
{
const VALID_BASE32_CHARACTERS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
/**
* @var \Illuminate\Contracts\Config\Repository
*/
@ -27,11 +23,6 @@ class TwoFactorSetupService
*/
private $encrypter;
/**
* @var \PragmaRX\Google2FA\Google2FA
*/
private $google2FA;
/**
* @var \Pterodactyl\Contracts\Repository\UserRepositoryInterface
*/
@ -42,24 +33,22 @@ class TwoFactorSetupService
*
* @param \Illuminate\Contracts\Config\Repository $config
* @param \Illuminate\Contracts\Encryption\Encrypter $encrypter
* @param \PragmaRX\Google2FA\Google2FA $google2FA
* @param \Pterodactyl\Contracts\Repository\UserRepositoryInterface $repository
*/
public function __construct(
ConfigRepository $config,
Encrypter $encrypter,
Google2FA $google2FA,
UserRepositoryInterface $repository
) {
$this->config = $config;
$this->encrypter = $encrypter;
$this->google2FA = $google2FA;
$this->repository = $repository;
}
/**
* Generate a 2FA token and store it in the database before returning the
* QR code image.
* QR code URL. This URL will need to be attached to a QR generating service in
* order to function.
*
* @param \Pterodactyl\Models\User $user
* @return string
@ -69,13 +58,26 @@ class TwoFactorSetupService
*/
public function handle(User $user): string
{
$secret = $this->google2FA->generateSecretKey($this->config->get('pterodactyl.auth.2fa.bytes'));
$image = $this->google2FA->getQRCodeGoogleUrl($this->config->get('app.name'), $user->email, $secret);
$secret = '';
try {
for ($i = 0; $i < $this->config->get('pterodactyl.auth.2fa.bytes', 16); $i++) {
$secret .= substr(self::VALID_BASE32_CHARACTERS, random_int(0, 31), 1);
}
} catch (Exception $exception) {
throw new RuntimeException($exception->getMessage(), 0, $exception);
}
$this->repository->withoutFreshModel()->update($user->id, [
'totp_secret' => $this->encrypter->encrypt($secret),
]);
return $image;
$company = $this->config->get('app.name');
return sprintf(
'otpauth://totp/%1$s:%2$s?secret=%3$s&issuer=%1$s',
rawurlencode($company),
rawurlencode($user->email),
rawurlencode($secret)
);
}
}

2
composer.json
View file

@ -29,7 +29,7 @@
"lord/laroute": "^2.4",
"matriphe/iso-639": "^1.2",
"nesbot/carbon": "^1.22",
"pragmarx/google2fa": "^2.0",
"pragmarx/google2fa": "^5.0",
"predis/predis": "^1.1",
"prologue/alerts": "^0.4",
"ramsey/uuid": "^3.7",

23
composer.lock generated
View file

@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically"
],
"content-hash": "2079d9e659d2f26492c9931277bd1f25",
"content-hash": "8a99f4996405b8080a0dcabb2609c39d",
"packages": [
{
"name": "appstract/laravel-blade-directives",
@ -2108,31 +2108,27 @@
},
{
"name": "pragmarx/google2fa",
"version": "v2.0.7",
"version": "v5.0.0",
"source": {
"type": "git",
"url": "https://github.com/antonioribeiro/google2fa.git",
"reference": "5a818bda62fab0c0a79060b06d50d50b5525d631"
"reference": "17c969c82f427dd916afe4be50bafc6299aef1b4"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/antonioribeiro/google2fa/zipball/5a818bda62fab0c0a79060b06d50d50b5525d631",
"reference": "5a818bda62fab0c0a79060b06d50d50b5525d631",
"url": "https://api.github.com/repos/antonioribeiro/google2fa/zipball/17c969c82f427dd916afe4be50bafc6299aef1b4",
"reference": "17c969c82f427dd916afe4be50bafc6299aef1b4",
"shasum": ""
},
"require": {
"paragonie/constant_time_encoding": "~1.0|~2.0",
"paragonie/random_compat": "~1.4|~2.0",
"paragonie/random_compat": ">=1",
"php": ">=5.4",
"symfony/polyfill-php56": "~1.2"
},
"require-dev": {
"bacon/bacon-qr-code": "~1.0",
"phpunit/phpunit": "~4|~5|~6"
},
"suggest": {
"bacon/bacon-qr-code": "Required to generate inline QR Codes."
},
"type": "library",
"extra": {
"component": "package",
@ -2148,7 +2144,7 @@
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"BSD-3-Clause"
"MIT"
],
"authors": [
{
@ -2162,10 +2158,9 @@
"2fa",
"Authentication",
"Two Factor Authentication",
"google2fa",
"laravel"
"google2fa"
],
"time": "2018-01-06T16:21:07+00:00"
"time": "2019-03-19T22:44:16+00:00"
},
{
"name": "predis/predis",

2
config/app.php
View file

@ -9,7 +9,7 @@ return [
| change this value if you are not maintaining your own internal versions.
*/
'version' => '0.7.13',
'version' => '0.7.14',
/*
|--------------------------------------------------------------------------

1
config/pterodactyl.php
View file

@ -1,6 +1,5 @@
<?php
return [
/*
|--------------------------------------------------------------------------

6
database/seeds/eggs/voice-servers/egg-teamspeak3-server.json
View file

@ -3,7 +3,7 @@
"meta": {
"version": "PTDL_v1"
},
"exported_at": "2018-10-28T20:50:23+01:00",
"exported_at": "2019-05-01T16:35:15+00:00",
"name": "Teamspeak3 Server",
"author": "support@pterodactyl.io",
"description": "VoIP software designed with security in mind, featuring crystal clear voice quality, endless customization options, and scalabilty up to thousands of simultaneous users.",
@ -27,10 +27,10 @@
"name": "Server Version",
"description": "The version of Teamspeak 3 to use when running the server.",
"env_variable": "TS_VERSION",
"default_value": "3.5.0",
"default_value": "3.7.1",
"user_viewable": 1,
"user_editable": 1,
"rules": "required|regex:\/^([0-9_\\.-]{5,10})$\/"
}
]
}
}

39
public/themes/pterodactyl/js/frontend/console.js
View file

@ -255,6 +255,31 @@ $(document).ready(function () {
TimeLabels.push($.format.date(new Date(), 'HH:mm:ss'));
// memory.cmax is the maximum given by the container
// memory.amax is given by the json config
// use the maximum of both
// with no limit memory.cmax will always be higher
// but with limit memory.amax is sometimes still smaller than memory.total
MemoryChart.config.options.scales.yAxes[0].ticks.max = Math.max(proc.data.memory.cmax, proc.data.memory.amax) / (1000 * 1000);
if (Pterodactyl.server.cpu > 0) {
// if there is a cpu limit defined use 100% as maximum
CPUChart.config.options.scales.yAxes[0].ticks.max = 100;
} else {
// if there is no cpu limit defined use linux percentage
// and find maximum in all values
var maxCpu = 1;
for(var i = 0; i < CPUData.length; i++) {
maxCpu = Math.max(maxCpu, parseFloat(CPUData[i]))
}
maxCpu = Math.ceil(maxCpu / 100) * 100;
CPUChart.config.options.scales.yAxes[0].ticks.max = maxCpu;
}
CPUChart.update();
MemoryChart.update();
});
@ -301,6 +326,13 @@ $(document).ready(function () {
},
animation: {
duration: 1,
},
scales: {
yAxes: [{
ticks: {
beginAtZero: true
}
}]
}
}
});
@ -346,6 +378,13 @@ $(document).ready(function () {
},
animation: {
duration: 1,
},
scales: {
yAxes: [{
ticks: {
beginAtZero: true
}
}]
}
}
});

4
public/themes/pterodactyl/js/frontend/files/filemanager.min.js vendored
View file

File diff suppressed because one or more lines are too long

2
public/themes/pterodactyl/js/frontend/files/filemanager.min.js.map
View file

File diff suppressed because one or more lines are too long

12
public/themes/pterodactyl/js/frontend/files/src/actions.js
View file

@ -29,6 +29,10 @@ class ActionsClass {
this.element = undefined;
}
sanitizedString(value) {
return $('<div>').text(value).html();
}
folder(path) {
let inputValue
if (path) {
@ -296,7 +300,7 @@ class ActionsClass {
swal({
type: 'warning',
title: '',
text: 'Are you sure you want to delete <code>' + delName + '</code>?',
text: 'Are you sure you want to delete <code>' + this.sanitizedString(delName) + '</code>?',
html: true,
showCancelButton: true,
showConfirmButton: true,
@ -394,7 +398,7 @@ class ActionsClass {
let formattedItems = "";
let i = 0;
$.each(selectedItems, function(key, value) {
formattedItems += ("<code>" + value + "</code>, ");
formattedItems += ("<code>" + this.sanitizedString(value) + "</code>, ");
i++;
return i < 5;
});
@ -407,7 +411,7 @@ class ActionsClass {
swal({
type: 'warning',
title: '',
text: 'Are you sure you want to delete the following files: ' + formattedItems + '?',
text: 'Are you sure you want to delete the following files: ' + this.sanitizedString(formattedItems) + '?',
html: true,
showCancelButton: true,
showConfirmButton: true,
@ -536,7 +540,7 @@ class ActionsClass {
type: 'error',
title: 'Whoops!',
html: true,
text: error
text: this.sanitizedString(error)
});
});
}

2
public/themes/pterodactyl/js/frontend/files/src/contextmenu.js
View file

@ -62,7 +62,7 @@ class ContextMenuClass {
if (Pterodactyl.permissions.createFiles) {
buildMenu += '<li class="divider"></li> \
<li data-action="file"><a href="/server/'+ Pterodactyl.server.uuidShort +'/files/add/?dir=' + newFilePath + '" class="text-muted"><i class="fa fa-fw fa-plus"></i> New File</a></li> \
<li data-action="file"><a href="/server/'+ Pterodactyl.server.uuidShort +'/files/add/?dir=' + $('<div>').text(newFilePath).html() + '" class="text-muted"><i class="fa fa-fw fa-plus"></i> New File</a></li> \
<li data-action="folder"><a tabindex="-1" href="#"><i class="fa fa-fw fa-folder"></i> New Folder</a></li>';
}

2
resources/themes/pterodactyl/partials/admin/settings/notice.blade.php
View file

@ -3,7 +3,7 @@
<div class="row">
<div class="col-xs-12">
<div class="alert alert-danger">
Your Panel is currently configured to read settings from the environment only. You will need to set <code>LOAD_ENVIRONMENT_ONLY=false</code> in your environment file in order to load settings dynamically.
Your Panel is currently configured to read settings from the environment only. You will need to set <code>APP_ENVIRONMENT_ONLY=false</code> in your environment file in order to load settings dynamically.
</div>
</div>
</div>

2
resources/themes/pterodactyl/server/files/index.blade.php
View file

@ -44,7 +44,7 @@
{!! Theme::js('vendor/lodash/lodash.js') !!}
{!! Theme::js('vendor/siofu/client.min.js') !!}
@if(App::environment('production'))
{!! Theme::js('js/frontend/files/filemanager.min.js?updated-cancel-buttons') !!}
{!! Theme::js('js/frontend/files/filemanager.min.js?hash=cd7ec731dc633e23ec36144929a237d18c07d2f0') !!}
@else
{!! Theme::js('js/frontend/files/src/index.js') !!}
{!! Theme::js('js/frontend/files/src/contextmenu.js') !!}

2
tests/Unit/Http/Controllers/Base/SecurityControllerTest.php
View file

@ -95,7 +95,7 @@ class SecurityControllerTest extends ControllerTestCase
$response = $this->getController()->generateTotp($this->request);
$this->assertIsJsonResponse($response);
$this->assertResponseJsonEquals(['qrImage' => 'qrCodeImage'], $response);
$this->assertResponseJsonEquals(['qrImage' => 'https://api.qrserver.com/v1/create-qr-code/?size=200x200&data=qrCodeImage'], $response);
}
/**

32
tests/Unit/Services/Users/TwoFactorSetupServiceTest.php
View file

@ -5,7 +5,6 @@ namespace Tests\Unit\Services\Users;
use Mockery as m;
use Tests\TestCase;
use Pterodactyl\Models\User;
use PragmaRX\Google2FA\Google2FA;
use Illuminate\Contracts\Config\Repository;
use Illuminate\Contracts\Encryption\Encrypter;
use Pterodactyl\Services\Users\TwoFactorSetupService;
@ -23,11 +22,6 @@ class TwoFactorSetupServiceTest extends TestCase
*/
private $encrypter;
/**
* @var \PragmaRX\Google2FA\Google2FA|\Mockery\Mock
*/
private $google2FA;
/**
* @var \Pterodactyl\Contracts\Repository\UserRepositoryInterface|\Mockery\Mock
*/
@ -42,7 +36,6 @@ class TwoFactorSetupServiceTest extends TestCase
$this->config = m::mock(Repository::class);
$this->encrypter = m::mock(Encrypter::class);
$this->google2FA = m::mock(Google2FA::class);
$this->repository = m::mock(UserRepositoryInterface::class);
}
@ -53,16 +46,27 @@ class TwoFactorSetupServiceTest extends TestCase
{
$model = factory(User::class)->make();
$this->config->shouldReceive('get')->with('pterodactyl.auth.2fa.bytes')->once()->andReturn(32);
$this->google2FA->shouldReceive('generateSecretKey')->with(32)->once()->andReturn('secretKey');
$this->config->shouldReceive('get')->with('app.name')->once()->andReturn('CompanyName');
$this->google2FA->shouldReceive('getQRCodeGoogleUrl')->with('CompanyName', $model->email, 'secretKey')->once()->andReturn('http://url.com');
$this->encrypter->shouldReceive('encrypt')->with('secretKey')->once()->andReturn('encryptedSecret');
$this->config->shouldReceive('get')->with('pterodactyl.auth.2fa.bytes', 16)->andReturn(32);
$this->config->shouldReceive('get')->with('app.name')->andReturn('Company Name');
$this->encrypter->shouldReceive('encrypt')
->with(m::on(function ($value) {
return preg_match('/([A-Z234567]{32})/', $value) !== false;
}))
->once()
->andReturn('encryptedSecret');
$this->repository->shouldReceive('withoutFreshModel->update')->with($model->id, ['totp_secret' => 'encryptedSecret'])->once()->andReturnNull();
$response = $this->getService()->handle($model);
$this->assertNotEmpty($response);
$this->assertSame('http://url.com', $response);
$companyName = preg_quote(rawurlencode('Company Name'));
$email = preg_quote(rawurlencode($model->email));
$this->assertRegExp(
'/otpauth:\/\/totp\/' . $companyName . ':' . $email . '\?secret=([A-Z234567]{32})&issuer=' . $companyName . '/',
$response
);
}
/**
@ -72,6 +76,6 @@ class TwoFactorSetupServiceTest extends TestCase
*/
private function getService(): TwoFactorSetupService
{
return new TwoFactorSetupService($this->config, $this->encrypter, $this->google2FA, $this->repository);
return new TwoFactorSetupService($this->config, $this->encrypter, $this->repository);
}
}