From 597196ad3e40e51b84fa2115b205a0376aa17d7b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Anders=20G=2E=20J=C3=B8rgensen?= Date: Sat, 11 Apr 2020 00:29:39 +0200 Subject: [PATCH 1/6] Fix server-description colspan --- resources/themes/pterodactyl/base/index.blade.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/resources/themes/pterodactyl/base/index.blade.php b/resources/themes/pterodactyl/base/index.blade.php index 8b44b48df..a4ed83277 100644 --- a/resources/themes/pterodactyl/base/index.blade.php +++ b/resources/themes/pterodactyl/base/index.blade.php @@ -78,7 +78,7 @@ @if (! empty($server->description)) -

{{ str_limit($server->description, 400) }}

+

{{ str_limit($server->description, 400) }}

@endif @endforeach From 78514f9eb494b43d6aa7ddf0248dedd55784bcaa Mon Sep 17 00:00:00 2001 From: Dane Everitt Date: Sun, 26 Jul 2020 11:26:20 -0700 Subject: [PATCH 2/6] Disallow creating more than 5 account API keys; closes #2123 Additional fixes for https://github.com/pterodactyl/panel/security/advisories/GHSA-pjmh-7xfm-r4x9 --- app/Http/Controllers/Base/AccountKeyController.php | 11 +++++++---- app/Http/Controllers/Base/ClientApiController.php | 11 +++++++++++ 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/app/Http/Controllers/Base/AccountKeyController.php b/app/Http/Controllers/Base/AccountKeyController.php index 7161b4abf..ee1a56832 100644 --- a/app/Http/Controllers/Base/AccountKeyController.php +++ b/app/Http/Controllers/Base/AccountKeyController.php @@ -82,10 +82,13 @@ class AccountKeyController extends Controller */ public function store(StoreAccountKeyRequest $request) { - if ($this->repository->findCountWhere(['user_id' => $request->user()->id]) >= 5) { - throw new DisplayException( - 'Cannot assign more than 5 API keys to an account.' - ); + $count = $this->repository->findCountWhere([ + ['user_id', '=', $request->user()->id], + ['key_type', '=', ApiKey::TYPE_ACCOUNT], + ]); + + if ($count >= 5) { + throw new DisplayException('Cannot assign more than 5 API keys to an account.'); } $this->keyService->setKeyType(ApiKey::TYPE_ACCOUNT)->handle([ diff --git a/app/Http/Controllers/Base/ClientApiController.php b/app/Http/Controllers/Base/ClientApiController.php index a74c28db8..94872ff0c 100644 --- a/app/Http/Controllers/Base/ClientApiController.php +++ b/app/Http/Controllers/Base/ClientApiController.php @@ -8,6 +8,7 @@ use Illuminate\Http\Response; use Pterodactyl\Models\ApiKey; use Illuminate\Http\RedirectResponse; use Prologue\Alerts\AlertsMessageBag; +use Pterodactyl\Exceptions\DisplayException; use Pterodactyl\Http\Controllers\Controller; use Pterodactyl\Services\Api\KeyCreationService; use Pterodactyl\Http\Requests\Base\CreateClientApiKeyRequest; @@ -73,10 +74,20 @@ class ClientApiController extends Controller * @param \Pterodactyl\Http\Requests\Base\CreateClientApiKeyRequest $request * @return \Illuminate\Http\RedirectResponse * + * @throws \Pterodactyl\Exceptions\DisplayException * @throws \Pterodactyl\Exceptions\Model\DataValidationException */ public function store(CreateClientApiKeyRequest $request): RedirectResponse { + $count = $this->repository->findCountWhere([ + ['user_id', '=', $request->user()->id], + ['key_type', '=', ApiKey::TYPE_ACCOUNT], + ]); + + if ($count >= 5) { + throw new DisplayException('Cannot assign more than 5 API keys to an account.'); + } + $allowedIps = null; if (! is_null($request->input('allowed_ips'))) { $allowedIps = json_encode(explode(PHP_EOL, $request->input('allowed_ips'))); From 6d69f6ef479d076afd7e996f22939a675f393c8c Mon Sep 17 00:00:00 2001 From: Dane Everitt Date: Sun, 26 Jul 2020 11:40:48 -0700 Subject: [PATCH 3/6] Address security vulnerability when listing servers as a client --- .../Eloquent/ServerRepository.php | 25 +++++++++++-------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/app/Repositories/Eloquent/ServerRepository.php b/app/Repositories/Eloquent/ServerRepository.php index 820093cf4..4612d86ed 100644 --- a/app/Repositories/Eloquent/ServerRepository.php +++ b/app/Repositories/Eloquent/ServerRepository.php @@ -225,18 +225,23 @@ class ServerRepository extends EloquentRepository implements ServerRepositoryInt $instance->where('owner_id', $user->id); } - // If set to all, display all servers they can access, including - // those they access as an admin. If set to subuser, only return - // the servers they can access because they are owner, or marked - // as a subuser of the server. - elseif (($level === User::FILTER_LEVEL_ALL && ! $user->root_admin) || $level === User::FILTER_LEVEL_SUBUSER) { - $instance->whereIn('id', $this->getUserAccessServers($user->id)); + // Only allow these two filters if the user is an administrator. + elseif ($user->root_admin && in_array($level, [ User::FILTER_LEVEL_ALL, User::FILTER_LEVEL_ADMIN ])) { + // We specifically only match admin in here. If they request all servers and are a root admin + // we just won't append any filters to the builder and thus they'll be able to see everything + // since this will skip over that final else block. + if ($level === User::FILTER_LEVEL_ADMIN) { + $instance->whereNotIn('id', $this->getUserAccessServers($user->id)); + } } - // If set to admin, only display the servers a user can access - // as an administrator (leaves out owned and subuser of). - elseif ($level === User::FILTER_LEVEL_ADMIN && $user->root_admin) { - $instance->whereNotIn('id', $this->getUserAccessServers($user->id)); + // If we did not match on the user being an administrator and requesting all/admin only or the user + // is not an admin and requested those locked endpoints, just return all of the servers the user actually + // has access to. + // + // @see https://github.com/pterodactyl/panel/security/advisories/GHSA-6888-7f3w-92jx + else { + $instance->whereIn('id', $this->getUserAccessServers($user->id)); } $instance->search($this->getSearchTerm()); From dcf5cb3cd3e0fe4d05db35acce201cc3e7d477bf Mon Sep 17 00:00:00 2001 From: Dane Everitt Date: Sun, 26 Jul 2020 11:58:27 -0700 Subject: [PATCH 4/6] Update changelog --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 36586d886..f5d7d93d1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,11 @@ This file is a running track of new features and fixes to each version of the pa This project follows [Semantic Versioning](http://semver.org) guidelines. +## v0.7.18 (Derelict Dermodactylus) +### Fixed +* **[Security]** Re-addressed missed endpoint that would not properly limit a user account to 5 API keys. +* **[Security]** Addresses a Client API vulnerability that would allow a user to list all servers on the system ([`GHSA-6888-7f3w-92jx`](https://github.com/pterodactyl/panel/security/advisories/GHSA-6888-7f3w-92jx)) + ## v0.7.17 (Derelict Dermodactylus) ### Fixed * Limited accounts to 5 API keys at a time. From 1cd08e2f8d52b9cc9a537f0e8ab731d61b393208 Mon Sep 17 00:00:00 2001 From: Stepan Fedotov Date: Sat, 3 Oct 2020 19:55:35 +0300 Subject: [PATCH 5/6] Fix XSS in server owner selection (#2441) Co-authored-by: Stepan Fedotov Co-authored-by: Sergej --- CHANGELOG.md | 4 ++++ .../themes/pterodactyl/js/admin/new-server.js | 18 ++++++++++++------ .../admin/servers/view/details.blade.php | 18 ++++++++++++------ 3 files changed, 28 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f5d7d93d1..8958e82be 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,10 @@ This file is a running track of new features and fixes to each version of the pa This project follows [Semantic Versioning](http://semver.org) guidelines. +## v0.7.19 (Derelict Dermodactylus) +### Fixed +* **[Security]** Fixes XSS in the admin area's server owner selection. + ## v0.7.18 (Derelict Dermodactylus) ### Fixed * **[Security]** Re-addressed missed endpoint that would not properly limit a user account to 5 API keys. diff --git a/public/themes/pterodactyl/js/admin/new-server.js b/public/themes/pterodactyl/js/admin/new-server.js index 97f05487b..b94e804d7 100644 --- a/public/themes/pterodactyl/js/admin/new-server.js +++ b/public/themes/pterodactyl/js/admin/new-server.js @@ -37,6 +37,12 @@ $(document).ready(function() { placeholder: 'Select Additional Allocations', }); + function escapeHtml(str) { + var div = document.createElement('div'); + div.appendChild(document.createTextNode(str)); + return div.innerHTML; + } + $('#pUserId').select2({ ajax: { url: Router.route('admin.users.json'), @@ -56,23 +62,23 @@ $(document).ready(function() { escapeMarkup: function (markup) { return markup; }, minimumInputLength: 2, templateResult: function (data) { - if (data.loading) return data.text; + if (data.loading) return escapeHtml(data.text); return '
\ - User Image \ + User Image \ \ - ' + data.name_first + ' ' + data.name_last +' \ + ' + escapeHtml(data.name_first) + ' ' + escapeHtml(data.name_last) +' \ \ - ' + data.email + ' - ' + data.username + ' \ + ' + escapeHtml(data.email) + ' - ' + escapeHtml(data.username) + ' \
'; }, templateSelection: function (data) { return '
\ \ - User Image \ + User Image \ \ \ - ' + data.name_first + ' ' + data.name_last + ' (' + data.email + ') \ + ' + escapeHtml(data.name_first) + ' ' + escapeHtml(data.name_last) + ' (' + escapeHtml(data.email) + ') \ \
'; } diff --git a/resources/themes/pterodactyl/admin/servers/view/details.blade.php b/resources/themes/pterodactyl/admin/servers/view/details.blade.php index a84a9144c..5eb8d2055 100644 --- a/resources/themes/pterodactyl/admin/servers/view/details.blade.php +++ b/resources/themes/pterodactyl/admin/servers/view/details.blade.php @@ -83,6 +83,12 @@ @section('footer-scripts') @parent