Fix security vulnerability in file manager allowing XSS attack

Author: DaneEveritt

CHANGELOG.md

@@ -3,6 +3,17 @@ This file is a running track of new features and fixes to each version of the pa
 
 This project follows [Semantic Versioning](http://semver.org) guidelines.
 
+## v0.7.14 (Derelict Dermodactylus)
+### Fixed
+* **[SECURITY]** Fixes an XSS vulnerability when performing certain actions in the file manager.
+
+### Changed
+* Support for setting a node to listen on ports lower than 1024.
+* Regenerated database passwords now respect the same settings that were used when initially created.
+* Cleaned up 2FA QR code generation to use a more up-to-date library and API.
+* Console charts now properly start at 0 and scale based on server configuration. No more crazy spikes that
+are due to a change of one unit.
+
 ## v0.7.13 (Derelict Dermodactylus)
 ### Fixed
 * Fixes a bug with the location update API endpoint throwing an error due to an unexected response value.

README.md

@@ -1,4 +1,4 @@
-[![Logo Image](https://cdn.pterodactyl.io/logos/Banner%20Logo%20Black@2x.png)](https://pterodactyl.io)
+[![Logo Image](https://cdn.pterodactyl.io/logos/new/pterodactyl_logo.png)](https://pterodactyl.io)
 
 [![Build status](https://img.shields.io/travis/pterodactyl/panel/develop.svg?style=flat-square)](https://travis-ci.org/pterodactyl/panel)
 [![StyleCI](https://styleci.io/repos/47508644/shield?branch=develop)](https://styleci.io/repos/47508644)

public/themes/pterodactyl/js/frontend/files/filemanager.min.js

@@ -29,6 +29,10 @@ class ActionsClass {
         this.element = undefined;
     }
 
+    sanitizedString(value) {
+        return $('<div>').text(value).html();
+    }
+
     folder(path) {
         let inputValue
         if (path) {
@@ -296,7 +300,7 @@ class ActionsClass {
         swal({
             type: 'warning',
             title: '',
-            text: 'Are you sure you want to delete <code>' + delName + '</code>?',
+            text: 'Are you sure you want to delete <code>' + this.sanitizedString(delName) + '</code>?',
             html: true,
             showCancelButton: true,
             showConfirmButton: true,
@@ -394,7 +398,7 @@ class ActionsClass {
             let formattedItems = "";
             let i = 0;
             $.each(selectedItems, function(key, value) {
-                formattedItems += ("<code>" + value + "</code>, ");
+                formattedItems += ("<code>" + this.sanitizedString(value) + "</code>, ");
                 i++;
                 return i < 5;
             });
@@ -407,7 +411,7 @@ class ActionsClass {
             swal({
                 type: 'warning',
                 title: '',
-                text: 'Are you sure you want to delete the following files: ' + formattedItems + '?',
+                text: 'Are you sure you want to delete the following files: ' + this.sanitizedString(formattedItems) + '?',
                 html: true,
                 showCancelButton: true,
                 showConfirmButton: true,
@@ -536,7 +540,7 @@ class ActionsClass {
                 type: 'error',
                 title: 'Whoops!',
                 html: true,
-                text: error
+                text: this.sanitizedString(error)
             });
         });
     }

public/themes/pterodactyl/js/frontend/files/filemanager.min.js.map

@@ -62,7 +62,7 @@ class ContextMenuClass {
 
         if (Pterodactyl.permissions.createFiles) {
             buildMenu += '<li class="divider"></li> \
-                          <li data-action="file"><a href="/server/'+ Pterodactyl.server.uuidShort +'/files/add/?dir=' + newFilePath + '" class="text-muted"><i class="fa fa-fw fa-plus"></i> New File</a></li> \
+                          <li data-action="file"><a href="/server/'+ Pterodactyl.server.uuidShort +'/files/add/?dir=' + $('<div>').text(newFilePath).html() + '" class="text-muted"><i class="fa fa-fw fa-plus"></i> New File</a></li> \
                           <li data-action="folder"><a tabindex="-1" href="#"><i class="fa fa-fw fa-folder"></i> New Folder</a></li>';
         }
 

public/themes/pterodactyl/js/frontend/files/src/actions.js

@@ -44,7 +44,7 @@
     {!! Theme::js('vendor/lodash/lodash.js') !!}
     {!! Theme::js('vendor/siofu/client.min.js') !!}
     @if(App::environment('production'))
-        {!! Theme::js('js/frontend/files/filemanager.min.js?updated-cancel-buttons') !!}
+        {!! Theme::js('js/frontend/files/filemanager.min.js?hash=cd7ec731dc633e23ec36144929a237d18c07d2f0') !!}
     @else
         {!! Theme::js('js/frontend/files/src/index.js') !!}
         {!! Theme::js('js/frontend/files/src/contextmenu.js') !!}