Merge branch 'develop' into showunlimited

Author: notAreYouScared

SECURITY.md

@@ -0,0 +1,19 @@
+# Security Policy
+
+## Supported Versions
+The following versions of Pterodactyl are receiving active support and maintenance. Any security vulnerabilities discovered must be reproducible in supported versions.
+
+| Panel | Daemon       | Supported          |
+| ----- | ------------ | ------------------ |
+| 1.0.x | wings@1.0.x  | :white_check_mark: |
+| 0.7.x | daemon@0.6.x | :white_check_mark: |
+| 0.6.x | daemon@0.5.x | :x:                |
+| 0.5.x | daemon@0.4.x | :x:                |
+
+## Reporting a Vulnerability
+
+Please reach out directly to any project team member on Discord when reporting a security vulnerability, or you can send an email to `dane [ät] pterodactyl.io`.
+
+We make every effort to respond as soon as possible, although it may take a day or two for us to sync internally and determine the severity of the report and its impact. Please, _do not_ use a public facing channel or GitHub issues to report sensitive security issues.
+
+As part of our process, we will create a security advisory for the affected versions and disclose it publicly, usually two to four weeks after a releasing a version that addresses it.

app/Http/Controllers/Admin/ServersController.php

@@ -323,6 +323,7 @@ public function newDatabase(StoreServerDatabaseRequest $request, $server)
             'database' => $request->input('database'),
             'remote' => $request->input('remote'),
             'database_host_id' => $request->input('database_host_id'),
+            'max_connections' => $request->input('max_connections'),
         ]);
 
         return redirect()->route('admin.servers.view.database', $server)->withInput();

app/Repositories/Wings/DaemonFileRepository.php

@@ -2,29 +2,13 @@
 
 namespace Pterodactyl\Repositories\Wings;
 
-use stdClass;
-use Exception;
 use Webmozart\Assert\Assert;
 use Pterodactyl\Models\Server;
 use Psr\Http\Message\ResponseInterface;
 use Pterodactyl\Exceptions\Http\Server\FileSizeTooLargeException;
 
 class DaemonFileRepository extends DaemonRepository
 {
-    /**
-     * Return stat information for a given file.
-     *
-     * @param string $path
-     * @return \stdClass
-     *
-     * @throws \Exception
-     * @throws \GuzzleHttp\Exception\TransferException
-     */
-    public function getFileStat(string $path): stdClass
-    {
-        throw new Exception('Function not implemented.');
-    }
-
     /**
      * Return the contents of a given file.
      *
@@ -55,29 +39,6 @@ public function getContent(string $path, int $notLargerThan = null): string
         return $response->getBody()->__toString();
     }
 
-    /**
-     * Returns a stream of a file's contents back to the calling function to allow
-     * proxying the request through the Panel rather than needing a direct call to
-     * the Daemon in order to work.
-     *
-     * @param string $path
-     * @return \Psr\Http\Message\ResponseInterface
-     */
-    public function streamContent(string $path): ResponseInterface
-    {
-        Assert::isInstanceOf($this->server, Server::class);
-
-        $response = $this->getHttpClient()->get(
-            sprintf('/api/servers/%s/files/contents', $this->server->uuid),
-            [
-                'query' => ['file' => $path, 'download' => true],
-                'stream' => true,
-            ]
-        );
-
-        return $response;
-    }
-
     /**
      * Save new contents to a given file. This works for both creating and updating
      * a file.
@@ -138,8 +99,8 @@ public function createDirectory(string $name, string $path): ResponseInterface
             sprintf('/api/servers/%s/files/create-directory', $this->server->uuid),
             [
                 'json' => [
-                    'name' => $name,
-                    'path' => $path,
+                    'name' => urldecode($name),
+                    'path' => urldecode($path),
                 ],
             ]
         );
@@ -160,8 +121,8 @@ public function renameFile(string $from, string $to): ResponseInterface
             sprintf('/api/servers/%s/files/rename', $this->server->uuid),
             [
                 'json' => [
-                    'rename_from' => $from,
-                    'rename_to' => $to,
+                    'rename_from' => urldecode($from),
+                    'rename_to' => urldecode($to),
                 ],
             ]
         );
@@ -181,7 +142,7 @@ public function copyFile(string $location): ResponseInterface
             sprintf('/api/servers/%s/files/copy', $this->server->uuid),
             [
                 'json' => [
-                    'location' => $location,
+                    'location' => urldecode($location),
                 ],
             ]
         );

database/seeds/eggs/minecraft/egg-forge-minecraft.json

@@ -3,7 +3,7 @@
     "meta": {
         "version": "PTDL_v1"
     },
-    "exported_at": "2019-02-10T22:57:27+01:00",
+    "exported_at": "2020-05-24T12:15:13-04:00",
     "name": "Forge Minecraft",
     "author": "support@pterodactyl.io",
     "description": "Minecraft Forge Server. Minecraft Forge is a modding API (Application Programming Interface), which makes it easier to create mods, and also make sure mods are compatible with each other.",
@@ -17,8 +17,8 @@
     },
     "scripts": {
         "installation": {
-            "script": "#!\/bin\/bash\r\n# Forge Installation Script\r\n#\r\n# Server Files: \/mnt\/server\r\napt update\r\napt install -y curl\r\n\r\n#Fetching version\r\nif [ -z \"$MC_VERSION\" ] || [ \"$MC_VERSION\" == \"latest\" ]; then\r\n  echo \"Fetching latest\"\r\n  MC_VERSION=$(curl -sl https:\/\/files.minecraftforge.net\/maven\/net\/minecraftforge\/forge\/index.html | grep -A 2 \"Latest\" | awk NF=NF RS= OFS=\" \" | grep -o -e '[1].[0-9]*.[0-9]* - [0-9]*.[0-9]*.[0-9]*.[0-9]*' | sed 's\/ \/\/g')\r\nelif [[ ! \"$MC_VERSION\" =~ - ]]; then\r\n  echo \"Fetching latest from version $MC_VERSION\"\r\n  MC_VERSION=$(curl -sl https:\/\/files.minecraftforge.net\/maven\/net\/minecraftforge\/forge\/index_$MC_VERSION.html | grep -A 2 \"Latest\" | awk NF=NF RS= OFS=\" \" | grep -o -e '[1].[0-9]*.[0-9]* - [0-9]*.[0-9]*.[0-9]*.[0-9]*' | sed 's\/ \/\/g')\r\nfi\r\n\r\n#Checking if forge version valid\r\nif [[ ! \"$MC_VERSION\" =~ [1].[0-9]*.[0-9]*-[0-9]*.[0-9]*.[0-9]*.[0-9]* ]]; then\r\n    echo \"!!! Invalid forge version \\\"$MC_VERSION\\\" !!!\"\r\n    exit\r\nfi\r\n\r\n#Go into main direction\r\ncd \/mnt\/server\r\n\r\n#Adding .jar when not eding by SERVER_JARFILE\r\nif [[ ! $SERVER_JARFILE = *\\.jar ]]; then\r\n  SERVER_JARFILE=\"$SERVER_JARFILE.jar\"\r\nfi\r\n\r\n#Downloading jars\r\necho -e \"Downloading forge version \\\"$MC_VERSION\\\"\"\r\ncurl -o installer.jar -sS https:\/\/files.minecraftforge.net\/maven\/net\/minecraftforge\/forge\/$MC_VERSION\/forge-$MC_VERSION-installer.jar\r\ncurl -o $SERVER_JARFILE -sS https:\/\/files.minecraftforge.net\/maven\/net\/minecraftforge\/forge\/$MC_VERSION\/forge-$MC_VERSION-universal.jar\r\n\r\n#Checking if downloaded jars exist\r\nif [ ! -f .\/installer.jar ] || [ ! -f .\/$SERVER_JARFILE ]; then\r\n    echo \"!!! Error by downloading forge version \\\"$MC_VERSION\\\" !!!\"\r\n    exit\r\nfi\r\n\r\n#Installing server\r\necho -e \"Installing forge server.\\n\"\r\njava -jar installer.jar --installServer\r\n\r\n#Deleting installer.jar\r\necho -e \"Deleting installer.jar file.\\n\"\r\nrm -rf installer.jar",
-            "container": "openjdk:8",
+            "script": "#!\/bin\/bash\r\n# Forge Installation Script\r\n#\r\n# Server Files: \/mnt\/server\r\napt update\r\napt install -y curl jq\r\n\r\n#Go into main direction\r\nif [ ! -d \/mnt\/server ]; then\r\n    mkdir \/mnt\/server\r\nfi\r\n\r\ncd \/mnt\/server\r\n\r\nif [ ! -z ${FORGE_VERSION} ]; then\r\n    DOWNLOAD_LINK=https:\/\/files.minecraftforge.net\/maven\/net\/minecraftforge\/forge\/${FORGE_VERSION}\/forge-${FORGE_VERSION}\r\nelse\r\n    JSON_DATA=$(curl -sSL https:\/\/files.minecraftforge.net\/maven\/net\/minecraftforge\/forge\/promotions_slim.json)\r\n\r\n    if [ \"${MC_VERSION}\" == \"latest\" ] || [ \"${MC_VERSION}\" == \"\" ] ; then\r\n        echo -e \"getting latest recommended version of forge.\"\r\n        MC_VERSION=$(echo -e ${JSON_DATA} | jq -r '.promos | del(.\"latest-1.7.10\") | del(.\"1.7.10-latest-1.7.10\") | to_entries[] | .key | select(contains(\"recommended\")) | split(\"-\")[0]' | sort -t. -k 1,1n -k 2,2n -k 3,3n -k 4,4n | tail -1)\r\n    \tBUILD_TYPE=recommended\r\n    fi\r\n\r\n    if [ \"${BUILD_TYPE}\" != \"recommended\" ] && [ \"${BUILD_TYPE}\" != \"latest\" ]; then\r\n        BUILD_TYPE=recommended\r\n    fi\r\n\r\n    echo -e \"minecraft version: ${MC_VERSION}\"\r\n    echo -e \"build type: ${BUILD_TYPE}\"\r\n\r\n    ## some variables for getting versions and things\r\n    FILE_SITE=$(echo -e ${JSON_DATA} | jq -r '.homepage' | sed \"s\/http:\/https:\/g\")\r\n    VERSION_KEY=$(echo -e ${JSON_DATA} | jq -r --arg MC_VERSION \"${MC_VERSION}\" --arg BUILD_TYPE \"${BUILD_TYPE}\" '.promos | del(.\"latest-1.7.10\") | del(.\"1.7.10-latest-1.7.10\") | to_entries[] | .key | select(contains($MC_VERSION)) | select(contains($BUILD_TYPE))')\r\n\r\n    ## locating the forge version\r\n    if [ \"${VERSION_KEY}\" == \"\" ] && [ \"${BUILD_TYPE}\" == \"recommended\" ]; then\r\n        echo -e \"dropping back to latest from recommended due to there not being a recommended version of forge for the mc version requested.\"\r\n        VERSION_KEY=$(echo -e ${JSON_DATA} | jq -r --arg MC_VERSION \"${MC_VERSION}\" '.promos | del(.\"latest-1.7.10\") | del(.\"1.7.10-latest-1.7.10\") | to_entries[] | .key | select(contains($MC_VERSION)) | select(contains(\"recommended\"))')\r\n    fi\r\n\r\n    ## Error if the mc version set wasn't valid.\r\n    if [ \"${VERSION_KEY}\" == \"\" ] || [ \"${VERSION_KEY}\" == \"null\" ]; then\r\n    \techo -e \"The install failed because there is no valid version of forge for the version on minecraft selected.\"\r\n    \texit 1\r\n    fi\r\n\r\n    FORGE_VERSION=$(echo -e ${JSON_DATA} | jq -r --arg VERSION_KEY \"$VERSION_KEY\" '.promos | .[$VERSION_KEY]')\r\n\r\n    if [ \"${MC_VERSION}\" == \"1.7.10\" ] || [ \"${MC_VERSION}\" == \"1.8.9\" ]; then\r\n        DOWNLOAD_LINK=${FILE_SITE}${MC_VERSION}-${FORGE_VERSION}-${MC_VERSION}\/forge-${MC_VERSION}-${FORGE_VERSION}-${MC_VERSION}\r\n        FORGE_JAR=forge-${MC_VERSION}-${FORGE_VERSION}-${MC_VERSION}.jar\r\n        if [ \"${MC_VERSION}\" == \"1.7.10\" ]; then\r\n            FORGE_JAR=forge-${MC_VERSION}-${FORGE_VERSION}-${MC_VERSION}-universal.jar\r\n        fi\r\n    else\r\n        DOWNLOAD_LINK=${FILE_SITE}${MC_VERSION}-${FORGE_VERSION}\/forge-${MC_VERSION}-${FORGE_VERSION}\r\n        FORGE_JAR=forge-${MC_VERSION}-${FORGE_VERSION}.jar\r\n    fi\r\nfi\r\n\r\n\r\n#Adding .jar when not eding by SERVER_JARFILE\r\nif [[ ! $SERVER_JARFILE = *\\.jar ]]; then\r\n  SERVER_JARFILE=\"$SERVER_JARFILE.jar\"\r\nfi\r\n\r\n#Downloading jars\r\necho -e \"Downloading forge version ${FORGE_VERSION}\"\r\nif [ ! -z \"${DOWNLOAD_LINK}\" ]; then \r\n    if curl --output \/dev\/null --silent --head --fail ${DOWNLOAD_LINK}-installer.jar; then\r\n        echo -e \"installer jar download link is valid.\"\r\n    else\r\n        echo -e \"link is invalid closing out\"\r\n        exit 2\r\n    fi\r\n\r\n    echo -e \"no download link closing out\"\r\n    exit 3\r\nfi\r\n\r\ncurl -s -o installer.jar -sS ${DOWNLOAD_LINK}-installer.jar\r\n\r\n#Checking if downloaded jars exist\r\nif [ ! -f .\/installer.jar ]; then\r\n    echo \"!!! Error by downloading forge version ${FORGE_VERSION} !!!\"\r\n    exit\r\nfi\r\n\r\n#Installing server\r\necho -e \"Installing forge server.\\n\"\r\njava -jar installer.jar --installServer || { echo -e \"install failed\"; exit 4; }\r\n\r\nmv $FORGE_JAR $SERVER_JARFILE\r\n\r\n#Deleting installer.jar\r\necho -e \"Deleting installer.jar file.\\n\"\r\nrm -rf installer.jar",
+            "container": "openjdk:8-jdk-slim",
             "entrypoint": "bash"
         }
     },
@@ -34,11 +34,29 @@
         },
         {
             "name": "Forge version",
-            "description": "The version of forge that you want to run.\r\nExamples:\r\n- 1.12.2\r\n- 1.12.2-14.23.5.2810",
+            "description": "The version of minecraft you want to install for.\r\n\r\nLeaving latest will install the latest recommended version.",
             "env_variable": "MC_VERSION",
             "default_value": "latest",
             "user_viewable": 1,
             "user_editable": 1,
+            "rules": "required|string|max:9"
+        },
+        {
+            "name": "Build Type",
+            "description": "The type of server jar to download from forge.\r\n\r\nValid types are \"recommended\" and \"latest\".",
+            "env_variable": "BUILD_TYPE",
+            "default_value": "recommended",
+            "user_viewable": 1,
+            "user_editable": 1,
+            "rules": "required|string|max:20"
+        },
+        {
+            "name": "Forge Version",
+            "description": "Gets an exact version.\r\n\r\nEx. 1.15.2-31.2.4\r\n\r\nOverrides MC_VERSION and BUILD_TYPE. If it fails to download the server files it will fail to install.",
+            "env_variable": "FORGE_VERSION",
+            "default_value": "",
+            "user_viewable": 1,
+            "user_editable": 1,
             "rules": "required|string|max:20"
         }
     ]

resources/scripts/components/server/StatGraphs.tsx

@@ -17,14 +17,14 @@ const chartDefaults: ChartConfiguration = {
             enabled: false,
         },
         animation: {
-            duration: 250,
+            duration: 0,
         },
         elements: {
             point: {
                 radius: 0,
             },
             line: {
-                tension: 0.1,
+                tension: 0.3,
                 backgroundColor: 'rgba(15, 178, 184, 0.45)',
                 borderColor: '#32D0D9',
             },

resources/scripts/components/server/users/EditSubuserModal.tsx

@@ -53,6 +53,8 @@ const EditSubuserModal = forwardRef<HTMLHeadingElement, Props>(({ subuser, ...pr
     const [ canEditUser ] = usePermissions(subuser ? [ 'user.update' ] : [ 'user.create' ]);
     const permissions = useStoreState(state => state.permissions.data);
 
+    const user = useStoreState(state => state.user.data!);
+
     // The currently logged in user's permissions. We're going to filter out any permissions
     // that they should not need.
     const loggedInPermissions = ServerContext.useStoreState(state => state.server.permissions);
@@ -64,7 +66,7 @@ const EditSubuserModal = forwardRef<HTMLHeadingElement, Props>(({ subuser, ...pr
 
         const list: string[] = ([] as string[]).concat.apply([], Object.values(cleaned));
 
-        if (loggedInPermissions.length === 1 && loggedInPermissions[0] === '*') {
+        if (user.rootAdmin || (loggedInPermissions.length === 1 && loggedInPermissions[0] === '*')) {
             return list;
         }
 
@@ -81,12 +83,14 @@ const EditSubuserModal = forwardRef<HTMLHeadingElement, Props>(({ subuser, ...pr
                 }
             </h3>
             <FlashMessageRender byKey={'user:edit'} className={'mt-4'}/>
+            {(!user.rootAdmin && loggedInPermissions[0] !== '*') &&
             <div className={'mt-4 pl-4 py-2 border-l-4 border-cyan-400'}>
                 <p className={'text-sm text-neutral-300'}>
                     Only permissions which your account is currently assigned may be selected when creating or
                     modifying other users.
                 </p>
             </div>
+            }
             {!subuser &&
             <div className={'mt-6'}>
                 <Field

routes/api-remote.php

@@ -2,9 +2,6 @@
 
 use Illuminate\Support\Facades\Route;
 
-Route::get('/authenticate/{token}', 'ValidateKeyController@index');
-Route::post('/download-file', 'FileDownloadController@index');
-
 // Routes for the Wings daemon.
 Route::post('/sftp/auth', 'SftpAuthenticationController');