Merge branch 'release/v0.7.14' into feature/react

Author: DaneEveritt

CHANGELOG.md

@@ -3,6 +3,21 @@ This file is a running track of new features and fixes to each version of the pa
 
 This project follows [Semantic Versioning](http://semver.org) guidelines.
 
+## v0.7.14 (Derelict Dermodactylus)
+### Fixed
+* **[SECURITY]** Fixes an XSS vulnerability when performing certain actions in the file manager.
+* **[SECURITY]** Attempting to login as a user who has 2FA enabled will no longer request the 2FA token before validating
+that their password is correct. This closes a user existence leak that would expose that an account exists if
+it had 2FA enabled.
+
+### Changed
+* Support for setting a node to listen on ports lower than 1024.
+* QR code URLs are now generated without the use of an external library to reduce the dependency tree.
+* Regenerated database passwords now respect the same settings that were used when initially created.
+* Cleaned up 2FA QR code generation to use a more up-to-date library and API.
+* Console charts now properly start at 0 and scale based on server configuration. No more crazy spikes that
+are due to a change of one unit.
+
 ## v0.7.13 (Derelict Dermodactylus)
 ### Fixed
 * Fixes a bug with the location update API endpoint throwing an error due to an unexected response value.

README.md

@@ -1,4 +1,4 @@
-[![Logo Image](https://cdn.pterodactyl.io/logos/Banner%20Logo%20Black@2x.png)](https://pterodactyl.io)
+[![Logo Image](https://cdn.pterodactyl.io/logos/new/pterodactyl_logo.png)](https://pterodactyl.io)
 
 [![Build status](https://img.shields.io/travis/pterodactyl/panel/develop.svg?style=flat-square)](https://travis-ci.org/pterodactyl/panel)
 [![StyleCI](https://styleci.io/repos/47508644/shield?branch=develop)](https://styleci.io/repos/47508644)

app/Http/Controllers/Auth/LoginController.php

@@ -54,6 +54,71 @@ public function login(Request $request): JsonResponse
             return $this->sendFailedLoginResponse($request, $user);
         }
 
+        if ($user->use_totp) {
+            $token = str_random(64);
+            $this->cache->put($token, ['user_id' => $user->id, 'valid_credentials' => true], 5);
+
+            return redirect()->route('auth.totp')->with('authentication_token', $token);
+        }
+
+        $this->auth->guard()->login($user, true);
+
+        return $this->sendLoginResponse($user, $request);
+    }
+
+    /**
+     * Handle a TOTP implementation page.
+     *
+     * @param \Illuminate\Http\Request $request
+     * @return \Illuminate\Http\RedirectResponse|\Illuminate\View\View
+     */
+    public function totp(Request $request)
+    {
+        $token = $request->session()->get('authentication_token');
+        if (is_null($token) || $this->auth->guard()->user()) {
+            return redirect()->route('auth.login');
+        }
+
+        return view('auth.totp', ['verify_key' => $token]);
+    }
+
+    /**
+     * Handle a login where the user is required to provide a TOTP authentication
+     * token.
+     *
+     * @param \Illuminate\Http\Request $request
+     * @return \Illuminate\Http\RedirectResponse|\Illuminate\Http\Response
+     *
+     * @throws \PragmaRX\Google2FA\Exceptions\IncompatibleWithGoogleAuthenticatorException
+     * @throws \PragmaRX\Google2FA\Exceptions\InvalidCharactersException
+     * @throws \PragmaRX\Google2FA\Exceptions\SecretKeyTooShortException
+     * @throws \Pterodactyl\Exceptions\DisplayException
+     */
+    public function loginUsingTotp(Request $request)
+    {
+        if (is_null($request->input('verify_token'))) {
+            return $this->sendFailedLoginResponse($request);
+        }
+
+        try {
+            $cache = $this->cache->pull($request->input('verify_token'), []);
+            $user = $this->repository->find(array_get($cache, 'user_id', 0));
+        } catch (RecordNotFoundException $exception) {
+            return $this->sendFailedLoginResponse($request);
+        }
+
+        if (is_null($request->input('2fa_token'))) {
+            return $this->sendFailedLoginResponse($request, $user);
+        }
+
+        if (! $this->google2FA->verifyKey(
+            $this->encrypter->decrypt($user->totp_secret),
+            $request->input('2fa_token'),
+            $this->config->get('pterodactyl.auth.2fa.window')
+        )) {
+            return $this->sendFailedLoginResponse($request, $user);
+        }
+
         // If the user is using 2FA we do not actually log them in at this step, we return
         // a one-time token to link the 2FA credentials to this account via the UI.
         if ($user->use_totp) {

app/Http/Controllers/Base/SecurityController.php

@@ -83,8 +83,8 @@ public function index(Request $request): JsonResponse
 
         return JsonResponse::create([
             'enabled' => false,
-            'qr_image' => $response->get('image'),
-            'secret' => $response->get('secret'),
+            'qr_image' => $response,
+            'secret' => '',
         ]);
     }
 

app/Services/Users/TwoFactorSetupService.php

@@ -1,23 +1,18 @@
 <?php
-/**
- * Pterodactyl - Panel
- * Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>.
- *
- * This software is licensed under the terms of the MIT license.
- * https://opensource.org/licenses/MIT
- */
 
 namespace Pterodactyl\Services\Users;
 
+use Exception;
+use RuntimeException;
 use Pterodactyl\Models\User;
-use Illuminate\Support\Collection;
-use PragmaRX\Google2FAQRCode\Google2FA;
 use Illuminate\Contracts\Encryption\Encrypter;
 use Pterodactyl\Contracts\Repository\UserRepositoryInterface;
 use Illuminate\Contracts\Config\Repository as ConfigRepository;
 
 class TwoFactorSetupService
 {
+    const VALID_BASE32_CHARACTERS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
+
     /**
      * @var \Illuminate\Contracts\Config\Repository
      */
@@ -28,11 +23,6 @@ class TwoFactorSetupService
      */
     private $encrypter;
 
-    /**
-     * @var PragmaRX\Google2FAQRCode\Google2FA
-     */
-    private $google2FA;
-
     /**
      * @var \Pterodactyl\Contracts\Repository\UserRepositoryInterface
      */
@@ -43,43 +33,51 @@ class TwoFactorSetupService
      *
      * @param \Illuminate\Contracts\Config\Repository                   $config
      * @param \Illuminate\Contracts\Encryption\Encrypter                $encrypter
-     * @param PragmaRX\Google2FAQRCode\Google2FA                        $google2FA
      * @param \Pterodactyl\Contracts\Repository\UserRepositoryInterface $repository
      */
     public function __construct(
         ConfigRepository $config,
         Encrypter $encrypter,
-        Google2FA $google2FA,
         UserRepositoryInterface $repository
     ) {
         $this->config = $config;
         $this->encrypter = $encrypter;
-        $this->google2FA = $google2FA;
         $this->repository = $repository;
     }
 
     /**
      * Generate a 2FA token and store it in the database before returning the
-     * QR code image.
+     * QR code URL. This URL will need to be attached to a QR generating service in
+     * order to function.
      *
      * @param \Pterodactyl\Models\User $user
-     * @return \Illuminate\Support\Collection
+     * @return string
      *
      * @throws \Pterodactyl\Exceptions\Model\DataValidationException
      * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
      */
-    public function handle(User $user): Collection
+    public function handle(User $user): string
     {
-        $secret = $this->google2FA->generateSecretKey($this->config->get('pterodactyl.auth.2fa.bytes'));
-        $image = $this->google2FA->getQRCodeInline($this->config->get('app.name'), $user->email, $secret);
+        $secret = '';
+        try {
+            for ($i = 0; $i < $this->config->get('pterodactyl.auth.2fa.bytes', 16); $i++) {
+                $secret .= substr(self::VALID_BASE32_CHARACTERS, random_int(0, 31), 1);
+            }
+        } catch (Exception $exception) {
+            throw new RuntimeException($exception->getMessage(), 0, $exception);
+        }
 
         $this->repository->withoutFreshModel()->update($user->id, [
             'totp_secret' => $this->encrypter->encrypt($secret),
         ]);
 
-        return new Collection([
-            'image' => $image,
-            'secret' => $secret,
-        ]);
+        $company = $this->config->get('app.name');
+
+        return sprintf(
+            'otpauth://totp/%1$s:%2$s?secret=%3$s&issuer=%1$s',
+            rawurlencode($company),
+            rawurlencode($user->email),
+            rawurlencode($secret)
+        );
     }
 }

composer.json

@@ -30,7 +30,6 @@
         "matriphe/iso-639": "^1.2",
         "nesbot/carbon": "^1.22",
         "pragmarx/google2fa": "^5.0",
-        "pragmarx/google2fa-qrcode": "^1.0.3",
         "predis/predis": "^1.1",
         "prologue/alerts": "^0.4",
         "ramsey/uuid": "^3.7",

config/app.php

@@ -9,7 +9,7 @@
     | change this value if you are not maintaining your own internal versions.
     */
 
-    'version' => 'canary',
+    'version' => '0.7.14',
 
     /*
     |--------------------------------------------------------------------------

config/pterodactyl.php

@@ -1,6 +1,5 @@
 <?php
 
-
 return [
     /*
     |--------------------------------------------------------------------------

public/themes/pterodactyl/js/frontend/console.js

@@ -255,6 +255,31 @@ $(document).ready(function () {
 
             TimeLabels.push($.format.date(new Date(), 'HH:mm:ss'));
 
+
+            // memory.cmax is the maximum given by the container
+            // memory.amax is given by the json config
+            // use the maximum of both
+            // with no limit memory.cmax will always be higher
+            // but with limit memory.amax is sometimes still smaller than memory.total
+            MemoryChart.config.options.scales.yAxes[0].ticks.max = Math.max(proc.data.memory.cmax, proc.data.memory.amax) / (1000 * 1000);
+
+            if (Pterodactyl.server.cpu > 0) {
+                // if there is a cpu limit defined use 100% as maximum
+                CPUChart.config.options.scales.yAxes[0].ticks.max = 100;
+            } else {
+                // if there is no cpu limit defined use linux percentage
+                // and find maximum in all values
+                var maxCpu = 1;
+                for(var i = 0; i < CPUData.length; i++) {
+                    maxCpu = Math.max(maxCpu, parseFloat(CPUData[i]))
+                }
+
+                maxCpu = Math.ceil(maxCpu / 100) * 100;
+                CPUChart.config.options.scales.yAxes[0].ticks.max = maxCpu;
+            }
+
+
+
             CPUChart.update();
             MemoryChart.update();
         });
@@ -301,6 +326,13 @@ $(document).ready(function () {
                 },
                 animation: {
                     duration: 1,
+                },
+                scales: {
+                    yAxes: [{
+                        ticks: {
+                            beginAtZero: true
+                        }
+                    }]
                 }
             }
         });
@@ -346,6 +378,13 @@ $(document).ready(function () {
                 },
                 animation: {
                     duration: 1,
+                },
+                scales: {
+                    yAxes: [{
+                        ticks: {
+                            beginAtZero: true
+                        }
+                    }]
                 }
             }
         });