Apply security fixes from pterodactyl#2441 to 1.0

Author: TrixterTheTux

CHANGELOG.md

@@ -3,6 +3,15 @@ This file is a running track of new features and fixes to each version of the pa
 
 This project follows [Semantic Versioning](http://semver.org) guidelines.
 
+## v0.7.19 (Derelict Dermodactylus)
+### Fixed
+* **[Security]** Fixes XSS in the admin area's server owner selection.
+
+## v0.7.18 (Derelict Dermodactylus)
+### Fixed
+* **[Security]** Re-addressed missed endpoint that would not properly limit a user account to 5 API keys.
+* **[Security]** Addresses a Client API vulnerability that would allow a user to list all servers on the system ([`GHSA-6888-7f3w-92jx`](https://github.com/pterodactyl/panel/security/advisories/GHSA-6888-7f3w-92jx))
+
 ## v0.7.17 (Derelict Dermodactylus)
 ### Fixed
 * Limited accounts to 5 API keys at a time.
@@ -301,7 +310,7 @@ the response from the server `GET` endpoint.
 * Nest and Egg listings now show the associated ID in order to make API requests easier.
 * Added star indicators to user listing in Admin CP to indicate users who are set as a root admin.
 * Creating a new node will now requires a SSL connection if the Panel is configured to use SSL as well.
-* Connector error messages due to permissions are now rendered correctly in the UI rather than causing a silent failure.
+* Socketio error messages due to permissions are now rendered correctly in the UI rather than causing a silent failure.
 * File manager now supports mass deletion option for files and folders.
 * Support for CS:GO as a default service option selection.
 * Support for GMOD as a default service option selection.
@@ -431,7 +440,7 @@ the response from the server `GET` endpoint.
 * Changed 2FA login process to be more secure. Previously authentication checking happened on the 2FA post page, now it happens prior and is passed along to the 2FA page to avoid storing any credentials.
 
 ### Added
-* Connector error messages due to permissions are now rendered correctly in the UI rather than causing a silent failure.
+* Socketio error messages due to permissions are now rendered correctly in the UI rather than causing a silent failure.
 
 ## v0.7.0-beta.1 (Derelict Dermodactylus)
 ### Added

public/themes/pterodactyl/js/admin/new-server.js

@@ -153,6 +153,12 @@ function updateAdditionalAllocations() {
 }
 
 function initUserIdSelect(data) {
+    function escapeHtml(str) {
+        var div = document.createElement('div');
+        div.appendChild(document.createTextNode(str));
+        return div.innerHTML;
+    }
+
     $('#pUserId').select2({
         ajax: {
             url: '/admin/users/accounts.json',
@@ -176,28 +182,27 @@ function initUserIdSelect(data) {
         data: data,
         escapeMarkup: function (markup) { return markup; },
         minimumInputLength: 2,
-
         templateResult: function (data) {
-            if (data.loading) return data.text;
+            if (data.loading) return escapeHtml(data.text);
 
             return '<div class="user-block"> \
-                        <img class="img-circle img-bordered-xs" src="https://www.gravatar.com/avatar/' + data.md5 + '?s=120" alt="User Image"> \
-                        <span class="username"> \
-                            <a href="#">' + data.name_first + ' ' + data.name_last +'</a> \
-                        </span> \
-                        <span class="description"><strong>' + data.email + '</strong> - ' + data.username + '</span> \
-                    </div>';
+                <img class="img-circle img-bordered-xs" src="https://www.gravatar.com/avatar/' + escapeHtml(data.md5) + '?s=120" alt="User Image"> \
+                <span class="username"> \
+                    <a href="#">' + escapeHtml(data.name_first) + ' ' + escapeHtml(data.name_last) +'</a> \
+                </span> \
+                <span class="description"><strong>' + escapeHtml(data.email) + '</strong> - ' + escapeHtml(data.username) + '</span> \
+            </div>';
         },
-
         templateSelection: function (data) {
             return '<div> \
-                        <span> \
-                            <img class="img-rounded img-bordered-xs" src="https://www.gravatar.com/avatar/' + data.md5 + '?s=120" style="height:28px;margin-top:-4px;" alt="User Image"> \
-                        </span> \
-                        <span style="padding-left:5px;"> \
-                            ' + data.name_first + ' ' + data.name_last + ' (<strong>' + data.email + '</strong>) \
-                        </span> \
-                    </div>';
+                <span> \
+                    <img class="img-rounded img-bordered-xs" src="https://www.gravatar.com/avatar/' + escapeHtml(data.md5) + '?s=120" style="height:28px;margin-top:-4px;" alt="User Image"> \
+                </span> \
+                <span style="padding-left:5px;"> \
+                    ' + escapeHtml(data.name_first) + ' ' + escapeHtml(data.name_last) + ' (<strong>' + escapeHtml(data.email) + '</strong>) \
+                </span> \
+            </div>';
         }
+
     });
 }

resources/views/admin/servers/view/details.blade.php

@@ -66,6 +66,12 @@
 @section('footer-scripts')
     @parent
     <script>
+    function escapeHtml(str) {
+        var div = document.createElement('div');
+        div.appendChild(document.createTextNode(str));
+        return div.innerHTML;
+    }
+
     $('#pUserId').select2({
         ajax: {
             url: '/admin/users/accounts.json',
@@ -85,14 +91,14 @@
         escapeMarkup: function (markup) { return markup; },
         minimumInputLength: 2,
         templateResult: function (data) {
-            if (data.loading) return data.text;
+            if (data.loading) return escapeHtml(data.text);
 
             return '<div class="user-block"> \
-                <img class="img-circle img-bordered-xs" src="https://www.gravatar.com/avatar/' + data.md5 + '?s=120" alt="User Image"> \
+                <img class="img-circle img-bordered-xs" src="https://www.gravatar.com/avatar/' + escapeHtml(data.md5) + '?s=120" alt="User Image"> \
                 <span class="username"> \
-                    <a href="#">' + data.name_first + ' ' + data.name_last +'</a> \
+                    <a href="#">' + escapeHtml(data.name_first) + ' ' + escapeHtml(data.name_last) +'</a> \
                 </span> \
-                <span class="description"><strong>' + data.email + '</strong> - ' + data.username + '</span> \
+                <span class="description"><strong>' + escapeHtml(data.email) + '</strong> - ' + escapeHtml(data.username) + '</span> \
             </div>';
         },
         templateSelection: function (data) {
@@ -108,10 +114,10 @@
 
             return '<div> \
                 <span> \
-                    <img class="img-rounded img-bordered-xs" src="https://www.gravatar.com/avatar/' + data.md5 + '?s=120" style="height:28px;margin-top:-4px;" alt="User Image"> \
+                    <img class="img-rounded img-bordered-xs" src="https://www.gravatar.com/avatar/' + escapeHtml(data.md5) + '?s=120" style="height:28px;margin-top:-4px;" alt="User Image"> \
                 </span> \
                 <span style="padding-left:5px;"> \
-                    ' + data.name_first + ' ' + data.name_last + ' (<strong>' + data.email + '</strong>) \
+                    ' + escapeHtml(data.name_first) + ' ' + escapeHtml(data.name_last) + ' (<strong>' + escapeHtml(data.email) + '</strong>) \
                 </span> \
             </div>';
         }