Merge branch 'develop' into dane/restore-backups

Author: DaneEveritt

.github/workflows/docker.yml

@@ -25,6 +25,12 @@ jobs:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.REGISTRY_TOKEN }}
+      - name: Bump Version
+        if: "!contains(github.ref, 'develop')"
+        env:
+          REF: ${{ github.ref }}
+        run: |
+          sed -i "s/    'version' => 'canary',/    'version' => '${REF:11}',/" config/app.php
       - name: Release Production Build
         uses: docker/build-push-action@v2
         if: "!contains(github.ref, 'develop')"

.github/workflows/tests.yml

@@ -19,9 +19,9 @@ jobs:
           - 3306
         options: --health-cmd="mysqladmin ping" --health-interval=10s --health-timeout=5s --health-retries=3
     strategy:
-      fail-fast: true
+      fail-fast: false
       matrix:
-        php: [7.3, 7.4]
+        php: [7.4, 8.0]
     name: PHP ${{ matrix.php }}
     steps:
       - name: checkout
@@ -44,14 +44,14 @@ jobs:
         with:
           php-version: ${{ matrix.php }}
           extensions: cli, openssl, gd, mysql, pdo, mbstring, tokenizer, bcmath, xml, curl, zip
-          tools: composer:v1
+          tools: composer:v2
           coverage: none
       - name: configure
         run: cp .env.ci .env
       - name: install dependencies
         run: composer install --prefer-dist --no-interaction --no-progress
       - name: run cs-fixer
-        run: vendor/bin/php-cs-fixer fix --dry-run --diff --diff-format=udiff
+        run: vendor/bin/php-cs-fixer fix --dry-run --diff --diff-format=udiff --rules=psr_autoloading
         continue-on-error: true
       - name: execute unit tests
         run: vendor/bin/phpunit --bootstrap bootstrap/app.php tests/Unit

.gitignore

@@ -1,6 +1,9 @@
 /vendor
 *.DS_Store*
-.env
+!.env.ci
+!.env.dusk
+!.env.example
+.env*
 .vagrant/*
 .vscode/*
 storage/framework/*

.php_cs

@@ -0,0 +1,33 @@
+<?php
+
+use PhpCsFixer\Config;
+use PhpCsFixer\Finder;
+
+$finder = (new Finder())->in(__DIR__)->exclude(['vendor', 'node_modules', 'storage', 'bootstrap/cache']);
+
+return (new Config())
+    ->setRiskyAllowed(true)
+    ->setFinder($finder)
+    ->setRules([
+        '@Symfony' => true,
+        '@PSR1' => true,
+        '@PSR2' => true,
+        '@PSR12' => true,
+        'align_multiline_comment' => ['comment_type' => 'phpdocs_like'],
+        'combine_consecutive_unsets' => true,
+        'concat_space' => ['spacing' => 'one'],
+        'heredoc_to_nowdoc' => true,
+        'no_alias_functions' => true,
+        'no_unreachable_default_argument_value' => true,
+        'no_useless_return' => true,
+        'ordered_imports' => [
+            'sortAlgorithm' => 'length',
+        ],
+        'random_api_migration' => true,
+        'ternary_to_null_coalescing' => true,
+        'yoda_style' => [
+            'equal' => false,
+            'identical' => false,
+            'less_and_greater' => false,
+        ],
+    ]);

.php_cs.dist

@@ -3,6 +3,9 @@ This file is a running track of new features and fixes to each version of the pa
 
 This project follows [Semantic Versioning](http://semver.org) guidelines.
 
+## v1.2.2
+* **[security]** Fixes authentication bypass allowing a user to take control of specific server actions such as executing schedules, rotating database passwords, and viewing or deleting a backup.
+
 ## v1.2.1
 ### Fixed
 * Fixes URL-encoding of filenames when working in the filemanager to fix issues when moving, renaming, or deleting files.

CHANGELOG.md

@@ -19,21 +19,21 @@ class AppSettingsCommand extends Command
 {
     use EnvironmentWriterTrait;
 
-    const ALLOWED_CACHE_DRIVERS = [
+    public const ALLOWED_CACHE_DRIVERS = [
         'redis' => 'Redis (recommended)',
         'memcached' => 'Memcached',
         'file' => 'Filesystem',
     ];
 
-    const ALLOWED_SESSION_DRIVERS = [
+    public const ALLOWED_SESSION_DRIVERS = [
         'redis' => 'Redis (recommended)',
         'memcached' => 'Memcached',
         'database' => 'MySQL Database',
         'file' => 'Filesystem',
         'cookie' => 'Cookie',
     ];
 
-    const ALLOWED_QUEUE_DRIVERS = [
+    public const ALLOWED_QUEUE_DRIVERS = [
         'redis' => 'Redis (recommended)',
         'database' => 'MySQL Database',
         'sync' => 'Sync',
@@ -77,9 +77,6 @@ class AppSettingsCommand extends Command
 
     /**
      * AppSettingsCommand constructor.
-     *
-     * @param \Illuminate\Contracts\Config\Repository $config
-     * @param \Illuminate\Contracts\Console\Kernel $command
      */
     public function __construct(ConfigRepository $config, Kernel $command)
     {
@@ -102,43 +99,45 @@ public function handle()
 
         $this->output->comment(trans('command/messages.environment.app.author_help'));
         $this->variables['APP_SERVICE_AUTHOR'] = $this->option('author') ?? $this->ask(
-                trans('command/messages.environment.app.author'), $this->config->get('pterodactyl.service.author', 'unknown@unknown.com')
-            );
+            trans('command/messages.environment.app.author'),
+            $this->config->get('pterodactyl.service.author', 'unknown@unknown.com')
+        );
 
         $this->output->comment(trans('command/messages.environment.app.app_url_help'));
         $this->variables['APP_URL'] = $this->option('url') ?? $this->ask(
-                trans('command/messages.environment.app.app_url'), $this->config->get('app.url', 'http://example.org')
-            );
+            trans('command/messages.environment.app.app_url'),
+            $this->config->get('app.url', 'http://example.org')
+        );
 
         $this->output->comment(trans('command/messages.environment.app.timezone_help'));
         $this->variables['APP_TIMEZONE'] = $this->option('timezone') ?? $this->anticipate(
-                trans('command/messages.environment.app.timezone'),
-                DateTimeZone::listIdentifiers(DateTimeZone::ALL),
-                $this->config->get('app.timezone')
-            );
+            trans('command/messages.environment.app.timezone'),
+            DateTimeZone::listIdentifiers(DateTimeZone::ALL),
+            $this->config->get('app.timezone')
+        );
 
         $selected = $this->config->get('cache.default', 'redis');
         $this->variables['CACHE_DRIVER'] = $this->option('cache') ?? $this->choice(
-                trans('command/messages.environment.app.cache_driver'),
-                self::ALLOWED_CACHE_DRIVERS,
-                array_key_exists($selected, self::ALLOWED_CACHE_DRIVERS) ? $selected : null
-            );
+            trans('command/messages.environment.app.cache_driver'),
+            self::ALLOWED_CACHE_DRIVERS,
+            array_key_exists($selected, self::ALLOWED_CACHE_DRIVERS) ? $selected : null
+        );
 
         $selected = $this->config->get('session.driver', 'redis');
         $this->variables['SESSION_DRIVER'] = $this->option('session') ?? $this->choice(
-                trans('command/messages.environment.app.session_driver'),
-                self::ALLOWED_SESSION_DRIVERS,
-                array_key_exists($selected, self::ALLOWED_SESSION_DRIVERS) ? $selected : null
-            );
+            trans('command/messages.environment.app.session_driver'),
+            self::ALLOWED_SESSION_DRIVERS,
+            array_key_exists($selected, self::ALLOWED_SESSION_DRIVERS) ? $selected : null
+        );
 
         $selected = $this->config->get('queue.default', 'redis');
         $this->variables['QUEUE_CONNECTION'] = $this->option('queue') ?? $this->choice(
-                trans('command/messages.environment.app.queue_driver'),
-                self::ALLOWED_QUEUE_DRIVERS,
-                array_key_exists($selected, self::ALLOWED_QUEUE_DRIVERS) ? $selected : null
-            );
+            trans('command/messages.environment.app.queue_driver'),
+            self::ALLOWED_QUEUE_DRIVERS,
+            array_key_exists($selected, self::ALLOWED_QUEUE_DRIVERS) ? $selected : null
+        );
 
-        if (! is_null($this->option('settings-ui'))) {
+        if (!is_null($this->option('settings-ui'))) {
             $this->variables['APP_ENVIRONMENT_ONLY'] = $this->option('settings-ui') == 'true' ? 'false' : 'true';
         } else {
             $this->variables['APP_ENVIRONMENT_ONLY'] = $this->confirm(trans('command/messages.environment.app.settings'), true) ? 'false' : 'true';
@@ -171,28 +170,30 @@ private function checkForRedis()
 
         $this->output->note(trans('command/messages.environment.app.using_redis'));
         $this->variables['REDIS_HOST'] = $this->option('redis-host') ?? $this->ask(
-                trans('command/messages.environment.app.redis_host'), $this->config->get('database.redis.default.host')
-            );
+            trans('command/messages.environment.app.redis_host'),
+            $this->config->get('database.redis.default.host')
+        );
 
         $askForRedisPassword = true;
-        if (! empty($this->config->get('database.redis.default.password'))) {
+        if (!empty($this->config->get('database.redis.default.password'))) {
             $this->variables['REDIS_PASSWORD'] = $this->config->get('database.redis.default.password');
             $askForRedisPassword = $this->confirm(trans('command/messages.environment.app.redis_pass_defined'));
         }
 
         if ($askForRedisPassword) {
             $this->output->comment(trans('command/messages.environment.app.redis_pass_help'));
             $this->variables['REDIS_PASSWORD'] = $this->option('redis-pass') ?? $this->output->askHidden(
-                    trans('command/messages.environment.app.redis_password')
-                );
+                trans('command/messages.environment.app.redis_password')
+            );
         }
 
         if (empty($this->variables['REDIS_PASSWORD'])) {
             $this->variables['REDIS_PASSWORD'] = 'null';
         }
 
         $this->variables['REDIS_PORT'] = $this->option('redis-port') ?? $this->ask(
-                trans('command/messages.environment.app.redis_port'), $this->config->get('database.redis.default.port')
-            );
+            trans('command/messages.environment.app.redis_port'),
+            $this->config->get('database.redis.default.port')
+        );
     }
 }

app/Console/Commands/Environment/AppSettingsCommand.php

@@ -57,10 +57,6 @@ class DatabaseSettingsCommand extends Command
 
     /**
      * DatabaseSettingsCommand constructor.
-     *
-     * @param \Illuminate\Contracts\Config\Repository $config
-     * @param \Illuminate\Database\DatabaseManager $database
-     * @param \Illuminate\Contracts\Console\Kernel $console
      */
     public function __construct(ConfigRepository $config, DatabaseManager $database, Kernel $console)
     {
@@ -82,24 +78,28 @@ public function handle()
     {
         $this->output->note(trans('command/messages.environment.database.host_warning'));
         $this->variables['DB_HOST'] = $this->option('host') ?? $this->ask(
-                trans('command/messages.environment.database.host'), $this->config->get('database.connections.mysql.host', '127.0.0.1')
-            );
+            trans('command/messages.environment.database.host'),
+            $this->config->get('database.connections.mysql.host', '127.0.0.1')
+        );
 
         $this->variables['DB_PORT'] = $this->option('port') ?? $this->ask(
-                trans('command/messages.environment.database.port'), $this->config->get('database.connections.mysql.port', 3306)
-            );
+            trans('command/messages.environment.database.port'),
+            $this->config->get('database.connections.mysql.port', 3306)
+        );
 
         $this->variables['DB_DATABASE'] = $this->option('database') ?? $this->ask(
-                trans('command/messages.environment.database.database'), $this->config->get('database.connections.mysql.database', 'panel')
-            );
+            trans('command/messages.environment.database.database'),
+            $this->config->get('database.connections.mysql.database', 'panel')
+        );
 
         $this->output->note(trans('command/messages.environment.database.username_warning'));
         $this->variables['DB_USERNAME'] = $this->option('username') ?? $this->ask(
-                trans('command/messages.environment.database.username'), $this->config->get('database.connections.mysql.username', 'pterodactyl')
-            );
+            trans('command/messages.environment.database.username'),
+            $this->config->get('database.connections.mysql.username', 'pterodactyl')
+        );
 
         $askForMySQLPassword = true;
-        if (! empty($this->config->get('database.connections.mysql.password')) && $this->input->isInteractive()) {
+        if (!empty($this->config->get('database.connections.mysql.password')) && $this->input->isInteractive()) {
             $this->variables['DB_PASSWORD'] = $this->config->get('database.connections.mysql.password');
             $askForMySQLPassword = $this->confirm(trans('command/messages.environment.database.password_defined'));
         }