[Security] Address critical flaw in console rendering that allowed arbitrary command execution

Author: DaneEveritt

CHANGELOG.md

@@ -3,6 +3,13 @@ This file is a running track of new features and fixes to each version of the pa
 
 This project follows [Semantic Versioning](http://semver.org) guidelines.
 
+## v0.6.3 (Courageous Carniadactylus)
+### Fixed
+* **[Security]** — Addresses an oversight in how the terminal rendered information sent from the server feed which allowed a malicious user to execute arbitrary commands on the game-server process itself by using a specifically crafted in-game command.
+
+### Changed
+* Removed `jquery.terminal` and replaced it with an in-house developed terminal with less potential for security issues.
+
 ## v0.6.2 (Courageous Carniadactylus)
 ### Fixed
 * Fixes a few typos throughout the panel, there are more don't worry.

README.md

@@ -39,6 +39,8 @@ AdminLTE - [license](https://github.com/almasaeed2010/AdminLTE/blob/master/LICEN
 
 Animate.css - [license](https://github.com/daneden/animate.css/blob/master/LICENSE) - [homepage](http://daneden.github.io/animate.css/)
 
+AnsiUp - [license](https://github.com/drudru/ansi_up/blob/master/Readme.md#license) - [homepage](https://github.com/drudru/ansi_up)
+
 Async.js - [license](https://github.com/caolan/async/blob/master/LICENSE) - [homepage](https://github.com/caolan/async/)
 
 Bootstrap - [license](https://github.com/twbs/bootstrap/blob/master/LICENSE) - [homepage](http://getbootstrap.com)
@@ -53,8 +55,6 @@ FontAwesome Animations - [license](https://github.com/l-lin/font-awesome-animati
 
 jQuery - [license](https://github.com/jquery/jquery/blob/master/LICENSE.txt) - [homepage](http://jquery.com)
 
-jQuery Terminal - [license](https://github.com/jcubic/jquery.terminal/blob/master/LICENSE) - [homepage](http://terminal.jcubic.pl)
-
 Laravel Framework - [license](https://github.com/laravel/framework/blob/5.4/LICENSE.md) - [homepage](https://laravel.com)
 
 Lodash - [license](https://github.com/lodash/lodash/blob/master/LICENSE) - [homepage](https://lodash.com/)

public/themes/pterodactyl/css/pterodactyl.css

@@ -311,3 +311,90 @@ input.form-autocomplete-stop[readonly] {
     background: white;
     box-shadow: none !important;
 }
+
+#terminal {
+    font-family: monospace;
+    color: #aaa;
+    background: #000;
+    font-size: 12px;
+    line-height: 14px;
+    padding: 10px 10px 0;
+    box-sizing: border-box;
+    min-height: 30px;
+    max-height: 500px;
+    overflow-y: auto;
+    overflow-x: hidden;
+    border-radius: 5px 5px 0 0;
+}
+
+#terminal > .cmd {
+    padding: 1px 0;
+}
+
+@keyframes blinky {
+    0% {
+        background: transparent;
+    }
+    100% {
+        background: rgba(170, 170, 170, 0.9);
+    }
+}
+
+@-webkit-keyframes blinky {
+    0% {
+        background: transparent;
+    }
+    100% {
+        background: rgba(170, 170, 170, 0.9);
+    }
+}
+
+#terminal_input {
+    width: 100%;
+    background: #000;
+    border-radius: 0 0 5px 5px;
+    padding: 5px 10px;
+}
+
+.terminal_input--input {
+    height: 0;
+    width: 0;
+    position: absolute;
+    top: -20px;
+}
+
+.terminal_input--text, .terminal_input--prompt {
+    line-height: 14px;
+    width: 100%;
+    vertical-align: middle;
+    font-size: 12px;
+    font-family: monospace;
+    margin-bottom: 0;
+    background: transparent;
+    color: #aaa;
+}
+
+.terminal_input--text:before, .terminal_input--text:after {
+    content: "";
+    display: inline-block;
+    width: 7px;
+    height: 14px;
+    margin: 0 0 -12px -6px;
+    vertical-align: middle;
+}
+
+.terminal_input--text:after {
+    position: relative;
+    bottom: 8px;
+    left: 8px;
+    background: #ff00;
+    animation: blinky 0.6s linear infinite alternate;
+    -webkit-animation: blinky 0.6s linear infinite alternate;
+}
+
+.terminal_input--input {
+    color: transparent;
+    background-color: transparent;
+    border: 0;
+    outline: none;
+}

public/themes/pterodactyl/js/frontend/console.js

@@ -20,39 +20,56 @@
 var CONSOLE_PUSH_COUNT = Pterodactyl.config.console_count || 10;
 var CONSOLE_PUSH_FREQ = Pterodactyl.config.console_freq || 200;
 var CONSOLE_OUTPUT_LIMIT = Pterodactyl.config.console_limit || 2000;
+
 var InitialLogSent = false;
+var AnsiUp = new AnsiUp;
 
-(function initConsole() {
-    window.TerminalQueue = [];
-    window.ConsoleServerStatus = 0;
-    window.Terminal = $('#terminal').terminal(function (command, term) {
-        Socket.emit((ConsoleServerStatus !== 0) ? 'send command' : 'set status', command);
-    }, {
-        greetings: '',
-        name: Pterodactyl.server.uuid,
-        height: 450,
-        exit: false,
-        echoCommand: false,
-        outputLimit: CONSOLE_OUTPUT_LIMIT,
-        prompt: Pterodactyl.server.username + ':~$ ',
-        scrollOnEcho: false,
-        scrollBottomOffset: 5,
-        onBlur: function (terminal) {
-            return false;
-        }
+var $terminal = $('#terminal');
+var $ghostInput = $('.terminal_input--input');
+var $visibleInput = $('.terminal_input--text');
+var $scrollNotify = $('#terminalNotify');
+
+$(document).ready(function () {
+    $ghostInput.focus();
+    $('.terminal_input--text, #terminal_input, #terminal, #terminalNotify').on('click', function () {
+        $ghostInput.focus();
     });
 
-    window.TerminalNotifyElement = $('#terminalNotify');
-    TerminalNotifyElement.on('click', function () {
-        Terminal.scroll_to_bottom();
-        TerminalNotifyElement.addClass('hidden');
-    })
+    $ghostInput.on('input', function () {
+        $visibleInput.html($(this).val());
+    });
+
+    $ghostInput.on('keyup', function (e) {
+        if (e.which === 13) {
+            Socket.emit((ConsoleServerStatus !== 0) ? 'send command' : 'set status', $(this).val());
 
-    Terminal.on('scroll', function () {
-        if (Terminal.is_bottom()) {
-            TerminalNotifyElement.addClass('hidden');
+            $(this).val('');
+            $visibleInput.html('');
         }
-    })
+    });
+});
+
+$terminal.on('scroll', function () {
+    if ($(this).scrollTop() + $(this).innerHeight() < $(this)[0].scrollHeight) {
+        $scrollNotify.removeClass('hidden');
+    } else {
+        $scrollNotify.addClass('hidden');
+    }
+});
+
+window.scrollToBottom = function () {
+    $terminal.scrollTop($terminal[0].scrollHeight);
+};
+
+(function initConsole() {
+    window.TerminalQueue = [];
+    window.ConsoleServerStatus = 0;
+    window.ConsoleElements = 0;
+
+    $scrollNotify.on('click', function () {
+        window.scrollToBottom();
+        $scrollNotify.addClass('hidden');
+    });
 })();
 
 (function pushOutputQueue() {
@@ -62,16 +79,22 @@ var InitialLogSent = false;
 
     if (TerminalQueue.length > 0) {
         for (var i = 0; i < CONSOLE_PUSH_COUNT && TerminalQueue.length > 0; i++) {
-            Terminal.echo(TerminalQueue[0], { flush: false });
+            $terminal.append(
+                '<div class="cmd">' + AnsiUp.ansi_to_html(TerminalQueue[0] + '\u001b[0m') + '</div>'
+            );
+
+            if (! $scrollNotify.is(':visible')) {
+                window.scrollToBottom();
+            }
+
+            window.ConsoleElements++;
             TerminalQueue.shift();
         }
 
-        // Flush after looping through all.
-        Terminal.flush();
-
-        // Show Warning
-        if (! Terminal.is_bottom()) {
-            TerminalNotifyElement.removeClass('hidden');
+        var removeElements = window.ConsoleElements - CONSOLE_OUTPUT_LIMIT;
+        if (removeElements > 0) {
+            $('#terminal').find('.cmd').slice(0, removeElements).remove();
+            window.ConsoleElements = window.ConsoleElements - removeElements;
         }
     }
 
@@ -99,14 +122,18 @@ var InitialLogSent = false;
 
     Socket.on('server log', function (data) {
         if (! InitialLogSent) {
-            Terminal.clear();
-            TerminalQueue.push(data);
+            $('#terminal').html('');
+            data.split(/\n/g).forEach(function (item) {
+                TerminalQueue.push(item);
+            });
             InitialLogSent = true;
         }
     });
 
     Socket.on('console', function (data) {
-        TerminalQueue.push(data.line);
+        data.line.split(/\n/g).forEach(function (item) {
+            TerminalQueue.push(item);
+        });
     });
 })();