From 45999ba4ee1b2dcb12b4a2fa2cedfb6b5d66fac2 Mon Sep 17 00:00:00 2001 From: Dane Everitt Date: Sat, 23 Oct 2021 13:00:21 -0700 Subject: [PATCH 1/3] (security) use POST for logout rather than GET see https://github.com/pterodactyl/panel/security/advisories/GHSA-m49f-hcxp-6hm6 --- SECURITY.md | 2 +- .../scripts/components/NavigationBar.tsx | 19 ++++++++++++++++--- routes/auth.php | 2 +- 3 files changed, 18 insertions(+), 5 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index a00178658..171a0cb13 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -11,7 +11,7 @@ The following versions of Pterodactyl are receiving active support and maintenan ## Reporting a Vulnerability -Please reach out directly to any project team member on Discord when reporting a security vulnerability, or you can send an email to `dane [ät] pterodactyl.io`. +Please reach out directly to any project team member on Discord when reporting a security vulnerability, or you can send an email to `dane@pterodactyl.io`. We make every effort to respond as soon as possible, although it may take a day or two for us to sync internally and determine the severity of the report and its impact. Please, _do not_ use a public facing channel or GitHub issues to report sensitive security issues. diff --git a/resources/scripts/components/NavigationBar.tsx b/resources/scripts/components/NavigationBar.tsx index 64845591a..9500d215d 100644 --- a/resources/scripts/components/NavigationBar.tsx +++ b/resources/scripts/components/NavigationBar.tsx @@ -7,6 +7,9 @@ import { ApplicationStore } from '@/state'; import SearchContainer from '@/components/dashboard/search/SearchContainer'; import tw, { theme } from 'twin.macro'; import styled from 'styled-components/macro'; +import http from '@/api/http'; +import SpinnerOverlay from '@/components/elements/SpinnerOverlay'; +import { useState } from 'react'; const Navigation = styled.div` ${tw`w-full bg-neutral-900 shadow-md overflow-x-auto`}; @@ -27,7 +30,7 @@ const Navigation = styled.div` const RightNavigation = styled.div` ${tw`flex h-full items-center justify-center`}; - & > a, & > .navigation-link { + & > a, & > button, & > .navigation-link { ${tw`flex items-center h-full no-underline text-neutral-300 px-6 cursor-pointer transition-all duration-150`}; &:active, &:hover { @@ -43,9 +46,19 @@ const RightNavigation = styled.div` export default () => { const name = useStoreState((state: ApplicationStore) => state.settings.data!.name); const rootAdmin = useStoreState((state: ApplicationStore) => state.user.data!.rootAdmin); + const [ isLoggingOut, setIsLoggingOut ] = useState(false); + + const onTriggerLogout = () => { + setIsLoggingOut(true); + http.post('/auth/logout').finally(() => { + // @ts-ignore + window.location = '/'; + }); + }; return ( +
@@ -65,9 +78,9 @@ export default () => { } - +
diff --git a/routes/auth.php b/routes/auth.php index 2e9a01eaf..0acd9fded 100644 --- a/routes/auth.php +++ b/routes/auth.php @@ -48,4 +48,4 @@ Route::group(['middleware' => 'guest'], function () { | Endpoint: /auth | */ -Route::get('/logout', 'LoginController@logout')->name('auth.logout')->middleware('auth'); +Route::post('/logout', 'LoginController@logout')->name('auth.logout')->middleware('auth', 'csrf'); From d65e2978d0af2a41375c1b313663071933d5158a Mon Sep 17 00:00:00 2001 From: Dane Everitt Date: Sat, 23 Oct 2021 13:02:25 -0700 Subject: [PATCH 2/3] Update CHANGELOG.md --- CHANGELOG.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f72f306f5..56744b194 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,15 @@ This file is a running track of new features and fixes to each version of the pa This project follows [Semantic Versioning](http://semver.org) guidelines. +## v1.6.3 +### Fixed +* **[Security]** Changes logout endpoint to be a POST request with CSRF-token validation to prevent a malicious actor from triggering a user logout. +* Fixes Wings receiving the wrong server suspension state when syncing servers. + +### Added +* Adds additional throttling to login and password reset endpoints. +* Adds server uptime display when viewing a server console. + ## v1.6.2 ### Fixed * **[Security]** Fixes an authentication bypass vulerability that could allow a malicious actor to login as another user in the Panel without knowing that user's email or password. From 72680fc954efff090db9ab1918e05c7b108f8ef6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Anders=20G=2E=20J=C3=B8rgensen?= Date: Sat, 23 Oct 2021 22:11:45 +0200 Subject: [PATCH 3/3] Don't force enable-query (#3700) But make sure the query.port is set correctly, if query is enabled. --- database/Seeders/eggs/minecraft/egg-forge-minecraft.json | 4 ++-- database/Seeders/eggs/minecraft/egg-paper.json | 4 ++-- .../Seeders/eggs/minecraft/egg-sponge--sponge-vanilla.json | 4 ++-- database/Seeders/eggs/minecraft/egg-vanilla-minecraft.json | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/database/Seeders/eggs/minecraft/egg-forge-minecraft.json b/database/Seeders/eggs/minecraft/egg-forge-minecraft.json index 6ac6eaaf7..804f65a8d 100644 --- a/database/Seeders/eggs/minecraft/egg-forge-minecraft.json +++ b/database/Seeders/eggs/minecraft/egg-forge-minecraft.json @@ -4,7 +4,7 @@ "version": "PTDL_v1", "update_url": null }, - "exported_at": "2021-10-10T07:10:13-04:00", + "exported_at": "2021-10-22T19:29:26+02:00", "name": "Forge Minecraft", "author": "support@pterodactyl.io", "description": "Minecraft Forge Server. Minecraft Forge is a modding API (Application Programming Interface), which makes it easier to create mods, and also make sure mods are compatible with each other.", @@ -20,7 +20,7 @@ "file_denylist": [], "startup": "java -Xms128M -Xmx{{SERVER_MEMORY}}M -Dterminal.jline=false -Dterminal.ansi=true $( [ ! -f unix_args.txt ] && printf %s \"-jar {{SERVER_JARFILE}}\" || printf %s \"@unix_args.txt\" )", "config": { - "files": "{\r\n \"server.properties\": {\r\n \"parser\": \"properties\",\r\n \"find\": {\r\n \"server-ip\": \"0.0.0.0\",\r\n \"enable-query\": \"true\",\r\n \"server-port\": \"{{server.build.default.port}}\",\r\n \"query.port\": \"{{server.build.default.port}}\"\r\n }\r\n }\r\n}", + "files": "{\r\n \"server.properties\": {\r\n \"parser\": \"properties\",\r\n \"find\": {\r\n \"server-ip\": \"0.0.0.0\",\r\n \"server-port\": \"{{server.build.default.port}}\",\r\n \"query.port\": \"{{server.build.default.port}}\"\r\n }\r\n }\r\n}", "startup": "{\r\n \"done\": \")! For help, type \"\r\n}", "logs": "{}", "stop": "stop" diff --git a/database/Seeders/eggs/minecraft/egg-paper.json b/database/Seeders/eggs/minecraft/egg-paper.json index 4153227a4..2c3f130c2 100644 --- a/database/Seeders/eggs/minecraft/egg-paper.json +++ b/database/Seeders/eggs/minecraft/egg-paper.json @@ -4,7 +4,7 @@ "version": "PTDL_v1", "update_url": null }, - "exported_at": "2021-08-01T03:54:45+03:00", + "exported_at": "2021-10-22T19:19:11+02:00", "name": "Paper", "author": "parker@pterodactyl.io", "description": "High performance Spigot fork that aims to fix gameplay and mechanics inconsistencies.", @@ -20,7 +20,7 @@ "file_denylist": [], "startup": "java -Xms128M -Xmx{{SERVER_MEMORY}}M -Dterminal.jline=false -Dterminal.ansi=true -jar {{SERVER_JARFILE}}", "config": { - "files": "{\r\n \"server.properties\": {\r\n \"parser\": \"properties\",\r\n \"find\": {\r\n \"server-ip\": \"0.0.0.0\",\r\n \"server-port\": \"{{server.build.default.port}}\"\r\n }\r\n }\r\n}", + "files": "{\r\n \"server.properties\": {\r\n \"parser\": \"properties\",\r\n \"find\": {\r\n \"server-ip\": \"0.0.0.0\",\r\n \"server-port\": \"{{server.build.default.port}}\",\r\n \"query.port\": \"{{server.build.default.port}}\"\r\n }\r\n }\r\n}", "startup": "{\r\n \"done\": \")! For help, type \"\r\n}", "logs": "{}", "stop": "stop" diff --git a/database/Seeders/eggs/minecraft/egg-sponge--sponge-vanilla.json b/database/Seeders/eggs/minecraft/egg-sponge--sponge-vanilla.json index c25fda1c2..9c502f747 100644 --- a/database/Seeders/eggs/minecraft/egg-sponge--sponge-vanilla.json +++ b/database/Seeders/eggs/minecraft/egg-sponge--sponge-vanilla.json @@ -4,7 +4,7 @@ "version": "PTDL_v1", "update_url": null }, - "exported_at": "2021-08-01T03:55:24+03:00", + "exported_at": "2021-10-22T19:19:17+02:00", "name": "Sponge (SpongeVanilla)", "author": "support@pterodactyl.io", "description": "SpongeVanilla is the SpongeAPI implementation for Vanilla Minecraft.", @@ -20,7 +20,7 @@ "file_denylist": [], "startup": "java -Xms128M -Xmx{{SERVER_MEMORY}}M -jar {{SERVER_JARFILE}}", "config": { - "files": "{\r\n \"server.properties\": {\r\n \"parser\": \"properties\",\r\n \"find\": {\r\n \"server-ip\": \"0.0.0.0\",\r\n \"enable-query\": \"true\",\r\n \"server-port\": \"{{server.build.default.port}}\",\r\n \"query.port\": \"{{server.build.default.port}}\"\r\n }\r\n }\r\n}", + "files": "{\r\n \"server.properties\": {\r\n \"parser\": \"properties\",\r\n \"find\": {\r\n \"server-ip\": \"0.0.0.0\",\r\n \"server-port\": \"{{server.build.default.port}}\",\r\n \"query.port\": \"{{server.build.default.port}}\"\r\n }\r\n }\r\n}", "startup": "{\r\n \"done\": \")! For help, type \"\r\n}", "logs": "{}", "stop": "stop" diff --git a/database/Seeders/eggs/minecraft/egg-vanilla-minecraft.json b/database/Seeders/eggs/minecraft/egg-vanilla-minecraft.json index 236a0cff3..64310fcf1 100644 --- a/database/Seeders/eggs/minecraft/egg-vanilla-minecraft.json +++ b/database/Seeders/eggs/minecraft/egg-vanilla-minecraft.json @@ -4,7 +4,7 @@ "version": "PTDL_v1", "update_url": null }, - "exported_at": "2021-07-04T19:19:24-04:00", + "exported_at": "2021-10-22T19:19:23+02:00", "name": "Vanilla Minecraft", "author": "support@pterodactyl.io", "description": "Minecraft is a game about placing blocks and going on adventures. Explore randomly generated worlds and build amazing things from the simplest of homes to the grandest of castles. Play in Creative Mode with unlimited resources or mine deep in Survival Mode, crafting weapons and armor to fend off dangerous mobs. Do all this alone or with friends.", @@ -20,7 +20,7 @@ "file_denylist": [], "startup": "java -Xms128M -Xmx{{SERVER_MEMORY}}M -jar {{SERVER_JARFILE}}", "config": { - "files": "{\r\n \"server.properties\": {\r\n \"parser\": \"properties\",\r\n \"find\": {\r\n \"server-ip\": \"0.0.0.0\",\r\n \"enable-query\": \"true\",\r\n \"server-port\": \"{{server.build.default.port}}\"\r\n }\r\n }\r\n}", + "files": "{\r\n \"server.properties\": {\r\n \"parser\": \"properties\",\r\n \"find\": {\r\n \"server-ip\": \"0.0.0.0\",\r\n \"server-port\": \"{{server.build.default.port}}\",\r\n \"query.port\": \"{{server.build.default.port}}\"\r\n }\r\n }\r\n}", "startup": "{\r\n \"done\": \")! For help, type \"\r\n}", "logs": "{\r\n \"custom\": false,\r\n \"location\": \"logs\/latest.log\"\r\n}", "stop": "stop"