Merge branch 'tweak/java-version-retention' into 'dev'

Fix sec bug with server creation roles/Java Version Select improvements See merge request crafty-controller/crafty-4!376
2025-01-19 09:45:28 +01:00 · 2022-06-21 19:17:35 +00:00 · 2022-06-21 19:17:35 +00:00 · e727e6662a
commit e727e6662a
parent 44e5d27d88 e5b0c93de7
5 changed files with 70 additions and 14 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -8,6 +8,7 @@
 ### Bug fixes
 - Backup/Config.json rework for API key hardening ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/369))
 - Fix stack on ping result being falsy ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/371))
+- Fix sec bug with server creation roles ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/376))
 ### Tweaks
 - Spelling mistake fixed in German lang file ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/370))
 - Backup failure warning (Tab text goes red) ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/373))
--- a/app/classes/web/panel_handler.py
+++ b/app/classes/web/panel_handler.py
@ -633,6 +633,17 @@ class PanelHandler(BaseHandler):
                        )
                        return
                page_data["java_versions"] = Helpers.find_java_installs()
+                server_obj: Servers = self.controller.servers.get_server_obj(server_id)
+                page_java = []
+                page_data["java_versions"].append("java")
+                for version in page_data["java_versions"]:
+                    if os.name == "nt":
+                        page_java.append(version)
+                    else:
+                        if len(version) > 0:
+                            page_java.append(version)
+
+                page_data["java_versions"] = page_java

            if subpage == "files":
                if (
@ -1369,12 +1380,37 @@ class PanelHandler(BaseHandler):
            server_id = self.check_server_id()
            if server_id is None:
                return
-            execution_list = shlex.split(execution_command)
            if java_selection:
-                if self.helper.is_os_windows():
-                    execution_list[0] = '"' + java_selection + '/bin/java"'
+                try:
+                    execution_list = shlex.split(execution_command)
+                except ValueError:
+                    self.redirect(
+                        "/panel/error?error=Invalid execution command. Java path"
+                        " must be surrounded by quotes."
+                        " (Are you missing a closing quote?)"
+                    )
+                if not any(
+                    java_selection in path for path in Helpers.find_java_installs()
+                ):
+                    self.redirect(
+                        "/panel/error?error=Attack attempted."
+                        + " A copy of this report is being sent to server owner."
+                    )
+                    self.controller.management.add_to_audit_log_raw(
+                        exec_user["username"],
+                        exec_user["user_id"],
+                        server_id,
+                        f"Attempted to send bad java path for {server_id}."
+                        + " Possible attack. Act accordingly.",
+                        self.get_remote_ip(),
+                    )
+                if java_selection != "java":
+                    if self.helper.is_os_windows():
+                        execution_list[0] = '"' + java_selection + '/bin/java"'
+                    else:
+                        execution_list[0] = '"' + java_selection + '"'
                else:
-                    execution_list[0] = '"' + java_selection + '"'
+                    execution_list[0] = "java"
                execution_command = ""
                for item in execution_list:
                    execution_command += item + " "
@ -1407,7 +1443,7 @@ class PanelHandler(BaseHandler):
                server_obj.path = server_obj.path
                server_obj.log_path = server_obj.log_path
                server_obj.executable = server_obj.executable
-                server_obj.execution_command = server_obj.execution_command
+                server_obj.execution_command = execution_command
                server_obj.server_ip = server_obj.server_ip
                server_obj.server_port = server_obj.server_port
                server_obj.executable_update_url = server_obj.executable_update_url
--- a/app/classes/web/server_handler.py
+++ b/app/classes/web/server_handler.py
@ -17,6 +17,15 @@ logger = logging.getLogger(__name__)


 class ServerHandler(BaseHandler):
+    def get_user_roles(self):
+        user_roles = {}
+        for user_id in self.controller.users.get_all_user_ids():
+            user_roles_list = self.controller.users.get_user_roles_names(user_id)
+            # user_servers =
+            # self.controller.servers.get_authorized_servers(user.user_id)
+            user_roles[user_id] = user_roles_list
+        return user_roles
+
    @tornado.web.authenticated
    def get(self, page):
        (
@ -283,7 +292,7 @@ class ServerHandler(BaseHandler):
            if not superuser:
                user_roles = self.controller.roles.get_all_roles()
            else:
-                user_roles = self.controller.roles.get_all_roles()
+                user_roles = self.get_user_roles()
            server = bleach.clean(self.get_argument("server", ""))
            server_name = bleach.clean(self.get_argument("server_name", ""))
            min_mem = bleach.clean(self.get_argument("min_memory", ""))
--- a/app/frontend/templates/panel/server_config.html
+++ b/app/frontend/templates/panel/server_config.html
@ -79,18 +79,22 @@
                    placeholder="{{ translate('serverConfig', 'serverExecutable', data['lang']) }}" required>
                </div>
                {% end %}
+                {% if data['server_stats']['server_type'] == "minecraft-java" %}
                <div class="form-group">
-                  <label for="java_selection">{{ translate('serverConfig', 'javaVersion', data['lang']) }} <small
-                      class="text-muted ml-1"> - {{ translate('serverConfig', 'javaVersionDesc', data['lang'])
-                      }}</small> </label>
+                  <label for="java_selection">{{ translate('serverConfig', 'javaVersion', data['lang']) }}
+                    <small class="text-muted ml-1">{{ translate('serverConfig', 'javaVersionDesc', data['lang']) }}</small>
+                  </label>
                  <select class="form-select form-control form-control-lg select-css" id="java_selection"
                    name="java_selection" form="config_form">
-                    <option value="">{{ translate('serverConfig', 'javaNoChange', data['lang'])}}</option>
+                    <option value="">{{ translate('serverConfig',
+                      'javaNoChange', data['lang'])}}</option>
                    {% for path in data['java_versions'] %}
-                    <option value="{{path}}">{{path}}</option>
+                      <option value="{{path}}">{{path}}</option>
                    {% end %}
                  </select>
                </div>
+                {% end %}
+
                {% if data['super_user'] %}
                <div class="form-group">
                  <label for="execution_command">{{ translate('serverConfig', 'serverExecutionCommand', data['lang']) }}
@ -100,6 +104,12 @@
                    value="{{ data['server_stats']['server_id']['execution_command']  }}"
                    placeholder="{{ translate('serverConfig', 'serverExecutionCommand', data['lang']) }}" required>
                </div>
+                {% else %}
+                <label for="execution_command">{{ translate('serverConfig', 'serverExecutionCommand', data['lang']) }}
+                <div class="card-header header-sm d-flex justify-content-between align-items-center">
+                  <span style="color: gray;">{{ data['server_stats']['server_id']['execution_command']  }}</span> 🔒
+                </div>
+                <br>
                {% end %}

                <div class="form-group">
@ -386,4 +396,4 @@

 </script>

-{% end %}
+{% end %}
--- a/app/translations/en_EN.json
+++ b/app/translations/en_EN.json
@ -302,7 +302,7 @@
        "serverExecutable": "Server Executable",
        "serverExecutableDesc": "The server's executable file",
        "javaVersion": "Override current Java Version",
-        "javaVersionDesc": "If we've been able to find local java installs. (Windows 'Oracle' only)",
+        "javaVersionDesc": "If you're going to override java. Make sure your current java path in 'execution command' is wrapped in quotes (default 'java' variable excluded)",
        "javaNoChange": "Do Not Override",
        "serverExecutionCommand": "Server Execution Command",
        "serverExecutionCommandDesc": "What will be launched in a hidden terminal",
@ -534,4 +534,4 @@
        "userSettings": "User Settings",
        "uses": "Number of uses allowed (-1==No Limit)"
    }
-}
+}