Merge branch 'tweak/java-version-retention' into 'dev'

Fix sec bug with server creation roles/Java Version Select improvements

See merge request crafty-controller/crafty-4!376
This commit is contained in:
Andrew 2022-06-21 19:17:35 +00:00
commit e727e6662a
5 changed files with 70 additions and 14 deletions

View File

@ -8,6 +8,7 @@
### Bug fixes ### Bug fixes
- Backup/Config.json rework for API key hardening ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/369)) - Backup/Config.json rework for API key hardening ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/369))
- Fix stack on ping result being falsy ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/371)) - Fix stack on ping result being falsy ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/371))
- Fix sec bug with server creation roles ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/376))
### Tweaks ### Tweaks
- Spelling mistake fixed in German lang file ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/370)) - Spelling mistake fixed in German lang file ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/370))
- Backup failure warning (Tab text goes red) ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/373)) - Backup failure warning (Tab text goes red) ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/373))

View File

@ -633,6 +633,17 @@ class PanelHandler(BaseHandler):
) )
return return
page_data["java_versions"] = Helpers.find_java_installs() page_data["java_versions"] = Helpers.find_java_installs()
server_obj: Servers = self.controller.servers.get_server_obj(server_id)
page_java = []
page_data["java_versions"].append("java")
for version in page_data["java_versions"]:
if os.name == "nt":
page_java.append(version)
else:
if len(version) > 0:
page_java.append(version)
page_data["java_versions"] = page_java
if subpage == "files": if subpage == "files":
if ( if (
@ -1369,12 +1380,37 @@ class PanelHandler(BaseHandler):
server_id = self.check_server_id() server_id = self.check_server_id()
if server_id is None: if server_id is None:
return return
execution_list = shlex.split(execution_command)
if java_selection: if java_selection:
if self.helper.is_os_windows(): try:
execution_list[0] = '"' + java_selection + '/bin/java"' execution_list = shlex.split(execution_command)
except ValueError:
self.redirect(
"/panel/error?error=Invalid execution command. Java path"
" must be surrounded by quotes."
" (Are you missing a closing quote?)"
)
if not any(
java_selection in path for path in Helpers.find_java_installs()
):
self.redirect(
"/panel/error?error=Attack attempted."
+ " A copy of this report is being sent to server owner."
)
self.controller.management.add_to_audit_log_raw(
exec_user["username"],
exec_user["user_id"],
server_id,
f"Attempted to send bad java path for {server_id}."
+ " Possible attack. Act accordingly.",
self.get_remote_ip(),
)
if java_selection != "java":
if self.helper.is_os_windows():
execution_list[0] = '"' + java_selection + '/bin/java"'
else:
execution_list[0] = '"' + java_selection + '"'
else: else:
execution_list[0] = '"' + java_selection + '"' execution_list[0] = "java"
execution_command = "" execution_command = ""
for item in execution_list: for item in execution_list:
execution_command += item + " " execution_command += item + " "
@ -1407,7 +1443,7 @@ class PanelHandler(BaseHandler):
server_obj.path = server_obj.path server_obj.path = server_obj.path
server_obj.log_path = server_obj.log_path server_obj.log_path = server_obj.log_path
server_obj.executable = server_obj.executable server_obj.executable = server_obj.executable
server_obj.execution_command = server_obj.execution_command server_obj.execution_command = execution_command
server_obj.server_ip = server_obj.server_ip server_obj.server_ip = server_obj.server_ip
server_obj.server_port = server_obj.server_port server_obj.server_port = server_obj.server_port
server_obj.executable_update_url = server_obj.executable_update_url server_obj.executable_update_url = server_obj.executable_update_url

View File

@ -17,6 +17,15 @@ logger = logging.getLogger(__name__)
class ServerHandler(BaseHandler): class ServerHandler(BaseHandler):
def get_user_roles(self):
user_roles = {}
for user_id in self.controller.users.get_all_user_ids():
user_roles_list = self.controller.users.get_user_roles_names(user_id)
# user_servers =
# self.controller.servers.get_authorized_servers(user.user_id)
user_roles[user_id] = user_roles_list
return user_roles
@tornado.web.authenticated @tornado.web.authenticated
def get(self, page): def get(self, page):
( (
@ -283,7 +292,7 @@ class ServerHandler(BaseHandler):
if not superuser: if not superuser:
user_roles = self.controller.roles.get_all_roles() user_roles = self.controller.roles.get_all_roles()
else: else:
user_roles = self.controller.roles.get_all_roles() user_roles = self.get_user_roles()
server = bleach.clean(self.get_argument("server", "")) server = bleach.clean(self.get_argument("server", ""))
server_name = bleach.clean(self.get_argument("server_name", "")) server_name = bleach.clean(self.get_argument("server_name", ""))
min_mem = bleach.clean(self.get_argument("min_memory", "")) min_mem = bleach.clean(self.get_argument("min_memory", ""))

View File

@ -79,18 +79,22 @@
placeholder="{{ translate('serverConfig', 'serverExecutable', data['lang']) }}" required> placeholder="{{ translate('serverConfig', 'serverExecutable', data['lang']) }}" required>
</div> </div>
{% end %} {% end %}
{% if data['server_stats']['server_type'] == "minecraft-java" %}
<div class="form-group"> <div class="form-group">
<label for="java_selection">{{ translate('serverConfig', 'javaVersion', data['lang']) }} <small <label for="java_selection">{{ translate('serverConfig', 'javaVersion', data['lang']) }}
class="text-muted ml-1"> - {{ translate('serverConfig', 'javaVersionDesc', data['lang']) <small class="text-muted ml-1">{{ translate('serverConfig', 'javaVersionDesc', data['lang']) }}</small>
}}</small> </label> </label>
<select class="form-select form-control form-control-lg select-css" id="java_selection" <select class="form-select form-control form-control-lg select-css" id="java_selection"
name="java_selection" form="config_form"> name="java_selection" form="config_form">
<option value="">{{ translate('serverConfig', 'javaNoChange', data['lang'])}}</option> <option value="">{{ translate('serverConfig',
'javaNoChange', data['lang'])}}</option>
{% for path in data['java_versions'] %} {% for path in data['java_versions'] %}
<option value="{{path}}">{{path}}</option> <option value="{{path}}">{{path}}</option>
{% end %} {% end %}
</select> </select>
</div> </div>
{% end %}
{% if data['super_user'] %} {% if data['super_user'] %}
<div class="form-group"> <div class="form-group">
<label for="execution_command">{{ translate('serverConfig', 'serverExecutionCommand', data['lang']) }} <label for="execution_command">{{ translate('serverConfig', 'serverExecutionCommand', data['lang']) }}
@ -100,6 +104,12 @@
value="{{ data['server_stats']['server_id']['execution_command'] }}" value="{{ data['server_stats']['server_id']['execution_command'] }}"
placeholder="{{ translate('serverConfig', 'serverExecutionCommand', data['lang']) }}" required> placeholder="{{ translate('serverConfig', 'serverExecutionCommand', data['lang']) }}" required>
</div> </div>
{% else %}
<label for="execution_command">{{ translate('serverConfig', 'serverExecutionCommand', data['lang']) }}
<div class="card-header header-sm d-flex justify-content-between align-items-center">
<span style="color: gray;">{{ data['server_stats']['server_id']['execution_command'] }}</span> 🔒
</div>
<br>
{% end %} {% end %}
<div class="form-group"> <div class="form-group">
@ -386,4 +396,4 @@
</script> </script>
{% end %} {% end %}

View File

@ -302,7 +302,7 @@
"serverExecutable": "Server Executable", "serverExecutable": "Server Executable",
"serverExecutableDesc": "The server's executable file", "serverExecutableDesc": "The server's executable file",
"javaVersion": "Override current Java Version", "javaVersion": "Override current Java Version",
"javaVersionDesc": "If we've been able to find local java installs. (Windows 'Oracle' only)", "javaVersionDesc": "If you're going to override java. Make sure your current java path in 'execution command' is wrapped in quotes (default 'java' variable excluded)",
"javaNoChange": "Do Not Override", "javaNoChange": "Do Not Override",
"serverExecutionCommand": "Server Execution Command", "serverExecutionCommand": "Server Execution Command",
"serverExecutionCommandDesc": "What will be launched in a hidden terminal", "serverExecutionCommandDesc": "What will be launched in a hidden terminal",
@ -534,4 +534,4 @@
"userSettings": "User Settings", "userSettings": "User Settings",
"uses": "Number of uses allowed (-1==No Limit)" "uses": "Number of uses allowed (-1==No Limit)"
} }
} }