Merge branch 'secops/pre-beta-security-fixes' into 'dev'

pre beta release security fixes See merge request crafty-controller/crafty-4!289
2024-08-30 18:23:09 +00:00 · 2022-06-03 15:36:28 +00:00 · 2022-06-03 15:36:28 +00:00 · 3200c72571
commit 3200c72571
parent 2c6b5f88ec eaecb2f09b
3 changed files with 8 additions and 8 deletions
--- a/app/classes/shared/helpers.py
+++ b/app/classes/shared/helpers.py
@ -8,7 +8,7 @@ import uuid
 import string
 import base64
 import socket
-import random
+import secrets
 import logging
 import html
 import zipfile
@ -722,8 +722,8 @@ class Helpers:
        # create a self-signed cert
        cert = crypto.X509()
        cert.get_subject().C = "US"
-        cert.get_subject().ST = "Georgia"
-        cert.get_subject().L = "Atlanta"
+        cert.get_subject().ST = "Michigan"
+        cert.get_subject().L = "Kent County"
        cert.get_subject().O = "Crafty Controller"
        cert.get_subject().OU = "Server Ops"
        cert.get_subject().CN = gethostname()
@ -743,7 +743,7 @@ class Helpers:
            b"basicConstraints", True, b"CA:false"
        )
        cert.add_extensions([subject_alt_names_ext, basic_constraints_ext])
-        cert.set_serial_number(random.randint(1, 255))
+        cert.set_serial_number(secrets.randbelow(254) + 1)
        cert.gmtime_adj_notBefore(0)
        cert.gmtime_adj_notAfter(365 * 24 * 60 * 60)
        cert.set_issuer(cert.get_subject())
@ -766,7 +766,7 @@ class Helpers:
        random_generator() = G8sjO2
        random_generator(3, abcdef) = adf
        """
-        return "".join(random.choice(chars) for x in range(size))
+        return "".join(secrets.choice(chars) for x in range(size))

    @staticmethod
    def is_os_windows():
--- a/app/classes/shared/main_controller.py
+++ b/app/classes/shared/main_controller.py
@ -682,7 +682,7 @@ class Controller:
        )
        if os.name != "nt":
            if Helpers.check_file_exists(full_jar_path):
-                os.chmod(full_jar_path, 0o2775)
+                os.chmod(full_jar_path, 0o2760)
        return new_id

    def import_bedrock_zip_server(
@ -751,7 +751,7 @@ class Controller:
        )
        if os.name != "nt":
            if Helpers.check_file_exists(full_jar_path):
-                os.chmod(full_jar_path, 0o2775)
+                os.chmod(full_jar_path, 0o2760)

        return new_id

--- a/requirements.txt
+++ b/requirements.txt
@ -11,7 +11,7 @@ peewee==3.13
 pexpect==4.8
 psutil==5.9
 pyOpenSSL==19.1.0
-pyjwt==2.3
+pyjwt==2.4.0
 PyYAML==5.4
 requests==2.26
 termcolor==1.1