From 18ab2cd76d773b0d14cb77f25e97a787dae67dbc Mon Sep 17 00:00:00 2001
From: Iain Powrie
Date: Fri, 3 Jun 2022 11:42:20 +0000
Subject: [PATCH 1/3] Drop to less permissive mask for bedrock imports

`Owner` of the file (which should be us) can r-w-e `Group` of the file can r-w `World` can do nothing. Sticky bit is still set.
---
 app/classes/shared/main_controller.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/classes/shared/main_controller.py b/app/classes/shared/main_controller.py
index 9040d51f..83918fee 100644
--- a/app/classes/shared/main_controller.py
+++ b/app/classes/shared/main_controller.py
@@ -682,7 +682,7 @@ class Controller:
 )
 if os.name != "nt":
 if Helpers.check_file_exists(full_jar_path):
- os.chmod(full_jar_path, 0o2775)
+ os.chmod(full_jar_path, 0o2760)
 return new_id
 
 def import_bedrock_zip_server(
@@ -751,7 +751,7 @@ class Controller:
 )
 if os.name != "nt":
 if Helpers.check_file_exists(full_jar_path):
- os.chmod(full_jar_path, 0o2775)
+ os.chmod(full_jar_path, 0o2760)
 return new_id
 

From ba283692223ec0ef3bd718a0e2789c9ccfe63c3d Mon Sep 17 00:00:00 2001
From: Iain Powrie
Date: Fri, 3 Jun 2022 11:58:43 +0000
Subject: [PATCH 2/3] Bump PyJWT version to resolve `CVE-2022-29217`

---
 requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements.txt b/requirements.txt
index 21f035b5..cf65cd9f 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -11,7 +11,7 @@ peewee==3.13
 pexpect==4.8
 psutil==5.9
 pyOpenSSL==19.1.0
-pyjwt==2.3
+pyjwt==2.4.0
 PyYAML==5.4
 requests==2.26
 termcolor==1.1

From eaecb2f09bc6699e20de72e99a259c5916700bfc Mon Sep 17 00:00:00 2001
From: Zedifus
Date: Fri, 3 Jun 2022 14:05:26 +0100
Subject: [PATCH 3/3] Replace standard pseudo-random generators

Resolves: `Bandit ID B311` [Standard pseudo-random generators are not suitable for security/cryptographic purposes.]
---
 app/classes/shared/helpers.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

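Review bot: The `0o2000` bit kept in `os.chmod(full_jar_path, 0o2760)` is setgid, not the sticky bit the commit message describes (that is `0o1000`), and on a regular file whose group triple has the execute bit cleared — exactly the `rw-` this mode sets — older Linux kernels on a `mand`-mounted filesystem read setgid as the mandatory-locking marker rather than as set-group-ID, so the bit almost certainly does nothing intended here. If it is not deliberately needed, `os.chmod(full_jar_path, 0o0760)` states the intent plainly, and `0o0750` is tighter still if group members should not be able to modify the imported file. Whether owner-execute is required depends on what `full_jar_path` actually points at for a bedrock import (a native server binary needs it, a jar does not), which this hunk does not show. The enclosing method starts outside the hunk, and the identical change appears again in the second hunk of this file.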
diff --git a/app/classes/shared/helpers.py b/app/classes/shared/helpers.py
index 51916ecd..167576ce 100644
--- a/app/classes/shared/helpers.py
+++ b/app/classes/shared/helpers.py
@@ -8,7 +8,7 @@ import uuid
 import string
 import base64
 import socket
-import random
+import secrets
 import logging
 import html
 import zipfile
@@ -722,8 +722,8 @@ class Helpers:
 # create a self-signed cert
 cert = crypto.X509()
 cert.get_subject().C = "US"
- cert.get_subject().ST = "Georgia"
- cert.get_subject().L = "Atlanta"
+ cert.get_subject().ST = "Michigan"
+ cert.get_subject().L = "Kent County"
 cert.get_subject().O = "Crafty Controller"
 cert.get_subject().OU = "Server Ops"
 cert.get_subject().CN = gethostname()
@@ -743,7 +743,7 @@ class Helpers:
 b"basicConstraints", True, b"CA:false"
 )
 cert.add_extensions([subject_alt_names_ext, basic_constraints_ext])
- cert.set_serial_number(random.randint(1, 255))
+ cert.set_serial_number(secrets.randbelow(254) + 1)
 cert.gmtime_adj_notBefore(0)
 cert.gmtime_adj_notAfter(365 * 24 * 60 * 60)
 cert.set_issuer(cert.get_subject())
@@ -766,7 +766,7 @@ class Helpers:
 random_generator() = G8sjO2
 random_generator(3, abcdef) = adf
 """
- return "".join(random.choice(chars) for x in range(size))
+ return "".join(secrets.choice(chars) for x in range(size))
 
 @staticmethod
 def is_os_windows():
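Review bot: The change of the subject fields to `cert.get_subject().ST = "Michigan"` and `cert.get_subject().L = "Kent County"` has nothing to do with the Bandit B311 finding the commit message says it resolves and is not mentioned there, so it should be split into its own commit or at least recorded in the message so the reason for the new values is traceable. The method that builds this certificate starts before the hunk and continues after it.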
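Review bot: `cert.set_serial_number(secrets.randbelow(254) + 1)` still draws the serial from only 1–254, so switching to `secrets` buys nothing: with eight bits of serial a regenerated self-signed certificate will frequently repeat an issuer/serial pair, which TLS clients that cache certificates by issuer and serial reject (Firefox's reused-issuer-and-serial error is the usual symptom). RFC 5280 allows a positive integer of up to 20 octets and the CA/Browser Forum baseline expects at least 64 bits of CSPRNG output, so `cert.set_serial_number(secrets.randbits(64) + 1)` is the one-line fix and keeps the value positive and non-zero. Note also that the new expression tops out at 254 whereas `random.randint(1, 255)` included 255 — harmless, but an unflagged change; `secrets.randbelow(255) + 1` would have been the exact equivalent. The enclosing method starts and ends outside the hunk.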
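Review bot: The docstring above `return "".join(secrets.choice(chars) for x in range(size))` should say where the characters now come from, since nothing in the name `random_generator` tells a caller it is safe for tokens or passwords; a line such as `Each character is drawn with secrets.choice, so the result is suitable for tokens and passwords.` makes that contract explicit. The unused loop variable is conventionally `_`: `return "".join(secrets.choice(chars) for _ in range(size))`. Behaviour on an empty `chars` is unchanged — `secrets.choice` raises `IndexError` just as `random.choice` did, which is worth a "Raises" line in the same docstring. The function's signature and the start of its docstring are outside the hunk.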