From a2ad23548cc37adefdab4000308f20a42ed597d8 Mon Sep 17 00:00:00 2001 From: Andrew Date: Fri, 17 Jun 2022 19:08:57 -0400 Subject: [PATCH 01/15] Check for Oracle Java before changing start string --- app/classes/shared/server.py | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/app/classes/shared/server.py b/app/classes/shared/server.py index cdd5f796..2463ac2b 100644 --- a/app/classes/shared/server.py +++ b/app/classes/shared/server.py @@ -239,18 +239,22 @@ class ServerInstance: "Detected nebulous java in start command. " "Replacing with full java path." ) - which_java_raw = self.helper.which_java() - java_path = which_java_raw + "\\bin\\java" - if str(which_java_raw) != str(self.helper.get_servers_root_dir) or str( - self.helper.get_servers_root_dir - ) in str(which_java_raw): - self.server_command[0] = java_path - else: - logger.critcal( - "Possible attack detected. User attempted to exec " - "java binary from server directory." + if "/Oracle/Java/" in str(shutil.which("java")): + logger.info( + "Oracle Java detected. Changing start command to avoid re-exec." ) - return + which_java_raw = self.helper.which_java() + java_path = which_java_raw + "\\bin\\java" + if str(which_java_raw) != str(self.helper.get_servers_root_dir) or str( + self.helper.get_servers_root_dir + ) in str(which_java_raw): + self.server_command[0] = java_path + else: + logger.critcal( + "Possible attack detected. User attempted to exec " + "java binary from server directory." + ) + return self.server_path = Helpers.get_os_understandable_path(self.settings["path"]) # let's do some quick checking to make sure things actually exists From 9bbf316494f74dc2a6eaf8de18ced9908a60031a Mon Sep 17 00:00:00 2001 From: Andrew Date: Fri, 17 Jun 2022 19:11:03 -0400 Subject: [PATCH 02/15] Check for Oracle Java before changing start string --- app/classes/shared/server.py | 1 + 1 file changed, 1 insertion(+) 
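Review bot: The re-indented guard still only treats an exact match as an attack: in `str(which_java_raw) != str(self.helper.get_servers_root_dir) or str(self.helper.get_servers_root_dir) in str(which_java_raw)` the first comparison is true for any path that is not literally the servers root, and `or` short-circuits, so a java binary placed anywhere under the server directory is accepted; the intent reads as `if str(self.helper.get_servers_root_dir) not in str(which_java_raw):` for the allowed branch, with the critical log otherwise. The failure branch calls `logger.critcal`, which is not a method of a standard `logging.Logger` (unless `logger` is a custom wrapper), so the "possible attack" path would raise AttributeError instead of logging and returning. The new `"/Oracle/Java/" in str(shutil.which("java"))` test uses forward slashes, but on Windows, the platform where the `\\bin\\java` replacement applies, `shutil.which` returns backslash-separated paths, so the branch may never be taken; normalize separators (or compare against `Path(...).parts`) before matching. The enclosing method starts before the hunk.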
diff --git a/app/classes/shared/server.py b/app/classes/shared/server.py index 2463ac2b..93b83459 100644 --- a/app/classes/shared/server.py +++ b/app/classes/shared/server.py @@ -239,6 +239,7 @@ class ServerInstance: "Detected nebulous java in start command. " "Replacing with full java path." ) + # Checks for Oracle Java. Only Oracle Java's helper will cause a re-exec. if "/Oracle/Java/" in str(shutil.which("java")): logger.info( "Oracle Java detected. Changing start command to avoid re-exec." From aac3a84ab827cf1a3ec93422096181cef97fc6e9 Mon Sep 17 00:00:00 2001 From: Andrew Date: Fri, 17 Jun 2022 20:03:42 -0400 Subject: [PATCH 03/15] Update changelog.md --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f9f61e90..9410043a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,10 @@ TBD ### Tweaks TBD +## [4.0.2-hotfix2] - 2022/06/17 + +### Crit Bug fixes +Ammend Java system variable fix to be more specfic since they only affect Oracle. ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/364)) ## [4.0.2-hotfix1] - 2022/06/17 From fd0da1ef203ab4a43990e944570ae4a88c6b0868 Mon Sep 17 00:00:00 2001 From: Andrew Date: Sat, 18 Jun 2022 16:20:57 -0400 Subject: [PATCH 04/15] Fix any user can recieve all api keys --- app/classes/web/panel_handler.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/app/classes/web/panel_handler.py b/app/classes/web/panel_handler.py index bb44138f..4f6dfe87 100644 --- a/app/classes/web/panel_handler.py +++ b/app/classes/web/panel_handler.py @@ -1926,6 +1926,12 @@ class PanelHandler(BaseHandler): self.redirect("/panel/error?error=Invalid Key ID") return + if key.user_id != exec_user["user_id"]: + self.redirect( + "/panel/error?error=You are not authorized to access this key." + ) + return + self.controller.management.add_to_audit_log( exec_user["user_id"], f"Generated a new API token for the key {key.name} " 
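Review bot: The new ownership check in the token-generation path has no superuser exception (`key.user_id != exec_user["user_id"]` alone), which differs from the add/remove handlers in the later commits of this series that let superusers act on other users' keys; if that difference is unintended, `if key.user_id != exec_user["user_id"] and not exec_user["superuser"]:` keeps the three handlers consistent. "Invalid Key ID" and "You are not authorized to access this key." are also distinguishable responses, so an authenticated user can still confirm which key IDs exist even though the token itself is no longer exposed; returning the same generic error for both closes that oracle. The handler starts before the hunk.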
From 72f97e4ff0cbca33a9c3008aa9fd11283d64474c Mon Sep 17 00:00:00 2001 From: Andrew Date: Sat, 18 Jun 2022 16:55:39 -0400 Subject: [PATCH 05/15] Fix issue where any user could add/remove api keys --- app/classes/web/panel_handler.py | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/app/classes/web/panel_handler.py b/app/classes/web/panel_handler.py index 4f6dfe87..e234c03c 100644 --- a/app/classes/web/panel_handler.py +++ b/app/classes/web/panel_handler.py @@ -1893,6 +1893,13 @@ class PanelHandler(BaseHandler): self.redirect("/panel/error?error=Invalid User ID") return + if user_id != exec_user["user_id"] or not exec_user["superuser"]: + self.redirect( + "/panel/error?error=You do not have access to change" + + "this user's api key." + ) + return + crafty_permissions_mask = self.get_perms() server_permissions_mask = self.get_perms_server() @@ -2148,6 +2155,15 @@ class PanelHandler(BaseHandler): self.redirect("/panel/error?error=Invalid Key ID") return + key_obj = self.controller.users.get_user_api_key(key_id) + + if key_obj.user_id != exec_user["user_id"] or not exec_user["superuser"]: + self.redirect( + "/panel/error?error=You do not have access to change" + + "this user's api key." + ) + return + self.controller.users.delete_user_api_key(key_id) self.controller.management.add_to_audit_log( From 37765dbebc0c65e5511e836abb54eaf11fd5b6fb Mon Sep 17 00:00:00 2001 From: Andrew Date: Sat, 18 Jun 2022 17:02:10 -0400 Subject: [PATCH 06/15] Fix general user can view any api-key page --- app/classes/web/panel_handler.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/app/classes/web/panel_handler.py b/app/classes/web/panel_handler.py index e234c03c..cbb5de0e 100644 --- a/app/classes/web/panel_handler.py +++ b/app/classes/web/panel_handler.py 
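Review bot: Both new guards use `or`, so `user_id != exec_user["user_id"] or not exec_user["superuser"]` rejects every non-superuser, including one managing their own keys, and lets a superuser through only for their own id; the fail-closed rule wanted here is `... and not exec_user["superuser"]`. The error string is assembled as `"You do not have access to change" + "this user's api key."`, which renders as "changethis"; add the trailing space. In the delete hunk, `key_obj = self.controller.users.get_user_api_key(key_id)` is dereferenced without checking the result, so if that helper returns None for an unknown id the `key_obj.user_id` access raises instead of redirecting — worth confirming what it returns for a bad id. Both handlers begin outside the hunks.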
@@ -1058,6 +1058,9 @@ class PanelHandler(BaseHandler): if user_id is None: self.redirect("/panel/error?error=Invalid User ID") return + if user_id != exec_user["user_id"] or not exec_user["superuser"]: + self.redirect("/panel/error?error=Invalid User ID") + return template = "panel/panel_edit_user_apikeys.html" From a8cd982b966ceb5a0ac255e39bc196fd7e39b000 Mon Sep 17 00:00:00 2001 From: Andrew Date: Sat, 18 Jun 2022 17:03:44 -0400 Subject: [PATCH 07/15] Fix warning message --- app/classes/web/panel_handler.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/app/classes/web/panel_handler.py b/app/classes/web/panel_handler.py index cbb5de0e..a59ca8d7 100644 --- a/app/classes/web/panel_handler.py +++ b/app/classes/web/panel_handler.py @@ -1059,7 +1059,9 @@ class PanelHandler(BaseHandler): self.redirect("/panel/error?error=Invalid User ID") return if user_id != exec_user["user_id"] or not exec_user["superuser"]: - self.redirect("/panel/error?error=Invalid User ID") + self.redirect( + "/panel/error?error=You are not authorized to view this page." + ) return template = "panel/panel_edit_user_apikeys.html" From 31097da97164832ccbb77fe774e9f49a87a14f4e Mon Sep 17 00:00:00 2001 From: Andrew Date: Sat, 18 Jun 2022 17:06:44 -0400 Subject: [PATCH 08/15] Fix type issue comparing --- app/classes/web/panel_handler.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/classes/web/panel_handler.py b/app/classes/web/panel_handler.py index a59ca8d7..96053378 100644 --- a/app/classes/web/panel_handler.py +++ b/app/classes/web/panel_handler.py @@ -1058,7 +1058,7 @@ class PanelHandler(BaseHandler): if user_id is None: self.redirect("/panel/error?error=Invalid User ID") return - if user_id != exec_user["user_id"] or not exec_user["superuser"]: + if str(user_id) != str(exec_user["user_id"]) or not exec_user["superuser"]: self.redirect( "/panel/error?error=You are not authorized to view this page." ) 
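Review bot: After the third hunk the condition is still `str(user_id) != str(exec_user["user_id"]) or not exec_user["superuser"]`, which denies every non-superuser the page for their own keys and only lets a superuser view their own; the rule wanted is `and not exec_user["superuser"]`. Comparing with `str()` on both sides is at least safe for a malformed request `id` (a non-numeric value is compared as text and denied), but it hides rather than validates the type mismatch — parsing `user_id` once with `int()` under a ValueError guard that redirects to the existing "Invalid User ID" error would make the contract explicit. The handler starts before the hunk.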
From 478dfdc6efc82d51ab69fcf95e713b9741661224 Mon Sep 17 00:00:00 2001 From: Andrew Date: Sat, 18 Jun 2022 17:18:21 -0400 Subject: [PATCH 09/15] Fix -1 showing on dashboard when offline --- app/classes/minecraft/stats.py | 23 +++++++++++++---------- app/classes/shared/server.py | 4 ++-- 2 files changed, 15 insertions(+), 12 deletions(-) diff --git a/app/classes/minecraft/stats.py b/app/classes/minecraft/stats.py index e2fdfe8f..4b699717 100644 --- a/app/classes/minecraft/stats.py +++ b/app/classes/minecraft/stats.py @@ -130,16 +130,19 @@ class Stats: } @staticmethod - def _try_get_process_stats(process): - try: - return Stats._get_process_stats(process) - except Exception as e: - logger.debug( - f"getting process stats for pid {process.pid} " - "failed due to the following error:", - exc_info=e, - ) - return {"cpu_usage": -1, "memory_usage": -1, "mem_percentage": -1} + def _try_get_process_stats(process, running): + if running: + try: + return Stats._get_process_stats(process) + except Exception as e: + logger.debug( + f"getting process stats for pid {process.pid} " + "failed due to the following error:", + exc_info=e, + ) + return {"cpu_usage": -1, "memory_usage": -1, "mem_percentage": -1} + else: + return {"cpu_usage": 0, "memory_usage": 0, "mem_percentage": 0} @staticmethod def _get_process_stats(process): diff --git a/app/classes/shared/server.py b/app/classes/shared/server.py index cdd5f796..50169647 100644 --- a/app/classes/shared/server.py +++ b/app/classes/shared/server.py @@ -1250,7 +1250,7 @@ class ServerInstance: server_path = server["path"] # process stats - p_stats = Stats._try_get_process_stats(self.process) + p_stats = Stats._try_get_process_stats(self.process, self.check_running()) # TODO: search server properties file for possible override of 127.0.0.1 internal_ip = server["server_ip"] 
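Review bot: In `_try_get_process_stats`, the except branch formats `process.pid` into the log message; if `process` is None (a plausible reason for `_get_process_stats` to fail on a server that has just gone down) that attribute access raises AttributeError inside the handler and the -1 fallback is never returned — the new `running` flag narrows that window but does not close it. Use `getattr(process, "pid", None)` in the message, and consider making the flag keyword-only, `def _try_get_process_stats(process, *, running):`, since a bare positional boolean at the two server.py call sites reads as a mystery argument. Those callers also reach into a leading-underscore static method of another class; a public `get_process_stats` alias would make the intended API explicit.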
@@ -1383,7 +1383,7 @@ class ServerInstance: server_path = server_dt["path"] # process stats - p_stats = Stats._try_get_process_stats(self.process) + p_stats = Stats._try_get_process_stats(self.process, self.check_running()) # TODO: search server properties file for possible override of 127.0.0.1 # internal_ip = server['server_ip'] From 8b6d70ba9a4325d607d6b0a6ee6a230194a294ec Mon Sep 17 00:00:00 2001 From: xithical <86810816+xithical@users.noreply.github.com> Date: Sat, 18 Jun 2022 16:27:06 -0500 Subject: [PATCH 10/15] Fix bug where non-superusers could not edit their own API keys --- app/classes/web/panel_handler.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/app/classes/web/panel_handler.py b/app/classes/web/panel_handler.py index 96053378..cd5d8cf7 100644 --- a/app/classes/web/panel_handler.py +++ b/app/classes/web/panel_handler.py @@ -1058,7 +1058,11 @@ class PanelHandler(BaseHandler): if user_id is None: self.redirect("/panel/error?error=Invalid User ID") return - if str(user_id) != str(exec_user["user_id"]) or not exec_user["superuser"]: + if int(user_id) != exec_user["user_id"] and not exec_user["superuser"]: + print(f"{user_id} {type(user_id)}") + print(f"{exec_user['user_id']} {type(exec_user['user_id'])}") + print(int(user_id) != exec_user["user_id"]) + print((int(user_id) != exec_user["user_id"]) or (not exec_user["superuser"])) self.redirect( "/panel/error?error=You are not authorized to view this page." ) From 464428ea7e1e0d6003355ce6192d84e408948e39 Mon Sep 17 00:00:00 2001 From: xithical <86810816+xithical@users.noreply.github.com> Date: Sat, 18 Jun 2022 16:29:36 -0500 Subject: [PATCH 11/15] Remove erroneous print statements --- app/classes/web/panel_handler.py | 4 ---- 1 file changed, 4 deletions(-) diff --git a/app/classes/web/panel_handler.py b/app/classes/web/panel_handler.py index cd5d8cf7..147b6606 100644 --- a/app/classes/web/panel_handler.py +++ b/app/classes/web/panel_handler.py 
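Review bot: `int(user_id)` in the new condition is applied to a request-supplied value that the preceding check only tests against None, so a non-numeric `id` raises ValueError and surfaces as a server error instead of the redirect. Parse once under a guard — `try: uid = int(user_id)` / `except (TypeError, ValueError): self.redirect("/panel/error?error=Invalid User ID"); return` — and compare `uid` in the condition. The four `print(...)` lines write user ids and the authorization decision to stdout on every denied request; they should be removed or downgraded to `logger.debug` before this lands. The handler starts before the hunk.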
@@ -1059,10 +1059,6 @@ class PanelHandler(BaseHandler): self.redirect("/panel/error?error=Invalid User ID") return if int(user_id) != exec_user["user_id"] and not exec_user["superuser"]: - print(f"{user_id} {type(user_id)}") - print(f"{exec_user['user_id']} {type(exec_user['user_id'])}") - print(int(user_id) != exec_user["user_id"]) - print((int(user_id) != exec_user["user_id"]) or (not exec_user["superuser"])) self.redirect( "/panel/error?error=You are not authorized to view this page." ) From 9569e760c9dfffa0effe9d85eb2e8aa892864e73 Mon Sep 17 00:00:00 2001 From: Andrew Date: Sat, 18 Jun 2022 17:40:50 -0400 Subject: [PATCH 12/15] Fix api key permission logic issue --- app/classes/web/panel_handler.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/app/classes/web/panel_handler.py b/app/classes/web/panel_handler.py index 147b6606..e2e83e23 100644 --- a/app/classes/web/panel_handler.py +++ b/app/classes/web/panel_handler.py @@ -1898,7 +1898,7 @@ class PanelHandler(BaseHandler): self.redirect("/panel/error?error=Invalid User ID") return - if user_id != exec_user["user_id"] or not exec_user["superuser"]: + if str(user_id) != str(exec_user["user_id"]) and not exec_user["superuser"]: self.redirect( "/panel/error?error=You do not have access to change" + "this user's api key." @@ -2162,7 +2162,7 @@ class PanelHandler(BaseHandler): key_obj = self.controller.users.get_user_api_key(key_id) - if key_obj.user_id != exec_user["user_id"] or not exec_user["superuser"]: + if key_obj.user_id != exec_user["user_id"] and not exec_user["superuser"]: self.redirect( "/panel/error?error=You do not have access to change" + "this user's api key." @@ -2178,7 +2178,8 @@ class PanelHandler(BaseHandler): server_id=0, source_ip=self.get_remote_ip(), ) - self.redirect("/panel/panel_config") + self.finish() + self.redirect(f"/panel/edit_user_apikeys?id={key_obj.user_id}") else: self.set_status(404) self.render( 
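Review bot: In the delete handler the new lines call `self.finish()` and then `self.redirect(...)`; if BaseHandler is a Tornado RequestHandler (the `render`/`set_status`/`redirect` API suggests so), `redirect()` after `finish()` raises because the response has already been written, so the key is deleted but the client receives an error instead of the redirect. Drop the `self.finish()` line — `redirect()` finishes the request itself — or move it after the redirect call. The corrected `and not exec_user["superuser"]` guards are right, but the message still concatenates `"...to change" + "this user's api key."` without a space. Both handlers start outside the hunks.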
From c8d88e1b5074e139c40849fd1d5639aa0082c9a4 Mon Sep 17 00:00:00 2001 From: Zedifus Date: Sat, 18 Jun 2022 22:52:02 +0100 Subject: [PATCH 13/15] Bump version & Update latest link --- README.md | 6 +++--- app/config/version.json | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 7334e0e1..19e8fca6 100644 --- a/README.md +++ b/README.md @@ -2,11 +2,11 @@ [![Code style: black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/psf/black) [![Supported Python Versions](https://shields.io/badge/python-3.8%20%7C%203.9%20%7C%203.10%20-blue)](https://www.python.org) -[![Version(temp-hardcoded)](https://img.shields.io/badge/release-v4.0.2--beta-orange)](https://gitlab.com/crafty-controller/crafty-4/-/releases) +[![Version(temp-hardcoded)](https://img.shields.io/badge/release-v4.0.3--beta-orange)](https://gitlab.com/crafty-controller/crafty-4/-/releases) [![Code Quality(temp-hardcoded)](https://img.shields.io/badge/code%20quality-10-brightgreen)](https://gitlab.com/crafty-controller/crafty-4) [![Build Status](https://gitlab.com/crafty-controller/crafty-4/badges/master/pipeline.svg)](https://gitlab.com/crafty-controller/crafty-4/-/commits/master) -# Crafty Controller 4.0.2-beta +# Crafty Controller 4.0.3-beta > Python based Control Panel for your Minecraft Server ## What is Crafty Controller? @@ -39,7 +39,7 @@ With `Crafty Controller 4.0` we have focused on building our DevOps Principles, > __**⚠ 🔻WARNING: [WSL/WSL2 | WINDOWS 11 | DOCKER DESKTOP]🔻**__
BE ADVISED! Upstream is currently broken for Minecraft running on **Docker under WSL/WSL2, Windows 11 / DOCKER DESKTOP!**
On '**Stop**' or '**Restart**' of the MC Server, there is a 90% chance the World's Chunks will be shredded irreparably!
- Please only run Docker on Linux, If you are using Windows we have a portable installs found here: [Latest-Stable](https://gitlab.com/crafty-controller/crafty-4/-/jobs/artifacts/master/download?job=win-prod-build), [Latest-Development](https://gitlab.com/crafty-controller/crafty-4/-/jobs/artifacts/dev/download?job=win-dev-build) + Please only run Docker on Linux, If you are using Windows we have a portable installs found here: [Latest-Stable](https://gitlab.com/crafty-controller/crafty-4/-/releases), [Latest-Development](https://gitlab.com/crafty-controller/crafty-4/-/jobs/artifacts/dev/download?job=win-dev-build) ---- diff --git a/app/config/version.json b/app/config/version.json index 4b9d8e69..0f1b738a 100644 --- a/app/config/version.json +++ b/app/config/version.json @@ -1,6 +1,6 @@ { "major": 4, "minor": 0, - "sub": 2, + "sub": 3, "meta": "beta" } From 51b8165c0e42386f4f83c9405fc206be2b84f23f Mon Sep 17 00:00:00 2001 From: Zedifus Date: Sat, 18 Jun 2022 22:57:12 +0100 Subject: [PATCH 14/15] Rename crafty_commander to crafty Also make win master only run on release: https://gitlab.com/crafty-controller/crafty-4/-/releases --- .gitlab/windows-build.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/.gitlab/windows-build.yml b/.gitlab/windows-build.yml index 75555151..2af1acc2 100644 --- a/.gitlab/windows-build.yml +++ b/.gitlab/windows-build.yml @@ -21,7 +21,7 @@ win-dev-build: - pyinstaller -F main.py --distpath . --icon app\frontend\static\assets\images\Crafty_4-0_Logo_square.ico - --name "crafty_commander" + --name "crafty" --paths .venv\Lib\site-packages --hidden-import cryptography --hidden-import cffi @@ -37,7 +37,7 @@ win-dev-build: name: "crafty-${CI_RUNNER_TAGS}-${CI_COMMIT_BRANCH}_${CI_COMMIT_SHORT_SHA}" paths: - app\ - - .\crafty_commander.exe + - .\crafty.exe exclude: - app\classes\**\* 
@@ -49,7 +49,6 @@ win-prod-build: paths: - .venv/ rules: - - if: "$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH" - if: $CI_COMMIT_TAG environment: name: production @@ -63,7 +62,7 @@ win-prod-build: - pyinstaller -F main.py --distpath . --icon app\frontend\static\assets\images\Crafty_4-0_Logo_square.ico - --name "crafty_commander" + --name "crafty" --paths .venv\Lib\site-packages --hidden-import cryptography --hidden-import cffi @@ -81,7 +80,7 @@ win-prod-build: name: "crafty-${CI_RUNNER_TAGS}-${CI_COMMIT_BRANCH}_${CI_COMMIT_SHORT_SHA}" paths: - app\ - - .\crafty_commander.exe + - .\crafty.exe expire_in: never exclude: - app\classes\**\* From 27cba00e16ca86704fbdf87910b6a9d82cccaf8b Mon Sep 17 00:00:00 2001 From: Zedifus Date: Sat, 18 Jun 2022 23:03:23 +0100 Subject: [PATCH 15/15] Bump CHANGELOG.md --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a3fb4ebd..8cfa6417 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,7 +7,7 @@ None ### Bug fixes - Amend Java system variable fix to be more specfic since they only affect Oracle. ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/364)) - +- API Token authentication hardening ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/364)) ### Tweaks - Add better error logging for statistic collection ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/359))