From 5bfd564ef43b9956b67ecaff7013f1aeb4e3f252 Mon Sep 17 00:00:00 2001
From: luukas
Date: Sat, 18 Jun 2022 01:27:55 +0300
Subject: [PATCH 1/4] Use with-blocks when opening files
---
 app/classes/shared/helpers.py | 26 ++++++++++++++++----------
 app/classes/shared/server.py | 7 +++----
 2 files changed, 19 insertions(+), 14 deletions(-)
diff --git a/app/classes/shared/helpers.py b/app/classes/shared/helpers.py
index 31273a60..ae5670ea 100644
--- a/app/classes/shared/helpers.py
+++ b/app/classes/shared/helpers.py
@@ -89,7 +89,8 @@ class Helpers:
 @staticmethod
 def check_file_perms(path):
 try:
- open(path, "r", encoding="utf-8").close()
+ with open(path, "r", encoding="utf-8"):
+ pass
 logger.info(f"{path} is readable")
 return True
 except PermissionError:
@@ -425,7 +426,8 @@ class Helpers:
 def check_writeable(path: str):
 filename = os.path.join(path, "tempfile.txt")
 try:
- open(filename, "w", encoding="utf-8").close()
+ with open(filename, "w", encoding="utf-8"):
+ pass
 os.remove(filename)
 logger.info(f"(unknown) is writable")
@@ -510,7 +512,8 @@ class Helpers:
 # ensure the log file is there
 try:
- open(log_file, "a", encoding="utf-8").close()
+ with open(log_file, "a", encoding="utf-8"):
+ pass
 except Exception as e:
 Console.critical(f"Unable to open log file! {e}")
 sys.exit(1)
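Review bot: In the `@@ -425` hunk, check_writeable still probes with a fixed name, so `with open(filename, "w", encoding="utf-8")` truncates any real `tempfile.txt` already present in the directory (following it if it is a symlink) and the `os.remove(filename)` below then deletes it; the context manager fixes the leaked handle but not this. `tempfile.NamedTemporaryFile(dir=path)` creates a uniquely named, exclusively created file and removes it on close, giving the same writability answer without touching existing content; it needs `import tempfile`, which I cannot see in this hunk. The two neighbouring hunks (`@@ -89`, `@@ -510`) are plain open-and-close probes and need nothing beyond the `with` they now use. check_writeable's body continues past the end of the hunk.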
@@ -774,13 +777,15 @@ class Helpers:
 cert.set_version(2)
 cert.sign(k, "sha256")
- f = open(cert_file, "w", encoding="utf-8")
- f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode())
- f.close()
+ with open(cert_file, "w", encoding="utf-8") as cert_file_handle:
+ cert_file_handle.write(
+ crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode()
+ )
- f = open(key_file, "w", encoding="utf-8")
- f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k).decode())
- f.close()
+ with open(key_file, "w", encoding="utf-8") as key_file_handle:
+ key_file_handle.write(
+ crypto.dump_privatekey(crypto.FILETYPE_PEM, k).decode()
+ )
 @staticmethod
 def random_string_generator(size=6, chars=string.ascii_uppercase + string.digits):
@@ -1006,7 +1011,8 @@ class Helpers:
 return False
 try:
- open(jar_path, "wb").write(response.content)
+ with open(jar_path, "wb") as jar_file:
+ jar_file.write(response.content)
 except Exception as e:
 logger.error("Unable to finish executable download. Error: %s", e)
 return False
diff --git a/app/classes/shared/server.py b/app/classes/shared/server.py
index cdd5f796..595e5328 100644
--- a/app/classes/shared/server.py
+++ b/app/classes/shared/server.py
@@ -795,10 +795,9 @@ class ServerInstance:
 self.server_scheduler.remove_job("c_" + str(self.server_id))
 def agree_eula(self, user_id):
- file = os.path.join(self.server_path, "eula.txt")
- f = open(file, "w", encoding="utf-8")
- f.write("eula=true")
- f.close()
+ eula_file = os.path.join(self.server_path, "eula.txt")
+ with open(eula_file, "w", encoding="utf-8") as f:
+ f.write("eula=true")
 self.run_threaded_server(user_id)
 def backup_server(self):
From b4770bc9a0d53445a22cd41d62e4b549090170e4 Mon Sep 17 00:00:00 2001
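Review bot: The new `with open(key_file, "w", encoding="utf-8") as key_file_handle:` in the `@@ -774` hunk still creates the private-key file with whatever mode the process umask yields (commonly world-readable), so the PEM produced by `crypto.dump_privatekey` stays readable by other local users for the file's lifetime; the context manager closes the handle but does not change that. Creating the file with an explicit mode keeps the write otherwise identical: `with open(os.open(key_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w", encoding="utf-8") as key_file_handle:` (`os` is already used elsewhere in this file). The certificate file is public material and can keep the plain `open`. The enclosing method starts above the hunk, so I cannot see whether `key_file` is protected elsewhere, e.g. by a chmod on its directory.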
From: luukas
Date: Sat, 18 Jun 2022 01:30:50 +0300
Subject: [PATCH 2/4] Use indent=4 instead of indent=True
`indent=True` is equivalent to `indent=1` You can test this by executing `'foo' * True`, `'foo' * 1` and `'foo' * 4` in a Python REPL.
---
 app/classes/shared/helpers.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/classes/shared/helpers.py b/app/classes/shared/helpers.py
index ae5670ea..0ad276fc 100644
--- a/app/classes/shared/helpers.py
+++ b/app/classes/shared/helpers.py
@@ -643,7 +643,7 @@ class Helpers:
 session_data = {"pid": pid, "started": now.strftime("%d-%m-%Y, %H:%M:%S")}
 with open(self.session_file, "w", encoding="utf-8") as f:
- json.dump(session_data, f, indent=True)
+ json.dump(session_data, f, indent=4)
 # because this is a recursive function, we will return bytes,
 # and set human readable later
From 4c0363192335ad27947ad83d106fba484eceaccb Mon Sep 17 00:00:00 2001
From: luukas
Date: Sat, 18 Jun 2022 03:09:00 +0300
Subject: [PATCH 3/4] Update CHANGELOG.md
---
 CHANGELOG.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index aee550bc..85cdfd6a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,7 +9,8 @@ TBD
 ### Tweaks
-TBD
+- Use 4 space indentation for the session file.
+- Use with-blocks when opening files to prevent them from being left open
 ## [4.0.2] - 2022/06/16
From d3b1095867c4545785f69ea66d2d68f39cc6cf9f Mon Sep 17 00:00:00 2001
From: amcmanu3
Date: Tue, 21 Jun 2022 16:14:29 -0400
Subject: [PATCH 4/4] Disable backups directory from changing bad paths
---
 app/classes/web/panel_handler.py | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/app/classes/web/panel_handler.py b/app/classes/web/panel_handler.py
index a06fc02a..7cb18be0 100644
--- a/app/classes/web/panel_handler.py
+++ b/app/classes/web/panel_handler.py
@@ -1503,6 +1503,17 @@ class PanelHandler(BaseHandler):
 max_backups = bleach.clean(self.get_argument("max_backups", None))
 server_obj = self.controller.servers.get_server_obj(server_id)
+ if (
+ not backup_path
+ == self.helper.wtol_path(
+ os.path.join(self.helper.backup_path, server_obj.server_uuid)
+ )
+ and self.helper.wtol_path(self.controller.project_root) in backup_path
+ ):
+ self.redirect(
+ "/panel/error?error=Nefarious activities detected."
+ " User attempted to make backup path within Crafty's root."
+ )
 server_obj.backup_path = backup_path
 self.controller.servers.update_server(server_obj)
 self.controller.management.set_backup_config(
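Review bot: The new guard never stops the request: `self.redirect(...)` is not followed by `return`, so execution falls through to `server_obj.backup_path = backup_path` and the two save calls on the context lines below, and the rejected path is persisted anyway (if BaseHandler is a Tornado RequestHandler, redirect() has also already finished the response by then). Two smaller points in the same condition: `not backup_path == …` relies on `not` binding looser than `==` and reads better as `backup_path != …`, and `… in backup_path` is a substring test, so a value that resolves into the project root through `..`, a symlink or a differently-cased prefix is not caught, while a sibling directory whose name merely starts with the root's is. Comparing `os.path.realpath` results with `os.path.commonpath` and returning after the redirect makes the check effective; the rewrite below assumes `wtol_path` only normalizes separators, which I cannot confirm from the hunk. The enclosing handler method starts above the hunk and continues below it, so `backup_path` itself is assigned out of view — presumably from a request argument like `max_backups` just above — in which case an allow-list (only directories under `self.helper.backup_path`) would be stronger than this deny-list.
```python
        server_obj = self.controller.servers.get_server_obj(server_id)
        default_backup_path = self.helper.wtol_path(
            os.path.join(self.helper.backup_path, server_obj.server_uuid)
        )
        # Compare resolved paths rather than substrings so "..", symlinks and
        # trailing separators cannot place a backup inside Crafty's own tree.
        crafty_root = os.path.realpath(self.controller.project_root)
        requested_path = os.path.realpath(backup_path)
        try:
            inside_root = os.path.commonpath([crafty_root, requested_path]) == crafty_root
        except ValueError:  # different drives on Windows: cannot be inside
            inside_root = False
        if backup_path != default_backup_path and inside_root:
            self.redirect(
                "/panel/error?error=Nefarious activities detected."
                " User attempted to make backup path within Crafty's root."
            )
            return
        server_obj.backup_path = backup_path
        # … unchanged: update_server / set_backup_config …
```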