From 96e6c660407947a18d762e0c9c5ebe50e5e8a596 Mon Sep 17 00:00:00 2001 From: Matthew Penner Date: Thu, 2 May 2024 13:22:31 -0600 Subject: [PATCH 1/9] Update README.md --- README.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 068755ecc..d0041a47e 100644 --- a/README.md +++ b/README.md 
@@ -27,14 +27,15 @@ Stop settling for less. Make game servers a first class citizen on your platform I would like to extend my sincere thanks to the following sponsors for helping fund Pterodactyl's development. [Interested in becoming a sponsor?](https://github.com/sponsors/matthewpi) -| Company | About | -|-----------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| [**Aussie Server Hosts**](https://aussieserverhosts.com/) | No frills Australian Owned and operated High Performance Server hosting for some of the most demanding games serving Australia and New Zealand. | -| [**BisectHosting**](https://www.bisecthosting.com/) | BisectHosting provides Minecraft, Valheim and other server hosting services with the highest reliability and lightning fast support since 2012. | -| [**MineStrator**](https://minestrator.com/) | Looking for the most highend French hosting company for your minecraft server? More than 24,000 members on our discord trust us. Give us a try! | -| [**VibeGAMES**](https://vibegames.net/) | VibeGAMES is a game server provider that specializes in DDOS protection for the games we offer. We have multiple locations in the US, Brazil, France, Germany, Singapore, Australia and South Africa. | -| [**HostEZ**](https://hostez.io) | US & EU Rust & Minecraft Hosting. DDoS Protected bare metal, VPS and colocation with low latency, high uptime and maximum availability. EZ! | -| [**Blueprint**](https://blueprint.zip/?pterodactyl=true) | Create and install Pterodactyl addons and themes with the growing Blueprint framework - the package-manager for Pterodactyl. Use multiple modifications at once without worrying about conflicts and make use of the large extension ecosystem. 
| +| Company | About | +|--------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| [**Aussie Server Hosts**](https://aussieserverhosts.com/) | No frills Australian Owned and operated High Performance Server hosting for some of the most demanding games serving Australia and New Zealand. | +| [**BisectHosting**](https://www.bisecthosting.com/) | BisectHosting provides Minecraft, Valheim and other server hosting services with the highest reliability and lightning fast support since 2012. | +| [**MineStrator**](https://minestrator.com/) | Looking for the most highend French hosting company for your minecraft server? More than 24,000 members on our discord trust us. Give us a try! | +| [**VibeGAMES**](https://vibegames.net/) | VibeGAMES is a game server provider that specializes in DDOS protection for the games we offer. We have multiple locations in the US, Brazil, France, Germany, Singapore, Australia and South Africa. | +| [**HostEZ**](https://hostez.io) | US & EU Rust & Minecraft Hosting. DDoS Protected bare metal, VPS and colocation with low latency, high uptime and maximum availability. EZ! | +| [**Blueprint**](https://blueprint.zip/?pterodactyl=true) | Create and install Pterodactyl addons and themes with the growing Blueprint framework - the package-manager for Pterodactyl. Use multiple modifications at once without worrying about conflicts and make use of the large extension ecosystem. | +| [**indifferent broccoli**](https://indifferentbroccoli.com/) | indifferent broccoli is a game server hosting and rental company. With us, you get top-notch computer power for your gaming sessions. We destroy lag, latency, and complexity--letting you focus on the fun stuff. | ### Supported Games 
From b7b2413f3d9e41ec2242fd390df11edcc61c1b11 Mon Sep 17 00:00:00 2001 From: Matthew Penner Date: Thu, 2 May 2024 13:29:25 -0600 Subject: [PATCH 2/9] Update CHANGELOG.md --- CHANGELOG.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3e9e805eb..d9a687281 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,17 @@ This file is a running track of new features and fixes to each version of the pa This project follows [Semantic Versioning](http://semver.org) guidelines. +## v1.11.6 + +### Changed + +* Better node ownership checks for internal backup endpoints +* Improved validation rules on `docker_image` fields to prevent invalid inputs + +### Fixed + +* Multiple XSS vulnerabilities in the admin area ([GHSA-384w-wffr-x63q](https://github.com/pterodactyl/panel/security/advisories/GHSA-384w-wffr-x63q)) + ## v1.11.5 ### Fixed * Rust egg using the wrong Docker image, breaking Rust modding frameworks. From 7bfc265a7ef0b7f8f55b69edb12a8552bfd50a8c Mon Sep 17 00:00:00 2001 From: Matthew Penner Date: Sat, 4 May 2024 16:06:13 -0600 Subject: [PATCH 3/9] api(remote): fix use of missing `node_id` field Fixes #5088 --- .../Backups/BackupRemoteUploadController.php | 19 +++++++++++++------ .../Remote/Backups/BackupStatusController.php | 9 ++++++++- 2 files changed, 21 insertions(+), 7 deletions(-) diff --git a/app/Http/Controllers/Api/Remote/Backups/BackupRemoteUploadController.php b/app/Http/Controllers/Api/Remote/Backups/BackupRemoteUploadController.php index c3bf72662..15fe8d9bd 100644 --- a/app/Http/Controllers/Api/Remote/Backups/BackupRemoteUploadController.php +++ b/app/Http/Controllers/Api/Remote/Backups/BackupRemoteUploadController.php 
@@ -42,15 +42,22 @@ class BackupRemoteUploadController extends Controller throw new BadRequestHttpException('A non-empty "size" query parameter must be provided.'); } - /** @var \Pterodactyl\Models\Backup $backup */ - $backup = Backup::query() - ->where('node_id', $node->id) + /** @var \Pterodactyl\Models\Backup $model */ + $model = Backup::query() ->where('uuid', $backup) ->firstOrFail(); + // Check that the backup is "owned" by the node making the request. This avoids other nodes + // from messing with backups that they don't own. + /** @var \Pterodactyl\Models\Server $server */ + $server = $model->server; + if ($server->node_id !== $node->id) { + throw new HttpForbiddenException('You do not have permission to access that backup.'); + } + // Prevent backups that have already been completed from trying to // be uploaded again. - if (!is_null($backup->completed_at)) { + if (!is_null($model->completed_at)) { throw new ConflictHttpException('This backup is already in a completed state.'); } @@ -61,7 +68,7 @@ class BackupRemoteUploadController extends Controller } // The path where backup will be uploaded to - $path = sprintf('%s/%s.tar.gz', $backup->server->uuid, $backup->uuid); + $path = sprintf('%s/%s.tar.gz', $model->server->uuid, $model->uuid); // Get the S3 client $client = $adapter->getClient(); @@ -99,7 +106,7 @@ class BackupRemoteUploadController extends Controller } // Set the upload_id on the backup in the database. - $backup->update(['upload_id' => $params['UploadId']]); + $model->update(['upload_id' => $params['UploadId']]); return new JsonResponse([ 'parts' => $parts, diff --git a/app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php b/app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php index 75f039d28..7b30e0758 100644 --- a/app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php +++ b/app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php 
@@ -36,10 +36,17 @@ class BackupStatusController extends Controller /** @var \Pterodactyl\Models\Backup $model */ $model = Backup::query() - ->where('node_id', $node->id) ->where('uuid', $backup) ->firstOrFail(); + // Check that the backup is "owned" by the node making the request. This avoids other nodes + // from messing with backups that they don't own. + /** @var \Pterodactyl\Models\Server $server */ + $server = $model->server; + if ($server->node_id !== $node->id) { + throw new HttpForbiddenException('You do not have permission to access that backup.'); + } + if ($model->is_successful) { throw new BadRequestHttpException('Cannot update the status of a backup that is already marked as completed.'); } From 2ffe01967553415ae5c9c48f44bcb6f4bb6ea170 Mon Sep 17 00:00:00 2001 From: Daniel Barton Date: Sun, 5 May 2024 07:16:00 +0800 Subject: [PATCH 4/9] ui(server): support for decompressing .7z files (#5016) --- resources/scripts/api/transformers.ts | 1 + 1 file changed, 1 insertion(+) diff --git a/resources/scripts/api/transformers.ts b/resources/scripts/api/transformers.ts index f2bea86d0..602ac217d 100644 --- a/resources/scripts/api/transformers.ts +++ b/resources/scripts/api/transformers.ts @@ -40,6 +40,7 @@ export const rawDataToFileObject = (data: FractalResponseData): FileObject => ({ 'application/x-xz', // .tar.xz, .xz 'application/zstd', // .tar.zst, .zst 'application/zip', // .zip + 'application/x-7z-compressed', // .7z ].indexOf(this.mimetype) >= 0 ); }, From dbd7f31c41d5d93ae80941a105cd0f13c70347f1 Mon Sep 17 00:00:00 2001 From: Daniel Barton Date: Tue, 7 May 2024 08:50:06 +0800 Subject: [PATCH 5/9] Update Minecraft Eula link (#5090) Co-authored-by: Alan Escarcha --- .../components/server/features/eula/EulaModalFeature.tsx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/resources/scripts/components/server/features/eula/EulaModalFeature.tsx b/resources/scripts/components/server/features/eula/EulaModalFeature.tsx index fd7afe1d4..574a6aac7 100644 --- a/resources/scripts/components/server/features/eula/EulaModalFeature.tsx +++ b/resources/scripts/components/server/features/eula/EulaModalFeature.tsx @@ -72,7 +72,7 @@ const EulaModalFeature = () => { target={'_blank'} css={tw`text-primary-300 underline transition-colors duration-150 hover:text-primary-400`} rel={'noreferrer noopener'} - href='https://account.mojang.com/documents/minecraft_eula' + href='https://www.minecraft.net/eula' > Minecraft® EULA From 049ad838e3c4c47103d4e4be2e817cc5c13a5085 Mon Sep 17 00:00:00 2001 From: Daniel Barton Date: Wed, 8 May 2024 11:52:33 +0800 Subject: [PATCH 6/9] egg(minecraft): add Java 21 to image list (#5093) --- database/Seeders/eggs/minecraft/egg-bungeecord.json | 5 +++-- database/Seeders/eggs/minecraft/egg-forge-minecraft.json | 5 +++-- database/Seeders/eggs/minecraft/egg-paper.json | 5 +++-- .../Seeders/eggs/minecraft/egg-sponge--sponge-vanilla.json | 5 +++-- database/Seeders/eggs/minecraft/egg-vanilla-minecraft.json | 5 +++-- 5 files changed, 15 insertions(+), 10 deletions(-) diff --git a/database/Seeders/eggs/minecraft/egg-bungeecord.json b/database/Seeders/eggs/minecraft/egg-bungeecord.json index 0a9959692..0ecf03ac2 100644 --- a/database/Seeders/eggs/minecraft/egg-bungeecord.json +++ b/database/Seeders/eggs/minecraft/egg-bungeecord.json 
@@ -4,7 +4,7 @@ "version": "PTDL_v2", "update_url": null }, - "exported_at": "2022-06-17T08:10:44+03:00", + "exported_at": "2024-05-07T12:55:57+00:00", "name": "Bungeecord", "author": "support@pterodactyl.io", "description": "For a long time, Minecraft server owners have had a dream that encompasses a free, easy, and reliable way to connect multiple Minecraft servers together. BungeeCord is the answer to said dream. Whether you are a small server wishing to string multiple game-modes together, or the owner of the ShotBow Network, BungeeCord is the ideal solution for you. With the help of BungeeCord, you will be able to unlock your community's full potential.", @@ -14,6 +14,7 @@ "pid_limit" ], "docker_images": { + "Java 21": "ghcr.io\/pterodactyl\/yolks:java_21", "Java 17": "ghcr.io\/pterodactyl\/yolks:java_17", "Java 16": "ghcr.io\/pterodactyl\/yolks:java_16", "Java 11": "ghcr.io\/pterodactyl\/yolks:java_11", @@ -56,4 +57,4 @@ "field_type": "text" } ] -} +} \ No newline at end of file diff --git a/database/Seeders/eggs/minecraft/egg-forge-minecraft.json b/database/Seeders/eggs/minecraft/egg-forge-minecraft.json index 189cafad9..a30a3087c 100644 --- a/database/Seeders/eggs/minecraft/egg-forge-minecraft.json +++ b/database/Seeders/eggs/minecraft/egg-forge-minecraft.json @@ -4,7 +4,7 @@ "version": "PTDL_v2", "update_url": null }, - "exported_at": "2022-11-06T06:33:01-05:00", + "exported_at": "2024-05-07T12:55:56+00:00", "name": "Forge Minecraft", "author": "support@pterodactyl.io", "description": "Minecraft Forge Server. Minecraft Forge is a modding API (Application Programming Interface), which makes it easier to create mods, and also make sure mods are compatible with each other.", @@ -14,6 +14,7 @@ "pid_limit" ], "docker_images": { + "Java 21": "ghcr.io\/pterodactyl\/yolks:java_21", "Java 17": "ghcr.io\/pterodactyl\/yolks:java_17", "Java 16": "ghcr.io\/pterodactyl\/yolks:java_16", "Java 11": "ghcr.io\/pterodactyl\/yolks:java_11", 
@@ -76,4 +77,4 @@ "field_type": "text" } ] -} +} \ No newline at end of file diff --git a/database/Seeders/eggs/minecraft/egg-paper.json b/database/Seeders/eggs/minecraft/egg-paper.json index 8f0011110..cb78f7807 100644 --- a/database/Seeders/eggs/minecraft/egg-paper.json +++ b/database/Seeders/eggs/minecraft/egg-paper.json @@ -4,7 +4,7 @@ "version": "PTDL_v2", "update_url": null }, - "exported_at": "2022-06-17T08:11:30+03:00", + "exported_at": "2024-05-07T12:55:55+00:00", "name": "Paper", "author": "parker@pterodactyl.io", "description": "High performance Spigot fork that aims to fix gameplay and mechanics inconsistencies.", @@ -14,6 +14,7 @@ "pid_limit" ], "docker_images": { + "Java 21": "ghcr.io\/pterodactyl\/yolks:java_21", "Java 17": "ghcr.io\/pterodactyl\/yolks:java_17", "Java 16": "ghcr.io\/pterodactyl\/yolks:java_16", "Java 11": "ghcr.io\/pterodactyl\/yolks:java_11", @@ -76,4 +77,4 @@ "field_type": "text" } ] -} +} \ No newline at end of file diff --git a/database/Seeders/eggs/minecraft/egg-sponge--sponge-vanilla.json b/database/Seeders/eggs/minecraft/egg-sponge--sponge-vanilla.json index 61a531ae3..51575f86f 100644 --- a/database/Seeders/eggs/minecraft/egg-sponge--sponge-vanilla.json +++ b/database/Seeders/eggs/minecraft/egg-sponge--sponge-vanilla.json @@ -4,7 +4,7 @@ "version": "PTDL_v2", "update_url": null }, - "exported_at": "2022-06-17T08:11:42+03:00", + "exported_at": "2024-05-07T12:55:54+00:00", "name": "Sponge (SpongeVanilla)", "author": "support@pterodactyl.io", "description": "SpongeVanilla is the SpongeAPI implementation for Vanilla Minecraft.", @@ -14,6 +14,7 @@ "pid_limit" ], "docker_images": { + "Java 21": "ghcr.io\/pterodactyl\/yolks:java_21", "Java 16": "ghcr.io\/pterodactyl\/yolks:java_16", "Java 11": "ghcr.io\/pterodactyl\/yolks:java_11", "Java 8": "ghcr.io\/pterodactyl\/yolks:java_8" @@ -55,4 +56,4 @@ "field_type": "text" } ] -} +} \ No newline at end of file 
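Review bot: in PATCH 6/9, the egg-sponge--sponge-vanilla.json hunk adds `"Java 21"` above a list that has no `"Java 17"` entry (the bungeecord, forge, paper and vanilla eggs each carry 17, 16, 11 and 8), so the SpongeVanilla image list jumps from 21 straight to 16; confirm that leaving 17 out of this egg is intentional rather than an export of a stale egg. The same patch also drops the trailing newline from every exported file (`-}` / `+}` followed by `\ No newline at end of file` in each hunk), which looks like an exporter artifact; restoring the final newline keeps future re-exports from producing a spurious one-line diff on every egg.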
diff --git a/database/Seeders/eggs/minecraft/egg-vanilla-minecraft.json b/database/Seeders/eggs/minecraft/egg-vanilla-minecraft.json index 19964bccb..71fd16547 100644 --- a/database/Seeders/eggs/minecraft/egg-vanilla-minecraft.json +++ b/database/Seeders/eggs/minecraft/egg-vanilla-minecraft.json @@ -4,7 +4,7 @@ "version": "PTDL_v2", "update_url": null }, - "exported_at": "2022-06-17T08:11:58+03:00", + "exported_at": "2024-05-07T12:55:58+00:00", "name": "Vanilla Minecraft", "author": "support@pterodactyl.io", "description": "Minecraft is a game about placing blocks and going on adventures. Explore randomly generated worlds and build amazing things from the simplest of homes to the grandest of castles. Play in Creative Mode with unlimited resources or mine deep in Survival Mode, crafting weapons and armor to fend off dangerous mobs. Do all this alone or with friends.", @@ -14,6 +14,7 @@ "pid_limit" ], "docker_images": { + "Java 21": "ghcr.io\/pterodactyl\/yolks:java_21", "Java 17": "ghcr.io\/pterodactyl\/yolks:java_17", "Java 16": "ghcr.io\/pterodactyl\/yolks:java_16", "Java 11": "ghcr.io\/pterodactyl\/yolks:java_11", @@ -56,4 +57,4 @@ "field_type": "text" } ] -} +} \ No newline at end of file From a96d87cf23a86b4ea072b0c5b0cba24a9c9a4409 Mon Sep 17 00:00:00 2001 From: Matthew Penner Date: Tue, 7 May 2024 22:12:15 -0600 Subject: [PATCH 7/9] Update README.md --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index d0041a47e..af2332ff3 100644 --- a/README.md +++ b/README.md 
@@ -32,7 +32,6 @@ I would like to extend my sincere thanks to the following sponsors for helping f | [**Aussie Server Hosts**](https://aussieserverhosts.com/) | No frills Australian Owned and operated High Performance Server hosting for some of the most demanding games serving Australia and New Zealand. | | [**BisectHosting**](https://www.bisecthosting.com/) | BisectHosting provides Minecraft, Valheim and other server hosting services with the highest reliability and lightning fast support since 2012. | | [**MineStrator**](https://minestrator.com/) | Looking for the most highend French hosting company for your minecraft server? More than 24,000 members on our discord trust us. Give us a try! | -| [**VibeGAMES**](https://vibegames.net/) | VibeGAMES is a game server provider that specializes in DDOS protection for the games we offer. We have multiple locations in the US, Brazil, France, Germany, Singapore, Australia and South Africa. | | [**HostEZ**](https://hostez.io) | US & EU Rust & Minecraft Hosting. DDoS Protected bare metal, VPS and colocation with low latency, high uptime and maximum availability. EZ! | | [**Blueprint**](https://blueprint.zip/?pterodactyl=true) | Create and install Pterodactyl addons and themes with the growing Blueprint framework - the package-manager for Pterodactyl. Use multiple modifications at once without worrying about conflicts and make use of the large extension ecosystem. | | [**indifferent broccoli**](https://indifferentbroccoli.com/) | indifferent broccoli is a game server hosting and rental company. With us, you get top-notch computer power for your gaming sessions. We destroy lag, latency, and complexity--letting you focus on the fun stuff. | From 3a0b7d13a998cddc87f62839af517777ad21db03 Mon Sep 17 00:00:00 2001 From: Matthew Penner Date: Tue, 7 May 2024 22:13:13 -0600 Subject: [PATCH 8/9] Update CHANGELOG.md --- CHANGELOG.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index d9a687281..4f65904c8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,21 @@ This file is a running track of new features and fixes to each version of the pa This project follows [Semantic Versioning](http://semver.org) guidelines. +## v1.11.7 + +### Added + +* Java 21 to Minecraft eggs + +### Changed + +* Updated Minecraft EULA link + +### Fixed + +* Fixed backups not ever being marked as completed (#5088) +* Fixed `.7z` files not being detected as a compressed file (#5016) + ## v1.11.6 ### Changed From f8dfef04c41edbafbd426357875046c82ac29229 Mon Sep 17 00:00:00 2001 From: Matthew Penner Date: Wed, 8 May 2024 18:08:18 -0600 Subject: [PATCH 9/9] api(remote): fix oops in BackupStatusController, yet again --- .../Controllers/Api/Remote/Backups/BackupStatusController.php | 1 + 1 file changed, 1 insertion(+) diff --git a/app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php b/app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php index 7b30e0758..a7535a9ec 100644 --- a/app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php +++ b/app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php @@ -11,6 +11,7 @@ use Pterodactyl\Exceptions\DisplayException; use Pterodactyl\Http\Controllers\Controller; use Pterodactyl\Extensions\Backups\BackupManager; use Pterodactyl\Extensions\Filesystem\S3Filesystem; +use Pterodactyl\Exceptions\Http\HttpForbiddenException; use Symfony\Component\HttpKernel\Exception\BadRequestHttpException; use Pterodactyl\Http\Requests\Api\Remote\ReportBackupCompleteRequest;
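Review bot: in PATCH 3/9, the first hunk of BackupRemoteUploadController.php throws `HttpForbiddenException`, but no `use Pterodactyl\Exceptions\Http\HttpForbiddenException;` appears in that file's hunks, while PATCH 9/9 has to add exactly that import to BackupStatusController after the fact; confirm the upload controller already imports it, or add the same `use` line, since an unimported class only fails at the moment the throw executes. Two smaller points on the same hunk: the lookup is now `->where('uuid', $backup)->firstOrFail()` with the node check applied afterwards, so a backup owned by another node answers 403 while an unknown uuid answers 404, which lets a requesting node tell foreign-but-existing uuids apart from non-existent ones; returning the not-found response in both cases avoids confirming uuids the node does not own. And `$server = $model->server;` is dereferenced without a null guard, so if a backup row can outlive its server row the check errors instead of denying; `if (!$server || $server->node_id !== $node->id)` fails closed. Comment wording: "This avoids other nodes from messing with" should read "This prevents other nodes from messing with".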
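Review bot: in PATCH 3/9, the BackupStatusController.php hunk repeats the upload controller's ownership block line for line, including the `HttpForbiddenException` throw that this file does not import until PATCH 9/9; moving the check into one shared place (a method on the Backup model or the remote controller base, name left to the author) would have put the import in a single file and keeps the two endpoints from drifting apart the next time the rule changes. The 403-versus-404 distinction noted on the upload controller applies here as well.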
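Review bot: PATCH 4/9 only widens the client-side mimetype allow-list in `rawDataToFileObject` (transformers.ts), so the panel now offers the decompress action for `.7z` files, but nothing else in this series changes the server side; confirm the daemon that performs the extraction accepts `application/x-7z-compressed`, otherwise users are shown an action that fails when used. Style point on the same lines: the allow-list is an array literal matched with `.indexOf(this.mimetype) >= 0` and rebuilt on every call; a module-level `Set` with `.has()` is cheaper and easier to keep in sync with the server's list.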
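Review bot: PATCH 9/9 adds the `HttpForbiddenException` import that the BackupStatusController hunk in PATCH 3/9 needed, so every commit between the two leaves the status route raising a class-not-found error on precisely the path where a node's ownership check fails, which is also the path no test in this series exercises; squashing the import into PATCH 3 removes the broken intermediate state, and a test that posts a status update for a backup owned by a different node would have caught the missing import as well as the regression that #5088 reports. Related, the v1.11.7 CHANGELOG hunk in PATCH 8/9 lists the #5088 fix but not the node-ownership change itself, which operators reading the release notes for the advisory-linked v1.11.6 entry would want to see.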