Arguments parsed through shell are now checked by escapeshellarc($var).

Panel administrators will no longer have access to the shell. This includes the developer terminal turning into a Blueprint execute terminal. (something you'll probably never use anyways.)
2023-06-27 21:40:35 +02:00 · 2023-06-27 21:40:35 +02:00 · 46158e6079
commit 46158e6079
parent 75907bd5df
7 changed files with 11 additions and 10 deletions
--- a/app/Http/Controllers/Admin/Extensions/Blueprint/BlueprintExtensionController.php
+++ b/app/Http/Controllers/Admin/Extensions/Blueprint/BlueprintExtensionController.php
@ -44,8 +44,8 @@ class BlueprintExtensionController extends Controller
  public function index(): View
  {
    if($this->bp->dbGet('developer:cmd') != "") {
-      $this->bplib->notify("Console command sent.");
-      $this->bp->dbSet('developer:log', shell_exec("cd /var/www/".$this->placeholderservice->folder().";".$this->bp->dbGet('developer:cmd')));
+      $this->bplib->notify("Execute arguments sent to Blueprint.");
+      $this->bp->dbSet('developer:log', $this->bp->exec($this->bp->dbGet('developer:cmd')));
    };

    if ($this->settings->get('blueprint::panel:id') == "" || $this->bp->version() != $this->settings->get('blueprint::version:cache')) {
--- a/app/Http/Controllers/Admin/ExtensionsController.php
+++ b/app/Http/Controllers/Admin/ExtensionsController.php
@ -23,7 +23,7 @@ class ExtensionsController extends Controller
    public function index(): View
    {
        // Onboarding check.
-        if(shell_exec("cd /var/www/pterodactyl;cat .blueprint/.flags/onboarding.md") == "*blueprint*") {
+        if(shell_exec("cd /var/www/pterodactyl;cat .blueprint/data/internal/db/onboarding") == "*blueprint*") {
            $onboarding = true;
        } else {
            $onboarding = false;
--- a/app/Http/Requests/Admin/Extensions/Blueprint/BlueprintSettingsFormRequest.php
+++ b/app/Http/Requests/Admin/Extensions/Blueprint/BlueprintSettingsFormRequest.php
@ -27,7 +27,7 @@ class BlueprintSettingsFormRequest extends AdminFormRequest
            'placeholder' => 'Placeholder',

            'developer' => 'Developer Mode',
-            'developer:cmd' => 'Developer Command',
+            'developer:cmd' => 'Blueprint Execute Command',

            'telemetry' => 'Telemetry',
        ];
--- a/app/Services/Helpers/BlueprintExtensionLibrary.php
+++ b/app/Services/Helpers/BlueprintExtensionLibrary.php
@ -45,13 +45,13 @@ class BlueprintExtensionLibrary
    */
    public function notify($text) {
        $this->dbSet("blueprint", "notification:text", $text);
-        shell_exec("cd /var/www/".$this->placeholder->folder().";echo \"$text\" > .blueprint/data/internal/db/notification;");
+        shell_exec("cd /var/www/".escapeshellarg($this->placeholder->folder()).";echo \"".escapeshellarg($text)."\" > .blueprint/data/internal/db/notification;");
        return;
    }

    public function notifyAfter($delay, $text) {
        $this->dbSet("blueprint", "notification:text", $text);
-        shell_exec("cd /var/www/".$this->placeholder->folder().";echo \"$text\" > .blueprint/data/internal/db/notification;");
+        shell_exec("cd /var/www/".escapeshellarg($this->placeholder->folder()).";echo \"".escapeshellarg($text)."\" > .blueprint/data/internal/db/notification;");
        header("Refresh:$delay");
        return;
    }
--- a/app/Services/Helpers/BlueprintVariableService.php
+++ b/app/Services/Helpers/BlueprintVariableService.php
@ -47,6 +47,6 @@ class BlueprintVariableService
  }

  public function exec($arg): string|null {
-    return shell_exec("cd /var/www/".$this->blueprintplaceholderservice->folder().";bash blueprint.sh -exec ".$arg);
+    return shell_exec("cd /var/www/".$this->blueprintplaceholderservice->folder().";bash blueprint.sh -exec ".escapeshellarg($arg));
  }
 }
--- a/blueprint.sh
+++ b/blueprint.sh
@ -54,12 +54,13 @@ source .blueprint/lib/db.sh;
 source .blueprint/lib/telemetry.sh;

 # -exec
-if [[ "$1" == *"-exec"* ]]; then
+if [[ "$1" == "-exec" ]]; then
  # Update the telemetry id to argument.
  if [[ $2 == "key" ]]; then
    echo "$3" > .blueprint/data/internal/db/telemetry_id;
+    exit 1;
  fi;
-  exit 1;
+  log "Command not found.";exit 1;
 fi;

 # Function that exits the script after logging a "red" message.
--- a/resources/views/admin/extensions/blueprint/index.blade.php
+++ b/resources/views/admin/extensions/blueprint/index.blade.php
@ -39,7 +39,7 @@
                        <form action="" method="POST">
                            <div class="col-xs-12" style="padding-top:5px;">
                                <input type="text" required name="developer:cmd" id="developer:cmd" value="{{ $bp->dbGet('developer:cmd') }}" class="form-control" style="height:40px;width:100%;"/>
-                                <p class="text-muted small">Be careful with what you run, some commands may end up breaking this page.</p>
+                                <p class="text-muted small">Run a execute command on blueprint.sh, but you'll probably never use this anyways.</p>
                                {{ csrf_field() }}
                                <button type="submit" name="_method" value="PATCH" class="btn btn-gray-alt btn-sm pull-right" style="display:none;">Send</button>
                            </div>