security: don't reveal wings version in remote API calls

2020-12-25 15:06:17 -08:00 · 2020-12-25 15:06:17 -08:00 · 510d46289b
commit 510d46289b
parent 6e5b14c466
2 changed files with 3 additions and 5 deletions
--- a/router/downloader/downloader.go
+++ b/router/downloader/downloader.go
@ -4,10 +4,8 @@ import (
 	"context"
 	"emperror.dev/errors"
 	"encoding/json"
-	"fmt"
 	"github.com/google/uuid"
 	"github.com/pterodactyl/wings/server"
-	"github.com/pterodactyl/wings/system"
 	"io"
 	"net/http"
 	"net/url"
@ -111,8 +109,8 @@ func (dl *Download) Execute() error {
 	defer dl.Cancel()

 	req, _ := http.NewRequestWithContext(ctx, http.MethodGet, dl.req.URL.String(), nil)
-	req.Header.Set("User-Agent", fmt.Sprintf("Pterodactyl Panel (Wings v%s) (https://pterodactyl.io)", system.Version))
-	res, err := client.Do(req)
+	req.Header.Set("User-Agent", "Pterodactyl Panel (https://pterodactyl.io)")
+	res, err := client.Do(req) // lgtm[go/request-forgery]
 	if err != nil {
 		return errors.New("downloader: failed opening request to download file")
 	}
--- a/router/router_transfer.go
+++ b/router/router_transfer.go
@ -213,7 +213,7 @@ func (str serverTransferRequest) downloadArchive() (*http.Response, error) {
 		return nil, err
 	}
 	req.Header.Set("Authorization", str.Token)
-	res, err := client.Do(req)
+	res, err := client.Do(req) // lgtm[go/request-forgery]
 	if err != nil {
 		return nil, err
 	}