From 510d46289bf783f4f84a2c45f6df1c4f4018e5d2 Mon Sep 17 00:00:00 2001
From: Dane Everitt
Date: Fri, 25 Dec 2020 15:06:17 -0800
Subject: [PATCH] security: don't reveal wings version in remote API calls
---
 router/downloader/downloader.go | 6 ++----
 router/router_transfer.go | 2 +-
 2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/router/downloader/downloader.go b/router/downloader/downloader.go
index 905bdd2..fc5f054 100644
--- a/router/downloader/downloader.go
+++ b/router/downloader/downloader.go
@@ -4,10 +4,8 @@ import (
 "context"
 "emperror.dev/errors"
 "encoding/json"
- "fmt"
 "github.com/google/uuid"
 "github.com/pterodactyl/wings/server"
- "github.com/pterodactyl/wings/system"
 "io"
 "net/http"
 "net/url"
@@ -111,8 +109,8 @@ func (dl *Download) Execute() error {
 defer dl.Cancel()
 req, _ := http.NewRequestWithContext(ctx, http.MethodGet, dl.req.URL.String(), nil)
- req.Header.Set("User-Agent", fmt.Sprintf("Pterodactyl Panel (Wings v%s) (https://pterodactyl.io)", system.Version))
- res, err := client.Do(req)
+ req.Header.Set("User-Agent", "Pterodactyl Panel (https://pterodactyl.io)")
+ res, err := client.Do(req) // lgtm[go/request-forgery]
 if err != nil {
 return errors.New("downloader: failed opening request to download file")
 }
diff --git a/router/router_transfer.go b/router/router_transfer.go
index b0f1a1d..2a1fb46 100644
--- a/router/router_transfer.go
+++ b/router/router_transfer.go
@@ -213,7 +213,7 @@ func (str serverTransferRequest) downloadArchive() (*http.Response, error) {
 return nil, err
 }
 req.Header.Set("Authorization", str.Token)
- res, err := client.Do(req)
+ res, err := client.Do(req) // lgtm[go/request-forgery]
 if err != nil {
 return nil, err
 }
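Review bot: The `// lgtm[go/request-forgery]` marker added on `client.Do(req)` in Execute silences the request-forgery alert without recording why the request is safe, and the commit subject does not mention the suppression at all. The request target is `dl.req.URL.String()`, and nothing in this hunk shows the destination being restricted (scheme, loopback or internal addresses, redirect targets); such a check may exist elsewhere, since Execute starts and ends outside the hunk. I would state the reason on the line above the call, e.g. `// SSRF alert suppressed: destination is validated in <validation site> before Execute runs`, or leave the alert open until that check exists. The same applies to the identical suppression in downloadArchive in router/router_transfer.go, where the request additionally carries `str.Token` in the Authorization header, so the justification there should also say who controls the transfer URL.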