security: don't reveal wings version in remote API calls

Dane Everitt 2020-12-25 15:06:17 -08:00
parent 6e5b14c466
commit 510d46289b
No known key found for this signature in database
GPG Key ID: EEA66103B3D71F53
2 changed files with 3 additions and 5 deletions


@ -4,10 +4,8 @@ import (
"context"
"emperror.dev/errors"
"encoding/json"
"fmt"
"github.com/google/uuid"
"github.com/pterodactyl/wings/server"
"github.com/pterodactyl/wings/system"
"io"
"net/http"
"net/url"
@ -111,8 +109,8 @@ func (dl *Download) Execute() error {
defer dl.Cancel()
req, _ := http.NewRequestWithContext(ctx, http.MethodGet, dl.req.URL.String(), nil)
req.Header.Set("User-Agent", fmt.Sprintf("Pterodactyl Panel (Wings v%s) (https://pterodactyl.io)", system.Version))
res, err := client.Do(req)
req.Header.Set("User-Agent", "Pterodactyl Panel (https://pterodactyl.io)")
res, err := client.Do(req) // lgtm[go/request-forgery]
if err != nil {
return errors.New("downloader: failed opening request to download file")
}
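Review bot: The `// lgtm[go/request-forgery]` suppression added on `client.Do(req)` in Download.Execute silences the request-forgery alert without recording why the request is safe, and the same bare suppression is added in downloadArchive, where the request also carries `str.Token` in the Authorization header. Neither hunk shows any validation of the destination, and both function bodies extend beyond what is visible, so if a check exists elsewhere the annotation should point at it, e.g. `// destination checked in <validation site>; lgtm[go/request-forgery]`. If that check only inspects the initial URL, confirm that the client's redirect handling (`CheckRedirect`) applies it to each hop as well. Separately, the error from `http.NewRequestWithContext` is still discarded with `_` just above the changed line, so a failed construction leaves `req` nil and the following `req.Header.Set` dereferences it; returning the error there would avoid that.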


@ -213,7 +213,7 @@ func (str serverTransferRequest) downloadArchive() (*http.Response, error) {
return nil, err
}
req.Header.Set("Authorization", str.Token)
res, err := client.Do(req)
res, err := client.Do(req) // lgtm[go/request-forgery]
if err != nil {
return nil, err
}