From b811d2474e3f4c06c81e521c803b164c5d20edc6 Mon Sep 17 00:00:00 2001
From: Matthew Penner
Date: Fri, 31 Jul 2020 16:19:09 -0600
Subject: [PATCH 1/2] Add the ability to define additional allowed origins
---
 config/config.go | 3 +++
 router/middleware.go | 16 +++++++++++++++-
 router/websocket/websocket.go | 15 ++++++++++++++-
 server/environment_docker.go | 6 +++---
 server/update.go | 4 ++--
 5 files changed, 37 insertions(+), 7 deletions(-)
diff --git a/config/config.go b/config/config.go
index 4ceef36..0aeb3a8 100644
--- a/config/config.go
+++ b/config/config.go
@@ -83,6 +83,9 @@ type Configuration struct {
 // AllowedMounts .
 AllowedMounts []string `json:"allowed_mounts" yaml:"allowed_mounts"`
+
+ // AllowedOrigins .
+ AllowedOrigins []string `json:"allowed_origins" yaml:"allowed_origins"`
 }
 // Defines the configuration of the internal SFTP server.
diff --git a/router/middleware.go b/router/middleware.go
index 102d1aa..1a4d013 100644
--- a/router/middleware.go
+++ b/router/middleware.go
@@ -11,8 +11,22 @@ import (
 // Set the access request control headers on all of the requests.
 func SetAccessControlHeaders(c *gin.Context) {
- c.Header("Access-Control-Allow-Origin", config.Get().PanelLocation)
 c.Header("Access-Control-Allow-Headers", "Accept, Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization")
+
+ o := c.GetHeader("Origin")
+ if o != config.Get().PanelLocation {
+ for _, origin := range config.Get().AllowedOrigins {
+ if o != origin {
+ continue
+ }
+
+ c.Header("Access-Control-Allow-Origin", origin)
+ c.Next()
+ return
+ }
+ }
+
+ c.Header("Access-Control-Allow-Origin", config.Get().PanelLocation)
 c.Next()
 }
diff --git a/router/websocket/websocket.go b/router/websocket/websocket.go
index 5b0cf3c..d14caa6 100644
--- a/router/websocket/websocket.go
+++ b/router/websocket/websocket.go
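Review bot: In router/middleware.go, SetAccessControlHeaders now picks the Access-Control-Allow-Origin value from the request's Origin header but sends no `Vary: Origin`, so a browser or intermediary cache that stores a response could replay it with the header chosen for a different origin. Adding `c.Header("Vary", "Origin")` next to the Access-Control-Allow-Headers line would cover both branches. The same exact-match walk over AllowedOrigins is repeated in CheckOrigin in router/websocket/websocket.go; one shared helper used by both would keep the CORS and websocket decisions from drifting apart. The loop body would also read more directly as `if o == origin { ... }` than as `continue` followed by the match case.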
@@ -57,7 +57,20 @@ func GetHandler(s *server.Server, w http.ResponseWriter, r *http.Request) (*Hand
 // Ensure that the websocket request is originating from the Panel itself,
 // and not some other location.
 CheckOrigin: func(r *http.Request) bool {
- return r.Header.Get("Origin") == config.Get().PanelLocation
+ o := r.Header.Get("Origin")
+ if o == config.Get().PanelLocation {
+ return true
+ }
+
+ for _, origin := range config.Get().AllowedOrigins {
+ if o != origin {
+ continue
+ }
+
+ return true
+ }
+
+ return false
 },
 }
diff --git a/server/environment_docker.go b/server/environment_docker.go
index fd2dda6..d339944 100644
--- a/server/environment_docker.go
+++ b/server/environment_docker.go
@@ -364,7 +364,7 @@ func (d *DockerEnvironment) Restart() error {
 }
 // Check if the server is currently running the restart process by checking if there is a semaphore
-// allocated, and if so, if we can aquire a lock on it.
+// allocated, and if so, if we can acquire a lock on it.
 func (d *DockerEnvironment) IsRestarting() bool {
 if d.restartSem == nil {
 return false
@@ -469,7 +469,7 @@ func (d *DockerEnvironment) ExitState() (uint32, bool, error) {
 //
 // However, someone reported an error in Discord about this scenario happening,
 // so I guess this should prevent it? They didn't tell me how they caused it though
- // so thats a mystery that will have to go unsolved.
+ // so that's a mystery that will have to go unsolved.
 //
 // @see https://github.com/pterodactyl/panel/issues/2003
 if client.IsErrNotFound(err) {
@@ -928,7 +928,7 @@ func (d *DockerEnvironment) portBindings() nat.PortMap {
 for ip, ports := range d.Server.Config().Allocations.Mappings {
 for _, port := range ports {
 // Skip over invalid ports.
- if port < 0 || port > 65535 {
+ if port < 1 || port > 65535 {
 continue
 }
diff --git a/server/update.go b/server/update.go
index 7ab63ba..91ff032 100644
--- a/server/update.go
+++ b/server/update.go
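Review bot: The comment above CheckOrigin in router/websocket/websocket.go still says the request must come from the Panel itself, while the new body also accepts every entry of AllowedOrigins; I would reword it to `// Ensure that the websocket request originates from the Panel or from one of the configured allowed origins.`. Because the match is plain string equality on the raw header, an empty entry in the list (or an empty PanelLocation) lets a request with no Origin header pass. An early `if o == "" { return false }` is worth considering, provided no supported client omits the header, which cannot be confirmed from this hunk. GetHandler starts and continues outside the hunk.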
@@ -30,8 +30,8 @@ func (s *Server) UpdateDataStructure(data []byte, background bool) error {
 // Grab a copy of the configuration to work on.
 c := *s.Config()
- // Lock our copy of the configuration since the defered unlock will end up acting upon this
- // new memory address rather than the old one. If we don't lock this, the defered unlock will
+ // Lock our copy of the configuration since the deferred unlock will end up acting upon this
+ // new memory address rather than the old one. If we don't lock this, the deferred unlock will
 // cause a panic when it goes to run. However, since we only update s.cfg at the end, if there
 // is an error before that point we'll still properly unlock the original configuration for the
 // server.
From 43795a4be39f20a731dba58608b08a15d7de4678 Mon Sep 17 00:00:00 2001
From: Matthew Penner
Date: Fri, 31 Jul 2020 16:21:27 -0600
Subject: [PATCH 2/2] Document config options
---
 config/config.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/config/config.go b/config/config.go
index 0aeb3a8..ca98967 100644
--- a/config/config.go
+++ b/config/config.go
@@ -81,10 +81,13 @@ type Configuration struct {
 // to collect data and send events.
 PanelLocation string `json:"remote" yaml:"remote"`
- // AllowedMounts .
+ // AllowedMounts is a list of allowed host-system mount points.
+ // This is required to have the "Server Mounts" feature work properly.
 AllowedMounts []string `json:"allowed_mounts" yaml:"allowed_mounts"`
- // AllowedOrigins .
+ // AllowedOrigins is a list of allowed request origins.
+ // The Panel URL is automatically allowed, this is only needed for adding
+ // additional origins.
 AllowedOrigins []string `json:"allowed_origins" yaml:"allowed_origins"`
 }
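Review bot: The new AllowedOrigins comment in config/config.go does not say how entries are matched, yet the first patch compares each entry to the Origin header with plain string equality in both SetAccessControlHeaders and the websocket CheckOrigin. I would extend the comment with something like `// Entries are compared exactly against the request's Origin header (scheme, host and port, no trailing slash); wildcards are not expanded.` so an operator does not expect `*` or a trailing-slash URL to match. It is also worth stating that the list governs both the CORS response header and websocket upgrades, since adding an origin widens both. The Configuration struct begins outside the hunk.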