Merge pull request #43 from pterodactyl/impl/2194

Add the ability to define additional allowed origins

config/config.go

@@ -81,8 +81,14 @@ type Configuration struct {
 	// to collect data and send events.
 	PanelLocation string `json:"remote" yaml:"remote"`
 
-	// AllowedMounts .
+	// AllowedMounts is a list of allowed host-system mount points.
+	// This is required to have the "Server Mounts" feature work properly.
 	AllowedMounts []string `json:"allowed_mounts" yaml:"allowed_mounts"`
+
+	// AllowedOrigins is a list of allowed request origins.
+	// The Panel URL is automatically allowed, this is only needed for adding
+	// additional origins.
+	AllowedOrigins []string `json:"allowed_origins" yaml:"allowed_origins"`
 }
 
 // Defines the configuration of the internal SFTP server.

router/middleware.go

@@ -11,8 +11,22 @@ import (
 
 // Set the access request control headers on all of the requests.
 func SetAccessControlHeaders(c *gin.Context) {
-	c.Header("Access-Control-Allow-Origin", config.Get().PanelLocation)
 	c.Header("Access-Control-Allow-Headers", "Accept, Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization")
+
+	o := c.GetHeader("Origin")
+	if o != config.Get().PanelLocation {
+		for _, origin := range config.Get().AllowedOrigins {
+			if o != origin {
+				continue
+			}
+
+			c.Header("Access-Control-Allow-Origin", origin)
+			c.Next()
+			return
+		}
+	}
+
+	c.Header("Access-Control-Allow-Origin", config.Get().PanelLocation)
 	c.Next()
 }
 

router/websocket/websocket.go

@@ -57,7 +57,20 @@ func GetHandler(s *server.Server, w http.ResponseWriter, r *http.Request) (*Hand
 		// Ensure that the websocket request is originating from the Panel itself,
 		// and not some other location.
 		CheckOrigin: func(r *http.Request) bool {
-			return r.Header.Get("Origin") == config.Get().PanelLocation
+			o := r.Header.Get("Origin")
+			if o == config.Get().PanelLocation {
+				return true
+			}
+
+			for _, origin := range config.Get().AllowedOrigins {
+				if o != origin {
+					continue
+				}
+
+				return true
+			}
+
+			return false
 		},
 	}
 

server/environment_docker.go

@@ -364,7 +364,7 @@ func (d *DockerEnvironment) Restart() error {
 }
 
 // Check if the server is currently running the restart process by checking if there is a semaphore
-// allocated, and if so, if we can aquire a lock on it.
+// allocated, and if so, if we can acquire a lock on it.
 func (d *DockerEnvironment) IsRestarting() bool {
 	if d.restartSem == nil {
 		return false
@@ -469,7 +469,7 @@ func (d *DockerEnvironment) ExitState() (uint32, bool, error) {
 		//
 		// However, someone reported an error in Discord about this scenario happening,
 		// so I guess this should prevent it? They didn't tell me how they caused it though
-		// so thats a mystery that will have to go unsolved.
+		// so that's a mystery that will have to go unsolved.
 		//
 		// @see https://github.com/pterodactyl/panel/issues/2003
 		if client.IsErrNotFound(err) {
@@ -928,7 +928,7 @@ func (d *DockerEnvironment) portBindings() nat.PortMap {
 	for ip, ports := range d.Server.Config().Allocations.Mappings {
 		for _, port := range ports {
 			// Skip over invalid ports.
-			if port < 0 || port > 65535 {
+			if port < 1 || port > 65535 {
 				continue
 			}
 

server/update.go

@@ -30,8 +30,8 @@ func (s *Server) UpdateDataStructure(data []byte, background bool) error {
 	// Grab a copy of the configuration to work on.
 	c := *s.Config()
 
-	// Lock our copy of the configuration since the defered unlock will end up acting upon this
-	// new memory address rather than the old one. If we don't lock this, the defered unlock will
+	// Lock our copy of the configuration since the deferred unlock will end up acting upon this
+	// new memory address rather than the old one. If we don't lock this, the deferred unlock will
 	// cause a panic when it goes to run. However, since we only update s.cfg at the end, if there
 	// is an error before that point we'll still properly unlock the original configuration for the
 	// server.