File transfer

This commit is contained in:
2026-06-11 20:33:44 -05:00
parent 2cb1d58264
commit b362357bcb
58 changed files with 5096 additions and 4 deletions

97
docs/SECURITY.md Normal file
View File

@@ -0,0 +1,97 @@
# Security Notes
> **Ball Studios** — https://git.balls.studio/BallStudios/pterodactyl_addon
## Security Architecture
All security controls are **server-side only**. The frontend never makes authorization decisions.
---
## Security Checklist
### Authentication & Authorization
- [x] All API endpoints require authenticated session (`auth:sanctum`)
- [x] Every endpoint checks server ownership (owner, admin, or permitted subuser)
- [x] Role assignment prevents privilege escalation: cannot assign role with higher priority than own
- [x] Admin-only endpoints check `root_admin = true` on the User model
- [x] Effective permission preview is also server-side computed
### Input Validation
- [x] All POST/PUT/PATCH requests use Laravel Form Requests with strict validation
- [x] Permission names validated against known Pterodactyl permission key list
- [x] File paths validated: no absolute paths, no `../` traversal sequences
- [x] Color values validated against hex regex
- [x] Priority values bounded (09999)
### Injection Prevention
- [x] All DB queries use Eloquent/Query Builder — no raw string interpolation
- [x] Console-derived player names sanitized before storage and rendering (strip tags, control chars)
- [x] Command suggestions are server-side generated — user query is never executed
- [x] Storage keys are validated against known prefix before any file operation
### XSS Prevention
- [x] All user-controlled output escaped in React components
- [x] `dangerouslySetInnerHTML` is never used
- [x] Player names from console output are sanitized via regex before cache insert
### CSRF Protection
- [x] All mutating endpoints protected by Laravel's SPA CSRF (Sanctum)
- [x] No state-changing GET endpoints
### SSRF Prevention
- [x] Wings API URLs constructed **only** from trusted Node model data (not user input)
- [x] Server UUID validated against UUID format before inclusion in any URL
- [x] No user-supplied URLs are followed
### Path Traversal Prevention (File Revisions)
- [x] `guardFilePath()` rejects absolute paths and `../` sequences before any operation
- [x] Storage keys validated against allowed prefix: `addons/revisions/`
- [x] No server can access another server's revisions (server_id enforced on all queries)
### Sensitive File Handling
- [x] Configurable exclusion patterns applied before any revision is stored
- [x] Default exclusions: `.env`, `*.key`, `*.pem`, `*.p12`, `secrets.yml`, `*.sql`, `*.bak`, etc.
- [x] Binary files detected and stored without diff rendering (prevents binary exfiltration via diff)
### Rate Limiting
- [x] Live network metrics: 12 requests/min per user per server
- [x] Console autocomplete: 60 requests/min per user per server
- [x] Revision restore: 10 requests/min per user
- [x] Role write operations: 30 requests/min per admin
### Data Isolation
- [x] Users can only see metrics/revisions/permissions for servers they own or have access to
- [x] Node-wide metrics visible only to `root_admin` users
- [x] Revision download streams content directly — no temp files with predictable names
- [x] Player cache is per-server — no cross-server data leakage
### Infrastructure
- [x] Docker socket is never exposed to the web panel
- [x] Wings stats collected via REST API with token auth, not via Docker socket directly
- [x] No container privileges escalated beyond Wings' standard operation
- [x] Secrets never stored in frontend code or returned in API responses
### Audit Logging
- [x] Role create/update/delete logged
- [x] Role assign/unassign logged
- [x] Permission override set logged
- [x] File revision created logged
- [x] File revision restored logged
- [x] All logs include actor_id, IP address, timestamp, and payload
---
## Known Limitations
1. **Port-level network metrics** require iptables on the host node. If not available, the port table shows a friendly "unavailable" message rather than failing silently.
2. **Container flow graph** currently derives inter-container traffic from shared Docker networks — it cannot identify application-layer routing (e.g., Velocity routing logic) purely from network layer data.
3. **File revision listener** depends on Pterodactyl's `ConsoleDataReceived` event. If a future panel version removes this event, the listener degrades gracefully (no crash).
---
## Reporting Security Issues
Email: **security@balls.studio** (or open a private issue at https://git.balls.studio/BallStudios/pterodactyl_addon)
Please do **not** publicly disclose security vulnerabilities before they are patched.