From 1172d71d31561c4e465dabdf6b838e64de48ad16 Mon Sep 17 00:00:00 2001
From: Matthew Penner <me@matthewp.io>
Date: Wed, 10 Apr 2024 14:41:32 -0600
Subject: [PATCH 1/9] app: improve `docker_image` validation

---
 app/Http/Requests/Admin/Egg/EggFormRequest.php                  | 2 +-
 .../Api/Client/Servers/Settings/SetDockerImageRequest.php       | 2 +-
 app/Models/Egg.php                                              | 2 +-
 app/Models/Server.php                                           | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/app/Http/Requests/Admin/Egg/EggFormRequest.php b/app/Http/Requests/Admin/Egg/EggFormRequest.php
index 0f153393fb..a41ac4eba9 100644
--- a/app/Http/Requests/Admin/Egg/EggFormRequest.php
+++ b/app/Http/Requests/Admin/Egg/EggFormRequest.php
@@ -11,7 +11,7 @@ public function rules(): array
         $rules = [
             'name' => 'required|string|max:191',
             'description' => 'nullable|string',
-            'docker_images' => 'required|string',
+            'docker_images' => ['required', 'string', 'max:191', 'regex:/^([a-zA-Z0-9 .#_\/\-]*)(\|*)([a-zA-Z0-9 .\/:@]*)$/'],
             'force_outgoing_ip' => 'sometimes|boolean',
             'file_denylist' => 'array',
             'startup' => 'required|string',
diff --git a/app/Http/Requests/Api/Client/Servers/Settings/SetDockerImageRequest.php b/app/Http/Requests/Api/Client/Servers/Settings/SetDockerImageRequest.php
index f618de3705..a104a91bcf 100644
--- a/app/Http/Requests/Api/Client/Servers/Settings/SetDockerImageRequest.php
+++ b/app/Http/Requests/Api/Client/Servers/Settings/SetDockerImageRequest.php
@@ -24,7 +24,7 @@ public function rules(): array
         Assert::isInstanceOf($server, Server::class);
 
         return [
-            'docker_image' => ['required', 'string', Rule::in(array_values($server->egg->docker_images))],
+            'docker_image' => ['required', 'string', 'max:191', 'regex:/^([a-zA-Z0-9 .#_\/\-]*)(\|*)([a-zA-Z0-9 .\/:@]*)$/', Rule::in(array_values($server->egg->docker_images))],
         ];
     }
 }
diff --git a/app/Models/Egg.php b/app/Models/Egg.php
index 31c3e34200..40c2e33266 100644
--- a/app/Models/Egg.php
+++ b/app/Models/Egg.php
@@ -123,7 +123,7 @@ class Egg extends Model
         'file_denylist' => 'array|nullable',
         'file_denylist.*' => 'string',
         'docker_images' => 'required|array|min:1',
-        'docker_images.*' => 'required|string',
+        'docker_images.*' => ['required', 'string', 'max:191', 'regex:/^([a-zA-Z0-9 .#_\/\-]*)(\|*)([a-zA-Z0-9 .\/:@]*)$/'],
         'startup' => 'required|nullable|string',
         'config_from' => 'sometimes|bail|nullable|numeric|exists:eggs,id',
         'config_stop' => 'required_without:config_from|nullable|string|max:191',
diff --git a/app/Models/Server.php b/app/Models/Server.php
index d53af3038c..ecc137f5db 100644
--- a/app/Models/Server.php
+++ b/app/Models/Server.php
@@ -163,7 +163,7 @@ class Server extends Model
         'egg_id' => 'required|exists:eggs,id',
         'startup' => 'required|string',
         'skip_scripts' => 'sometimes|boolean',
-        'image' => 'required|string|max:191',
+        'image' => ['required', 'string', 'max:191', 'regex:/^([a-zA-Z0-9 .#_\/\-]*)(\|*)([a-zA-Z0-9 .\/:@]*)$/'],
         'database_limit' => 'present|nullable|integer|min:0',
         'allocation_limit' => 'sometimes|nullable|integer|min:0',
         'backup_limit' => 'present|nullable|integer|min:0',

From 319ca683f849e9476a55eefab49321b18ce5deea Mon Sep 17 00:00:00 2001
From: Matthew Penner <me@matthewp.io>
Date: Wed, 10 Apr 2024 17:38:09 -0600
Subject: [PATCH 2/9] api(remote): ensure requesting node is checked

---
 .../Remote/Backups/BackupRemoteUploadController.php   |  9 ++++++++-
 .../Api/Remote/Backups/BackupStatusController.php     | 11 +++++++++--
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/app/Http/Controllers/Api/Remote/Backups/BackupRemoteUploadController.php b/app/Http/Controllers/Api/Remote/Backups/BackupRemoteUploadController.php
index 7d92e0b1aa..c3bf726622 100644
--- a/app/Http/Controllers/Api/Remote/Backups/BackupRemoteUploadController.php
+++ b/app/Http/Controllers/Api/Remote/Backups/BackupRemoteUploadController.php
@@ -32,6 +32,10 @@ public function __construct(private BackupManager $backupManager)
      */
     public function __invoke(Request $request, string $backup): JsonResponse
     {
+        // Get the node associated with the request.
+        /** @var \Pterodactyl\Models\Node $node */
+        $node = $request->attributes->get('node');
+
         // Get the size query parameter.
         $size = (int) $request->query('size');
         if (empty($size)) {
@@ -39,7 +43,10 @@ public function __invoke(Request $request, string $backup): JsonResponse
         }
 
         /** @var \Pterodactyl\Models\Backup $backup */
-        $backup = Backup::query()->where('uuid', $backup)->firstOrFail();
+        $backup = Backup::query()
+            ->where('node_id', $node->id)
+            ->where('uuid', $backup)
+            ->firstOrFail();
 
         // Prevent backups that have already been completed from trying to
         // be uploaded again.
diff --git a/app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php b/app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php
index f9c2a7932e..042fbd0506 100644
--- a/app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php
+++ b/app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php
@@ -30,8 +30,15 @@ public function __construct(private BackupManager $backupManager)
      */
     public function index(ReportBackupCompleteRequest $request, string $backup): JsonResponse
     {
-        /** @var \Pterodactyl\Models\Backup $model */
-        $model = Backup::query()->where('uuid', $backup)->firstOrFail();
+        // Get the node associated with the request.
+        /** @var \Pterodactyl\Models\Node $node */
+        $node = $request->attributes->get('node');
+
+        /** @var \Pterodactyl\Models\Backup $backup */
+        $backup = Backup::query()
+            ->where('node_id', $node->id)
+            ->where('uuid', $backup)
+            ->firstOrFail();
 
         if ($model->is_successful) {
             throw new BadRequestHttpException('Cannot update the status of a backup that is already marked as completed.');

From f671046947e4695b5e1c647df79305c1cefdf817 Mon Sep 17 00:00:00 2001
From: Matthew Penner <me@matthewp.io>
Date: Wed, 10 Apr 2024 17:39:26 -0600
Subject: [PATCH 3/9] admin: tweaks to validation and rendering

---
 app/Http/Controllers/Admin/Nests/EggVariableController.php    | 4 ++--
 app/Http/Controllers/Admin/Nests/NestController.php           | 2 +-
 app/Http/Controllers/Admin/NodesController.php                | 2 +-
 app/Http/Requests/Admin/Egg/EggFormRequest.php                | 2 +-
 app/Http/Requests/Admin/Nest/StoreNestFormRequest.php         | 2 +-
 .../Api/Client/Servers/Settings/SetDockerImageRequest.php     | 2 +-
 app/Models/Egg.php                                            | 2 +-
 app/Models/Server.php                                         | 2 +-
 public/themes/pterodactyl/js/admin/new-server.js              | 2 +-
 resources/views/admin/servers/view/startup.blade.php          | 2 +-
 10 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/app/Http/Controllers/Admin/Nests/EggVariableController.php b/app/Http/Controllers/Admin/Nests/EggVariableController.php
index 40274b3239..2b84e8b022 100644
--- a/app/Http/Controllers/Admin/Nests/EggVariableController.php
+++ b/app/Http/Controllers/Admin/Nests/EggVariableController.php
@@ -69,7 +69,7 @@ public function update(EggVariableFormRequest $request, Egg $egg, EggVariable $v
     {
         $this->updateService->handle($variable, $request->normalize());
         $this->alert->success(trans('admin/nests.variables.notices.variable_updated', [
-            'variable' => $variable->name,
+            'variable' => htmlspecialchars($variable->name),
         ]))->flash();
 
         return redirect()->route('admin.nests.egg.variables', $egg->id);
@@ -82,7 +82,7 @@ public function destroy(int $egg, EggVariable $variable): RedirectResponse
     {
         $this->variableRepository->delete($variable->id);
         $this->alert->success(trans('admin/nests.variables.notices.variable_deleted', [
-            'variable' => $variable->name,
+            'variable' => htmlspecialchars($variable->name),
         ]))->flash();
 
         return redirect()->route('admin.nests.egg.variables', $egg);
diff --git a/app/Http/Controllers/Admin/Nests/NestController.php b/app/Http/Controllers/Admin/Nests/NestController.php
index 037dd09430..311a5df28b 100644
--- a/app/Http/Controllers/Admin/Nests/NestController.php
+++ b/app/Http/Controllers/Admin/Nests/NestController.php
@@ -56,7 +56,7 @@ public function create(): View
     public function store(StoreNestFormRequest $request): RedirectResponse
     {
         $nest = $this->nestCreationService->handle($request->normalize());
-        $this->alert->success(trans('admin/nests.notices.created', ['name' => $nest->name]))->flash();
+        $this->alert->success(trans('admin/nests.notices.created', ['name' => htmlspecialchars($nest->name)]))->flash();
 
         return redirect()->route('admin.nests.view', $nest->id);
     }
diff --git a/app/Http/Controllers/Admin/NodesController.php b/app/Http/Controllers/Admin/NodesController.php
index 573a1d9f8d..71094a5175 100644
--- a/app/Http/Controllers/Admin/NodesController.php
+++ b/app/Http/Controllers/Admin/NodesController.php
@@ -131,7 +131,7 @@ public function allocationRemoveBlock(Request $request, int $node): RedirectResp
             ['ip', '=', $request->input('ip')],
         ]);
 
-        $this->alert->success(trans('admin/node.notices.unallocated_deleted', ['ip' => $request->input('ip')]))
+        $this->alert->success(trans('admin/node.notices.unallocated_deleted', ['ip' => htmlspecialchars($request->input('ip'))]))
             ->flash();
 
         return redirect()->route('admin.nodes.view.allocation', $node);
diff --git a/app/Http/Requests/Admin/Egg/EggFormRequest.php b/app/Http/Requests/Admin/Egg/EggFormRequest.php
index a41ac4eba9..0a88f5a74c 100644
--- a/app/Http/Requests/Admin/Egg/EggFormRequest.php
+++ b/app/Http/Requests/Admin/Egg/EggFormRequest.php
@@ -11,7 +11,7 @@ public function rules(): array
         $rules = [
             'name' => 'required|string|max:191',
             'description' => 'nullable|string',
-            'docker_images' => ['required', 'string', 'max:191', 'regex:/^([a-zA-Z0-9 .#_\/\-]*)(\|*)([a-zA-Z0-9 .\/:@]*)$/'],
+            'docker_images' => ['required', 'string', 'regex:/^[\w#\.\/\- ]*\|*[\w\.\/\-:@ ]*$/im'],
             'force_outgoing_ip' => 'sometimes|boolean',
             'file_denylist' => 'array',
             'startup' => 'required|string',
diff --git a/app/Http/Requests/Admin/Nest/StoreNestFormRequest.php b/app/Http/Requests/Admin/Nest/StoreNestFormRequest.php
index 193f8676c8..81505de154 100644
--- a/app/Http/Requests/Admin/Nest/StoreNestFormRequest.php
+++ b/app/Http/Requests/Admin/Nest/StoreNestFormRequest.php
@@ -9,7 +9,7 @@ class StoreNestFormRequest extends AdminFormRequest
     public function rules(): array
     {
         return [
-            'name' => 'required|string|min:1|max:191',
+            'name' => 'required|string|min:1|max:191|regex:/^[\w\- ]+$/',
             'description' => 'string|nullable',
         ];
     }
diff --git a/app/Http/Requests/Api/Client/Servers/Settings/SetDockerImageRequest.php b/app/Http/Requests/Api/Client/Servers/Settings/SetDockerImageRequest.php
index a104a91bcf..231fec81b9 100644
--- a/app/Http/Requests/Api/Client/Servers/Settings/SetDockerImageRequest.php
+++ b/app/Http/Requests/Api/Client/Servers/Settings/SetDockerImageRequest.php
@@ -24,7 +24,7 @@ public function rules(): array
         Assert::isInstanceOf($server, Server::class);
 
         return [
-            'docker_image' => ['required', 'string', 'max:191', 'regex:/^([a-zA-Z0-9 .#_\/\-]*)(\|*)([a-zA-Z0-9 .\/:@]*)$/', Rule::in(array_values($server->egg->docker_images))],
+            'docker_image' => ['required', 'string', 'max:191', 'regex:/^[\w#\.\/\- ]*\|*[\w\.\/\-:@ ]*$/', Rule::in(array_values($server->egg->docker_images))],
         ];
     }
 }
diff --git a/app/Models/Egg.php b/app/Models/Egg.php
index 40c2e33266..f0e668b27e 100644
--- a/app/Models/Egg.php
+++ b/app/Models/Egg.php
@@ -123,7 +123,7 @@ class Egg extends Model
         'file_denylist' => 'array|nullable',
         'file_denylist.*' => 'string',
         'docker_images' => 'required|array|min:1',
-        'docker_images.*' => ['required', 'string', 'max:191', 'regex:/^([a-zA-Z0-9 .#_\/\-]*)(\|*)([a-zA-Z0-9 .\/:@]*)$/'],
+        'docker_images.*' => ['required', 'string', 'max:191', 'regex:/^[\w#\.\/\- ]*\|*[\w\.\/\-:@ ]*$/'],
         'startup' => 'required|nullable|string',
         'config_from' => 'sometimes|bail|nullable|numeric|exists:eggs,id',
         'config_stop' => 'required_without:config_from|nullable|string|max:191',
diff --git a/app/Models/Server.php b/app/Models/Server.php
index ecc137f5db..f95e1deefc 100644
--- a/app/Models/Server.php
+++ b/app/Models/Server.php
@@ -163,7 +163,7 @@ class Server extends Model
         'egg_id' => 'required|exists:eggs,id',
         'startup' => 'required|string',
         'skip_scripts' => 'sometimes|boolean',
-        'image' => ['required', 'string', 'max:191', 'regex:/^([a-zA-Z0-9 .#_\/\-]*)(\|*)([a-zA-Z0-9 .\/:@]*)$/'],
+        'image' => ['required', 'string', 'max:191', 'regex:/^[\w\.\/\-:@ ]*$/'],
         'database_limit' => 'present|nullable|integer|min:0',
         'allocation_limit' => 'sometimes|nullable|integer|min:0',
         'backup_limit' => 'present|nullable|integer|min:0',
diff --git a/public/themes/pterodactyl/js/admin/new-server.js b/public/themes/pterodactyl/js/admin/new-server.js
index db138cbde5..1fd80a9218 100644
--- a/public/themes/pterodactyl/js/admin/new-server.js
+++ b/public/themes/pterodactyl/js/admin/new-server.js
@@ -88,7 +88,7 @@ $('#pEggId').on('change', function (event) {
     for (let i = 0; i < keys.length; i++) {
         let opt = document.createElement('option');
         opt.value = images[keys[i]];
-        opt.innerHTML = keys[i] + " (" + images[keys[i]] + ")";
+        opt.innerText = keys[i] + " (" + images[keys[i]] + ")";
         $('#pDefaultContainer').append(opt);
     }
 
diff --git a/resources/views/admin/servers/view/startup.blade.php b/resources/views/admin/servers/view/startup.blade.php
index 05330298e8..c2d6dc11ea 100644
--- a/resources/views/admin/servers/view/startup.blade.php
+++ b/resources/views/admin/servers/view/startup.blade.php
@@ -119,7 +119,7 @@
             for (let i = 0; i < keys.length; i++) {
                 let opt = document.createElement('option');
                 opt.value = images[keys[i]];
-                opt.innerHTML = keys[i] + " (" + images[keys[i]] + ")";
+                opt.innerText = keys[i] + " (" + images[keys[i]] + ")";
                 if (objectChain.id === parseInt(Pterodactyl.server.egg_id) && Pterodactyl.server.image == opt.value) {
                     opt.selected = true
                 }

From b1fa3927c17b7c34c3b12aa6e8825a3de1a81d04 Mon Sep 17 00:00:00 2001
From: Matthew Penner <me@matthewp.io>
Date: Thu, 11 Apr 2024 10:42:18 -0600
Subject: [PATCH 4/9] api(remote): fix oops in BackupStatusController

---
 .../Controllers/Api/Remote/Backups/BackupStatusController.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php b/app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php
index 042fbd0506..75f039d285 100644
--- a/app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php
+++ b/app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php
@@ -34,8 +34,8 @@ public function index(ReportBackupCompleteRequest $request, string $backup): Jso
         /** @var \Pterodactyl\Models\Node $node */
         $node = $request->attributes->get('node');
 
-        /** @var \Pterodactyl\Models\Backup $backup */
-        $backup = Backup::query()
+        /** @var \Pterodactyl\Models\Backup $model */
+        $model = Backup::query()
             ->where('node_id', $node->id)
             ->where('uuid', $backup)
             ->firstOrFail();

From 0dad4c5a488661f9adc27dd311542516d9bfa0f2 Mon Sep 17 00:00:00 2001
From: Matthew Penner <me@matthewp.io>
Date: Thu, 11 Apr 2024 10:47:00 -0600
Subject: [PATCH 5/9] ui(admin): better handling of manual HTML rendering

---
 public/themes/pterodactyl/js/admin/new-server.js | 16 +++++++++++-----
 resources/views/admin/nodes/view/index.blade.php | 10 ++++++++--
 .../views/admin/servers/view/startup.blade.php   | 16 +++++++++++-----
 3 files changed, 30 insertions(+), 12 deletions(-)

diff --git a/public/themes/pterodactyl/js/admin/new-server.js b/public/themes/pterodactyl/js/admin/new-server.js
index 1fd80a9218..1437c04e2a 100644
--- a/public/themes/pterodactyl/js/admin/new-server.js
+++ b/public/themes/pterodactyl/js/admin/new-server.js
@@ -109,6 +109,12 @@ $('#pEggId').on('change', function (event) {
         ),
     });
 
+    function escapeHtml(str) {
+        var div = document.createElement('div');
+        div.appendChild(document.createTextNode(str));
+        return div.innerHTML;
+    }
+
     const variableIds = {};
     $('#appendVariablesTo').html('');
     $.each(_.get(objectChain, 'variables', []), function (i, item) {
@@ -117,11 +123,11 @@ $('#pEggId').on('change', function (event) {
         let isRequired = (item.required === 1) ? '<span class="label label-danger">Required</span> ' : '';
         let dataAppend = ' \
             <div class="form-group col-sm-6"> \
-                <label for="var_ref_' + item.id + '" class="control-label">' + isRequired + item.name + '</label> \
-                <input type="text" id="var_ref_' + item.id + '" autocomplete="off" name="environment[' + item.env_variable + ']" class="form-control" value="' + item.default_value + '" /> \
-                <p class="text-muted small">' + item.description + '<br /> \
-                <strong>Access in Startup:</strong> <code>{{' + item.env_variable + '}}</code><br /> \
-                <strong>Validation Rules:</strong> <code>' + item.rules + '</code></small></p> \
+                <label for="var_ref_' + escapeHtml(item.id) + '" class="control-label">' + isRequired + escapeHtml(item.name) + '</label> \
+                <input type="text" id="var_ref_' + escapeHtml(item.id) + '" autocomplete="off" name="environment[' + escapeHtml(item.env_variable) + ']" class="form-control" value="' + escapeHtml(item.default_value) + '" /> \
+                <p class="text-muted small">' + escapeHtml(item.description) + '<br /> \
+                <strong>Access in Startup:</strong> <code>{{' + escapeHtml(item.env_variable) + '}}</code><br /> \
+                <strong>Validation Rules:</strong> <code>' + escapeHtml(item.rules) + '</code></small></p> \
             </div> \
         ';
         $('#appendVariablesTo').append(dataAppend);
diff --git a/resources/views/admin/nodes/view/index.blade.php b/resources/views/admin/nodes/view/index.blade.php
index 2d0bb32874..defa0d366e 100644
--- a/resources/views/admin/nodes/view/index.blade.php
+++ b/resources/views/admin/nodes/view/index.blade.php
@@ -145,14 +145,20 @@
 @section('footer-scripts')
     @parent
     <script>
+    function escapeHtml(str) {
+        var div = document.createElement('div');
+        div.appendChild(document.createTextNode(str));
+        return div.innerHTML;
+    }
+
     (function getInformation() {
         $.ajax({
             method: 'GET',
             url: '/admin/nodes/view/{{ $node->id }}/system-information',
             timeout: 5000,
         }).done(function (data) {
-            $('[data-attr="info-version"]').html(data.version);
-            $('[data-attr="info-system"]').html(data.system.type + ' (' + data.system.arch + ') <code>' + data.system.release + '</code>');
+            $('[data-attr="info-version"]').html(escapeHtml(data.version));
+            $('[data-attr="info-system"]').html(escapeHtml(data.system.type) + ' (' + escapeHtml(data.system.arch) + ') <code>' + escapeHtml(data.system.release) + '</code>');
             $('[data-attr="info-cpus"]').html(data.system.cpus);
         }).fail(function (jqXHR) {
 
diff --git a/resources/views/admin/servers/view/startup.blade.php b/resources/views/admin/servers/view/startup.blade.php
index c2d6dc11ea..f213b194aa 100644
--- a/resources/views/admin/servers/view/startup.blade.php
+++ b/resources/views/admin/servers/view/startup.blade.php
@@ -107,6 +107,12 @@
     @parent
     {!! Theme::js('vendor/lodash/lodash.js') !!}
     <script>
+    function escapeHtml(str) {
+        var div = document.createElement('div');
+        div.appendChild(document.createTextNode(str));
+        return div.innerHTML;
+    }
+
     $(document).ready(function () {
         $('#pEggId').select2({placeholder: 'Select a Nest Egg'}).on('change', function () {
             var selectedEgg = _.isNull($(this).val()) ? $(this).find('option').first().val() : $(this).val();
@@ -149,15 +155,15 @@
                     <div class="col-xs-12"> \
                         <div class="box"> \
                             <div class="box-header with-border"> \
-                                <h3 class="box-title">' + isRequired + item.name + '</h3> \
+                                <h3 class="box-title">' + isRequired + escapeHtml(item.name) + '</h3> \
                             </div> \
                             <div class="box-body"> \
-                                <input name="environment[' + item.env_variable + ']" class="form-control" type="text" id="egg_variable_' + item.env_variable + '" /> \
-                                <p class="no-margin small text-muted">' + item.description + '</p> \
+                                <input name="environment[' + escapeHtml(item.env_variable) + ']" class="form-control" type="text" id="egg_variable_' + escapeHtml(item.env_variable) + '" /> \
+                                <p class="no-margin small text-muted">' + escapeHtml(item.description) + '</p> \
                             </div> \
                             <div class="box-footer"> \
-                                <p class="no-margin text-muted small"><strong>Startup Command Variable:</strong> <code>' + item.env_variable + '</code></p> \
-                                <p class="no-margin text-muted small"><strong>Input Rules:</strong> <code>' + item.rules + '</code></p> \
+                                <p class="no-margin text-muted small"><strong>Startup Command Variable:</strong> <code>' + escapeHtml(item.env_variable) + '</code></p> \
+                                <p class="no-margin text-muted small"><strong>Input Rules:</strong> <code>' + escapeHtml(item.rules) + '</code></p> \
                             </div> \
                         </div> \
                     </div>';

From 6dc85c731ea3d1130c771861cab282b32ce77db7 Mon Sep 17 00:00:00 2001
From: Matthew Penner <me@matthewp.io>
Date: Tue, 16 Apr 2024 15:17:36 -0600
Subject: [PATCH 6/9] chore: update `SECURITY.md`

ref; https://github.com/pterodactyl/panel/pull/5074 which targets the
wrong branch
---
 SECURITY.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/SECURITY.md b/SECURITY.md
index e5a9eb0fa6..96c0684741 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -6,7 +6,6 @@ The following versions of Pterodactyl are receiving active support and maintenan
 
 | Panel  | Daemon       | Supported          |
 |--------|--------------|--------------------|
-| 1.10.x | wings@1.7.x  | :white_check_mark: |
 | 1.11.x | wings@1.11.x | :white_check_mark: |
 | 0.7.x  | daemon@0.6.x | :x:                |
 

From 96e6c660407947a18d762e0c9c5ebe50e5e8a596 Mon Sep 17 00:00:00 2001
From: Matthew Penner <me@matthewp.io>
Date: Thu, 2 May 2024 13:22:31 -0600
Subject: [PATCH 7/9] Update README.md

---
 README.md | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/README.md b/README.md
index 068755ecc1..d0041a47e3 100644
--- a/README.md
+++ b/README.md
@@ -27,14 +27,15 @@ Stop settling for less. Make game servers a first class citizen on your platform
 I would like to extend my sincere thanks to the following sponsors for helping fund Pterodactyl's development.
 [Interested in becoming a sponsor?](https://github.com/sponsors/matthewpi)
 
-| Company                                                   | About                                                                                                                                                                                                                                           |
-|-----------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| [**Aussie Server Hosts**](https://aussieserverhosts.com/) | No frills Australian Owned and operated High Performance Server hosting for some of the most demanding games serving Australia and New Zealand.                                                                                                 |
-| [**BisectHosting**](https://www.bisecthosting.com/)       | BisectHosting provides Minecraft, Valheim and other server hosting services with the highest reliability and lightning fast support since 2012.                                                                                                 |
-| [**MineStrator**](https://minestrator.com/)               | Looking for the most highend French hosting company for your minecraft server? More than 24,000 members on our discord trust us. Give us a try!                                                                                                 |
-| [**VibeGAMES**](https://vibegames.net/)                   | VibeGAMES is a game server provider that specializes in DDOS protection for the games we offer. We have multiple locations in the US, Brazil, France, Germany, Singapore, Australia and South Africa.                                           |
-| [**HostEZ**](https://hostez.io)                           | US & EU Rust & Minecraft Hosting. DDoS Protected bare metal, VPS and colocation with low latency, high uptime and maximum availability. EZ!                                                                                                     |
-| [**Blueprint**](https://blueprint.zip/?pterodactyl=true)  | Create and install Pterodactyl addons and themes with the growing Blueprint framework - the package-manager for Pterodactyl. Use multiple modifications at once without worrying about conflicts and make use of the large extension ecosystem. |
+| Company                                                      | About                                                                                                                                                                                                                                           |
+|--------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [**Aussie Server Hosts**](https://aussieserverhosts.com/)    | No frills Australian Owned and operated High Performance Server hosting for some of the most demanding games serving Australia and New Zealand.                                                                                                 |
+| [**BisectHosting**](https://www.bisecthosting.com/)          | BisectHosting provides Minecraft, Valheim and other server hosting services with the highest reliability and lightning fast support since 2012.                                                                                                 |
+| [**MineStrator**](https://minestrator.com/)                  | Looking for the most highend French hosting company for your minecraft server? More than 24,000 members on our discord trust us. Give us a try!                                                                                                 |
+| [**VibeGAMES**](https://vibegames.net/)                      | VibeGAMES is a game server provider that specializes in DDOS protection for the games we offer. We have multiple locations in the US, Brazil, France, Germany, Singapore, Australia and South Africa.                                           |
+| [**HostEZ**](https://hostez.io)                              | US & EU Rust & Minecraft Hosting. DDoS Protected bare metal, VPS and colocation with low latency, high uptime and maximum availability. EZ!                                                                                                     |
+| [**Blueprint**](https://blueprint.zip/?pterodactyl=true)     | Create and install Pterodactyl addons and themes with the growing Blueprint framework - the package-manager for Pterodactyl. Use multiple modifications at once without worrying about conflicts and make use of the large extension ecosystem. |
+| [**indifferent broccoli**](https://indifferentbroccoli.com/) | indifferent broccoli is a game server hosting and rental company. With us, you get top-notch computer power for your gaming sessions. We destroy lag, latency, and complexity--letting you focus on the fun stuff.                              |
 
 ### Supported Games
 

From b7b2413f3d9e41ec2242fd390df11edcc61c1b11 Mon Sep 17 00:00:00 2001
From: Matthew Penner <me@matthewp.io>
Date: Thu, 2 May 2024 13:29:25 -0600
Subject: [PATCH 8/9] Update CHANGELOG.md

---
 CHANGELOG.md | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3e9e805eb8..d9a687281a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,17 @@ This file is a running track of new features and fixes to each version of the pa
 
 This project follows [Semantic Versioning](http://semver.org) guidelines.
 
+## v1.11.6
+
+### Changed
+
+* Better node ownership checks for internal backup endpoints
+* Improved validation rules on `docker_image` fields to prevent invalid inputs
+
+### Fixed
+
+* Multiple XSS vulnerabilities in the admin area ([GHSA-384w-wffr-x63q](https://github.com/pterodactyl/panel/security/advisories/GHSA-384w-wffr-x63q))
+
 ## v1.11.5
 ### Fixed
 * Rust egg using the wrong Docker image, breaking Rust modding frameworks.

From 7bfc265a7ef0b7f8f55b69edb12a8552bfd50a8c Mon Sep 17 00:00:00 2001
From: Matthew Penner <me@matthewp.io>
Date: Sat, 4 May 2024 16:06:13 -0600
Subject: [PATCH 9/9] api(remote): fix use of missing `node_id` field

Fixes #5088
---
 .../Backups/BackupRemoteUploadController.php  | 19 +++++++++++++------
 .../Remote/Backups/BackupStatusController.php |  9 ++++++++-
 2 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/app/Http/Controllers/Api/Remote/Backups/BackupRemoteUploadController.php b/app/Http/Controllers/Api/Remote/Backups/BackupRemoteUploadController.php
index c3bf726622..15fe8d9bd1 100644
--- a/app/Http/Controllers/Api/Remote/Backups/BackupRemoteUploadController.php
+++ b/app/Http/Controllers/Api/Remote/Backups/BackupRemoteUploadController.php
@@ -42,15 +42,22 @@ public function __invoke(Request $request, string $backup): JsonResponse
             throw new BadRequestHttpException('A non-empty "size" query parameter must be provided.');
         }
 
-        /** @var \Pterodactyl\Models\Backup $backup */
-        $backup = Backup::query()
-            ->where('node_id', $node->id)
+        /** @var \Pterodactyl\Models\Backup $model */
+        $model = Backup::query()
             ->where('uuid', $backup)
             ->firstOrFail();
 
+        // Check that the backup is "owned" by the node making the request. This avoids other nodes
+        // from messing with backups that they don't own.
+        /** @var \Pterodactyl\Models\Server $server */
+        $server = $model->server;
+        if ($server->node_id !== $node->id) {
+            throw new HttpForbiddenException('You do not have permission to access that backup.');
+        }
+
         // Prevent backups that have already been completed from trying to
         // be uploaded again.
-        if (!is_null($backup->completed_at)) {
+        if (!is_null($model->completed_at)) {
             throw new ConflictHttpException('This backup is already in a completed state.');
         }
 
@@ -61,7 +68,7 @@ public function __invoke(Request $request, string $backup): JsonResponse
         }
 
         // The path where backup will be uploaded to
-        $path = sprintf('%s/%s.tar.gz', $backup->server->uuid, $backup->uuid);
+        $path = sprintf('%s/%s.tar.gz', $model->server->uuid, $model->uuid);
 
         // Get the S3 client
         $client = $adapter->getClient();
@@ -99,7 +106,7 @@ public function __invoke(Request $request, string $backup): JsonResponse
         }
 
         // Set the upload_id on the backup in the database.
-        $backup->update(['upload_id' => $params['UploadId']]);
+        $model->update(['upload_id' => $params['UploadId']]);
 
         return new JsonResponse([
             'parts' => $parts,
diff --git a/app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php b/app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php
index 75f039d285..7b30e07582 100644
--- a/app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php
+++ b/app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php
@@ -36,10 +36,17 @@ public function index(ReportBackupCompleteRequest $request, string $backup): Jso
 
         /** @var \Pterodactyl\Models\Backup $model */
         $model = Backup::query()
-            ->where('node_id', $node->id)
             ->where('uuid', $backup)
             ->firstOrFail();
 
+        // Check that the backup is "owned" by the node making the request. This avoids other nodes
+        // from messing with backups that they don't own.
+        /** @var \Pterodactyl\Models\Server $server */
+        $server = $model->server;
+        if ($server->node_id !== $node->id) {
+            throw new HttpForbiddenException('You do not have permission to access that backup.');
+        }
+
         if ($model->is_successful) {
             throw new BadRequestHttpException('Cannot update the status of a backup that is already marked as completed.');
         }