Affected by GO-2022-0919 and 6 other vulnerabilities

GO-2022-0919: Asymmetric Resource Consumption (Amplification) in Docker containers created by Wings in github.com/pterodactyl/wings

GO-2023-1542: Pterodactyl Wings contains UNIX Symbolic Link (Symlink) Following in github.com/pterodactyl/wings

GO-2023-1555: Pterodactyl Wings contains UNIX Symbolic Link (Symlink) Following resulting in deletion of files and directories on the host system in github.com/pterodactyl/wings

GO-2023-1768: Wings vulnerable to escape to host from installation container in github.com/pterodactyl/wings

GO-2024-2642: Pterodactyl Wings vulnerable to improper isolation of server file access in github.com/pterodactyl/wings

GO-2024-2814: Pterodactyl Wings vulnerable to Arbitrary File Write/Read in github.com/pterodactyl/wings

GO-2024-2815: Pterodactyl Wings vulnerable to Server-Side Request Forgery during remote file pull in github.com/pterodactyl/wings

websocket

package

v1.1.2 Latest Latest Go to latest Published: Nov 15, 2020 License: MIT Imports: 18 Imported by: 1

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/pterodactyl/wings

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
Variables
func IsJwtError(err error) bool
func NewTokenPayload(token []byte) (*tokens.WebsocketPayload, error)
type Handler
- func GetHandler(s *server.Server, w http.ResponseWriter, r *http.Request) (*Handler, error)
type Message

Constants ¶

View Source

const (
	AuthenticationSuccessEvent = "auth success"
	TokenExpiringEvent         = "token expiring"
	TokenExpiredEvent          = "token expired"
	AuthenticationEvent        = "auth"
	SetStateEvent              = "set state"
	SendServerLogsEvent        = "send logs"
	SendCommandEvent           = "send command"
	SendStatsEvent             = "send stats"
	ErrorEvent                 = "daemon error"
	JwtErrorEvent              = "jwt error"
)

View Source

const (
	PermissionConnect          = "websocket.connect"
	PermissionSendCommand      = "control.console"
	PermissionSendPowerStart   = "control.start"
	PermissionSendPowerStop    = "control.stop"
	PermissionSendPowerRestart = "control.restart"
	PermissionReceiveErrors    = "admin.websocket.errors"
	PermissionReceiveInstall   = "admin.websocket.install"
	PermissionReceiveBackups   = "backup.read"
)

Variables ¶

View Source

var (
	ErrJwtNotPresent    = errors.Sentinel("jwt: no jwt present")
	ErrJwtNoConnectPerm = errors.Sentinel("jwt: missing connect permission")
	ErrJwtUuidMismatch  = errors.Sentinel("jwt: server uuid mismatch")
	ErrJwtOnDenylist    = errors.Sentinel("jwt: created too far in past (denylist)")
)

Functions ¶

func IsJwtError ¶

func IsJwtError(err error) bool

func NewTokenPayload ¶

func NewTokenPayload(token []byte) (*tokens.WebsocketPayload, error)

Parses a JWT into a websocket token payload.

Types ¶

type Handler ¶

type Handler struct {
	sync.RWMutex

	Connection *websocket.Conn
	// contains filtered or unexported fields
}

func GetHandler ¶

func GetHandler(s *server.Server, w http.ResponseWriter, r *http.Request) (*Handler, error)

Returns a new websocket handler using the context provided.

func (*Handler) GetErrorMessage ¶

func (h *Handler) GetErrorMessage(msg string) (string, uuid.UUID)

Converts an error message into a more readable representation and returns a UUID that can be cross-referenced to find the specific error that triggered.

func (*Handler) GetJwt ¶

func (h *Handler) GetJwt() *tokens.WebsocketPayload

func (*Handler) HandleInbound ¶

func (h *Handler) HandleInbound(m Message) error

Handle the inbound socket request and route it to the proper server action.

func (*Handler) ListenForExpiration ¶

func (h *Handler) ListenForExpiration(ctx context.Context)

Checks the time to expiration on the JWT every 30 seconds until the token has expired. If we are within 3 minutes of the token expiring, send a notice over the socket that it is expiring soon. If it has expired, send that notice as well.

func (*Handler) ListenForServerEvents ¶

func (h *Handler) ListenForServerEvents(ctx context.Context)

Listens for different events happening on a server and sends them along to the connected websocket.

func (*Handler) SendErrorJson ¶

func (h *Handler) SendErrorJson(msg Message, err error, shouldLog ...bool) error

Sends an error back to the connected websocket instance by checking the permissions of the token. If the user has the "receive-errors" grant we will send back the actual error message, otherwise we just send back a standard error message.

func (*Handler) SendJson ¶

func (h *Handler) SendJson(v *Message) error

func (*Handler) TokenValid ¶

func (h *Handler) TokenValid() error

Checks if the JWT is still valid.

func (*Handler) Uuid ¶

func (h *Handler) Uuid() uuid.UUID

type Message ¶

type Message struct {
	// The event to perform.
	Event string `json:"event"`

	// The data to pass along, only used by power/command currently. Other requests
	// should either omit the field or pass an empty value as it is ignored.
	Args []string `json:"args,omitempty"`
}

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL