Remove developer terminal completely and more.

Make Blueprint more secure, restore blueprint.sh if upgrading fails, fix problems with the BlueprintAdminFormRequest resulting in errors.

app/Http/Controllers/Admin/Extensions/Blueprint/BlueprintExtensionController.php

@@ -14,7 +14,6 @@
 use Pterodactyl\Services\Helpers\BlueprintPlaceholderService;
 use Pterodactyl\Contracts\Repository\SettingsRepositoryInterface;
 use Illuminate\Contracts\Config\Repository as ConfigRepository;
-use BlueprintSettingsFormRequest;
 use Illuminate\Http\RedirectResponse;
 use Pterodactyl\Http\Requests\Admin\AdminFormRequest;
 
@@ -44,11 +43,6 @@ public function __construct(
    */
   public function index(): View
   {
-    if($this->bp->dbGet('developer:cmd') != "") {
-      $this->bplib->notify("Execute arguments sent to Blueprint.");
-      $this->bp->dbSet('developer:log', $this->bp->exec($this->bp->dbGet('developer:cmd')));
-    };
-
     if ($this->settings->get('blueprint::panel:id') == "" || $this->bp->version() != $this->settings->get('blueprint::version:cache')) {
       $this->settings->set('blueprint::panel:id', uniqid(rand())."@".$this->bp->version());
       $this->settings->set('blueprint::version:cache', $this->bp->version());
@@ -71,7 +65,7 @@ public function index(): View
    * @throws \Pterodactyl\Exceptions\Model\DataValidationException
    * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
    */
-  public function update(BlueprintSettingsFormRequest $request): RedirectResponse
+  public function update(BlueprintAdminFormRequest $request): RedirectResponse
   {
     foreach ($request->normalize() as $key => $value) {
       $this->settings->set('blueprint::' . $key, $value);
@@ -82,7 +76,7 @@ public function update(BlueprintSettingsFormRequest $request): RedirectResponse
   }
 }
 
-class BlueprintSettingsFormRequest extends AdminFormRequest
+class BlueprintAdminFormRequest extends AdminFormRequest
 {
   public function rules(): array {
     return [

app/Services/Helpers/BlueprintExtensionLibrary.php

@@ -45,13 +45,13 @@ public function dbSet($table, $record, $value) {
   */
   public function notify($text) {
     $this->dbSet("blueprint", "notification:text", $text);
-    shell_exec("cd /var/www/".escapeshellarg($this->placeholder->folder()).";echo \"".escapeshellarg($text)."\" > .blueprint/data/internal/db/notification;");
+    shell_exec("cd /var/www/".escapeshellarg($this->placeholder->folder()).";echo ".escapeshellarg($text)." > .blueprint/data/internal/db/notification;");
     return;
   }
 
   public function notifyAfter($delay, $text) {
     $this->dbSet("blueprint", "notification:text", $text);
-    shell_exec("cd /var/www/".escapeshellarg($this->placeholder->folder()).";echo \"".escapeshellarg($text)."\" > .blueprint/data/internal/db/notification;");
+    shell_exec("cd /var/www/".escapeshellarg($this->placeholder->folder()).";echo ".escapeshellarg($text)." > .blueprint/data/internal/db/notification;");
     header("Refresh:$delay");
     return;
   }

blueprint.sh

@@ -56,13 +56,19 @@ source .blueprint/lib/telemetry.sh;
 # -exec
 if [[ "$1" == "-exec" ]]; then
 
+  # Quoteless arguments.
+  # There should be an easier way to do this and will be added in the future.
+  ql1=$(echo "$1" | tr -d "'\\\n\r;");ql2=$(echo "$2" | tr -d "'\\\n\r;");ql3=$(echo "$3" | tr -d "'\\\n\r;");ql4=$(echo "$4" | tr -d "'\\\n\r;");ql5=$(echo "$5" | tr -d "'\\\n\r;");
+
   # Update the telemetry id to argument.
-  if [[ $2 == "key" ]]; then
-    z=true;
-    echo "$3" > .blueprint/data/internal/db/telemetry_id;
+  if [[ $ql2 == "key" ]]; then
+    echo "$ql3" > .blueprint/data/internal/db/telemetry_id;
+    echo Command executed.;
+    exit 1;
   fi;
 
-  if [[ $z == false ]]; then echo "Command not found."; else; echo " "; fi; exit 1;
+  echo Command not found.;
+  exit 1;
 fi;
 
 # Function that exits the script after logging a "red" message.
@@ -499,6 +505,7 @@ if [[ $2 == "-upgrade" ]]; then
   if [[ $YN3 != "continue" ]]; then log_bright "[INFO] Upgrade cancelled.";exit 1;fi;
 
   log_bright "[INFO] Blueprint is upgrading.. Please do not turn off your machine.";
+  cp blueprint.sh .blueprint.sh.bak;
   if [[ $3 == "dev" ]]; then
     bash tools/update.sh /var/www/$FOLDER dev
   else
@@ -530,8 +537,17 @@ if [[ $2 == "-upgrade" ]]; then
   if [[ $score == 1 ]]; then
     log_green "[SUCCESS] Blueprint has upgraded successfully.";
   elif [[ $score == 0 ]]; then
+    log_yellow "[WARNING] All checks have failed, attempting automatic repair.";
+    rm blueprint.sh;
+    cp .blueprint.sh.bak blueprint.sh;
+    log_bright "[INFO] blueprint.sh has been rolled back.";
     log_red "[FATAL] Upgrading has failed."
   else
-    log_yellow "[WARNING] Some post-upgrade checks have failed."
+    log_yellow "[WARNING] Some post-upgrade checks have failed, attempting automatic repair.";
+    rm blueprint.sh;
+    cp .blueprint.sh.bak blueprint.sh;
+    log_bright "[INFO] blueprint.sh has been rolled back.";
+    log_red "[FATAL] Upgrading has failed."
   fi;
+  rm .blueprint.sh.bak;
 fi;

resources/views/admin/extensions/blueprint/index.blade.php

@@ -29,32 +29,6 @@
                 </div>
             </div>
 
-            <!-- Terminal -->
-            @if($bp->dbGet('developer') == "true")
-                <div class="box">
-                    <div class="box-header with-border">
-                        <h3 class="box-title"><i class='bx bxs-terminal' style='margin-right:5px;'></i>Terminal</h3>
-                    </div>
-                    <div class="box-body">
-                        <form action="" method="POST">
-                            <div class="col-xs-12" style="padding-top:5px;">
-                                <input type="text" required name="developer:cmd" id="developer:cmd" value="{{ $bp->dbGet('developer:cmd') }}" class="form-control" style="height:40px;width:100%;"/>
-                                <p class="text-muted small">Run a execute command on blueprint.sh, but you'll probably never use this anyways.</p>
-                                {{ csrf_field() }}
-                                <button type="submit" name="_method" value="PATCH" class="btn btn-gray-alt btn-sm pull-right" style="display:none;">Send</button>
-                            </div>
-                            <div class="col-xs-12" style="padding-top:10px;">
-                                @if($bp->dbGet('developer:log') != "")
-                                    <code>{{ $bp->dbGet('developer:log') }}</code>
-                                @endif
-                            </div>
-                        </form>
-                    </div>
-                </div>
-                {{ $bp->dbSet('developer:log', '') }}
-                {{ $bp->dbSet('developer:cmd', '') }}
-            @endif
-
         </div>
         <div class="col-xs-9">
             <form action="" method="POST">