From 3924c934943811d3668a64b0f914b94da52cc489 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E3=82=B6=E3=82=AB=E3=83=AA=E3=82=A2=E3=82=B9=E3=83=BB?=
 =?UTF-8?q?=E3=82=A6=E3=82=A3=E3=83=AA=E3=82=A2=E3=83=A0=E3=83=BB=E3=83=9D?=
 =?UTF-8?q?=E3=83=BC=E3=82=B8=E3=83=BC?=
 <26689019-pancakes1234@users.noreply.gitlab.com>
Date: Thu, 29 May 2025 00:34:32 +0900
Subject: [PATCH] Edit index.php

---
 API/index.php | 320 ++++++++++++++++++++++++++++----------------------
 1 file changed, 179 insertions(+), 141 deletions(-)

diff --git a/API/index.php b/API/index.php
index 706d4ce..e45c86f 100644
--- a/API/index.php
+++ b/API/index.php
@@ -1,21 +1,50 @@
 <?php
+// Improved Discord Bot Admin API
+
+// Error reporting (disable on production)
+error_reporting(E_ALL);
+ini_set('display_errors', 1);
+
+// Configure secure session parameters:
+session_set_cookie_params([
+    'httponly' => true,
+    'secure'   => true, // Ensure HTTPS is used in production
+    'samesite' => 'Strict'
+]);
 session_start();
 
-// === Login & Authentication ===
-// Only proceed if the current session is authenticated.
-// If not, show a login form.
-if (!isset($_SESSION['logged_in'])) {
-    if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['username'], $_POST['password'])) {
-        $user_env = getenv('user'); // environment variable "user"
-        $pass_env = getenv('pass'); // environment variable "pass"
-        if ($_POST['username'] === $user_env && $_POST['password'] === $pass_env) {
-            $_SESSION['logged_in'] = true;
-            header("Location: index.php");
-            exit;
+// --- CSRF Utility Functions ---
+function getCsrfToken() {
+    if (empty($_SESSION['csrf_token'])) {
+        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
+    }
+    return $_SESSION['csrf_token'];
+}
+
+function validateCsrfToken($token) {
+    return isset($_SESSION['csrf_token']) && hash_equals($_SESSION['csrf_token'], $token);
+}
+
+// --- Login and Authentication ---
+if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] !== true) {
+    if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['username'], $_POST['password'], $_POST['csrf_token'])) {
+        if (!validateCsrfToken($_POST['csrf_token'])) {
+            $error = "Invalid CSRF token.";
         } else {
-            $error = "Invalid credentials.";
+            $envUser = getenv('user');
+            $envPass = getenv('pass');
+            // Using hash_equals for timing attack prevention
+            if (hash_equals($_POST['username'], $envUser) && hash_equals($_POST['password'], $envPass)) {
+                $_SESSION['logged_in'] = true;
+                session_regenerate_id(true);
+                header("Location: " . $_SERVER['PHP_SELF']);
+                exit;
+            } else {
+                $error = "Invalid credentials.";
+            }
         }
     }
+    $loginToken = getCsrfToken();
     ?>
     <!DOCTYPE html>
     <html>
@@ -64,8 +93,9 @@ if (!isset($_SESSION['logged_in'])) {
     <body>
         <div class="login-container">
             <h2>Login</h2>
-            <?php if(isset($error)) echo "<p class='error'>{$error}</p>"; ?>
-            <form method="POST">
+            <?php if(isset($error)) { echo "<p class='error'>" . htmlspecialchars($error) . "</p>"; } ?>
+            <form method="POST" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
+                <input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($loginToken); ?>">
                 <label>Username</label>
                 <input type="text" name="username" required>
                 <label>Password</label>
@@ -76,65 +106,76 @@ if (!isset($_SESSION['logged_in'])) {
     </body>
     </html>
     <?php
-    exit; // Do not execute the rest until logged in.
+    exit;
 }
 
-// === End Authentication ===
+// --- Action Handlers ---
+$output = "";
 
-// Determine which action to do.
-$action = "";
-if (isset($_GET['action'])) {
-    $action = $_GET['action'];
-} elseif (isset($_POST['action'])) {
-    $action = $_POST['action'];
+function handleVersionAction() {
+    $botDir = '/home/server/wdiscordbotserver';
+    if (is_dir($botDir)) {
+        $cmd = 'cd ' . escapeshellarg($botDir) . ' && git rev-parse HEAD 2>&1';
+        return trim(shell_exec($cmd));
+    }
+    return "Directory not found.";
 }
 
-$output = ""; // To hold any output from actions
+function handleUpdateAction() {
+    // Only allow updates using a POST request with a valid CSRF token.
+    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['csrf_token']) || !validateCsrfToken($_POST['csrf_token'])) {
+        return "Unauthorized update request.";
+    }
+    $botDir = '/home/server/wdiscordbotserver';
+    $result = "";
+    if (is_dir($botDir)) {
+        $rmCmd = 'rm -rf ' . escapeshellarg($botDir) . ' 2>&1';
+        $result .= shell_exec($rmCmd);
+    }
+    $cloneCmd = 'git clone https://gitlab.com/pancakes1234/wdiscordbotserver.git ' . escapeshellarg($botDir) . ' 2>&1';
+    $result .= shell_exec($cloneCmd);
+    return $result;
+}
 
-// Handle the different actions.
-switch ($action) {
-    case "version":
-        // Gets the current commit from /home/server/wdiscordbotserver.
-        $botDir = '/home/server/wdiscordbotserver';
-        if (is_dir($botDir)) {
-            $cmd = 'cd ' . escapeshellarg($botDir) . ' && git rev-parse HEAD 2>&1';
-            $output = shell_exec($cmd);
+function handleDataAction() {
+    $baseDir = realpath('/home/server');
+    $file = $_GET['file'] ?? null;
+    $response = "";
+    if ($file) {
+        $realFile = realpath($file);
+        if ($realFile === false || strpos($realFile, $baseDir) !== 0) {
+            $response = "Invalid file.";
         } else {
-            $output = "Directory not found.";
-        }
-        break;
-
-    case "update":
-        // Removes the folder and clones the repository anew.
-        $botDir = '/home/server/wdiscordbotserver';
-        if (is_dir($botDir)) {
-            $rmCmd = 'rm -rf ' . escapeshellarg($botDir) . ' 2>&1';
-            $output .= shell_exec($rmCmd);
-        }
-        $cloneCmd = 'git clone https://gitlab.com/pancakes1234/wdiscordbotserver.git ' . escapeshellarg($botDir) . ' 2>&1';
-        $output .= shell_exec($cloneCmd);
-        break;
-
-    case "data":
-        // If editing a file, process its content.
-        if (isset($_GET['file'])) {
-            $file = $_GET['file'];
-            $baseDir = realpath('/home/server');
-            $realFile = realpath($file);
-            if ($realFile === false || strpos($realFile, $baseDir) !== 0) {
-                $output = "Invalid file.";
-            } else {
-                if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['content'])) {
-                    file_put_contents($realFile, $_POST['content']);
-                    $output = "File updated successfully.";
+            if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['content'], $_POST['csrf_token'])) {
+                if (!validateCsrfToken($_POST['csrf_token'])) {
+                    $response = "Invalid CSRF token.";
+                } else {
+                    if (file_put_contents($realFile, $_POST['content']) !== false) {
+                        $response = "File updated successfully.";
+                    } else {
+                        $response = "Failed to update file.";
+                    }
                 }
             }
         }
-        break;
+    }
+    return $response;
+}
 
-    // Other actions (such as terminal) will be handled in the UI below.
+// --- Process Request Actions ---
+$action = $_GET['action'] ?? ($_POST['action'] ?? "");
+switch ($action) {
+    case "version":
+        $output = handleVersionAction();
+        break;
+    case "update":
+        $output = handleUpdateAction();
+        break;
+    case "data":
+        $output = handleDataAction();
+        break;
+    // Additional action cases (e.g., "terminal") can be handled below.
     default:
-        // No action or unrecognized action.
         break;
 }
 ?>
@@ -143,7 +184,6 @@ switch ($action) {
 <head>
     <title>Discord Bot Admin API</title>
     <style>
-        /* General styling */
         body {
             font-family: Arial, sans-serif;
             background: #e9e9e9;
@@ -160,7 +200,7 @@ switch ($action) {
         header {
             margin-bottom: 20px;
         }
-        header button {
+        header button, header form button {
             padding: 10px 20px;
             margin-right: 10px;
             border: none;
@@ -169,7 +209,7 @@ switch ($action) {
             cursor: pointer;
             border-radius: 3px;
         }
-        header button:hover {
+        header button:hover, header form button:hover {
             background: #0056b3;
         }
         .output {
@@ -211,7 +251,7 @@ switch ($action) {
         }
     </style>
     <script>
-        // For Version and Update actions we can use fetch to load the result via AJAX.
+        // For Version and Update actions we can use AJAX.
         function doAction(action) {
             if (action === "data" || action === "terminal") {
                 window.location.href = "?action=" + action;
@@ -220,116 +260,114 @@ switch ($action) {
                     .then(response => response.text())
                     .then(data => {
                         document.getElementById("output").innerText = data;
+                    })
+                    .catch(err => {
+                        document.getElementById("output").innerText = "Error: " + err;
                     });
             }
         }
         // SSH Connect functionality using the "ssh://" protocol.
         function doSSH() {
-            var sshUser = "<?php echo getenv('user'); ?>"; // SSH username from the env.
-            var sshHost = window.location.hostname; // use current hostname.
+            var sshUser = "<?php echo htmlspecialchars(getenv('user')); ?>";
+            var sshHost = window.location.hostname;
             window.location.href = "ssh://" + sshUser + "@" + sshHost;
         }
+        function showTab(tab) {
+            document.getElementById('wetty').style.display = (tab === 'wetty') ? 'block' : 'none';
+            document.getElementById('xterm').style.display = (tab === 'xterm') ? 'block' : 'none';
+        }
+        window.addEventListener('load', function() {
+            if(document.getElementById('xterm-container')) {
+                const terminal = new Terminal();
+                terminal.open(document.getElementById('xterm-container'));
+                
+                const socket = new WebSocket('ws://' + window.location.hostname + ':3001');
+                socket.onopen = function() {
+                    terminal.write("Connected to shell\r\n");
+                };
+                terminal.onData(function(data) {
+                    socket.send(data);
+                });
+                socket.onmessage = function(event) {
+                    terminal.write(event.data);
+                };
+                socket.onerror = function() {
+                    terminal.write("\r\nError connecting to shell.\r\n");
+                };
+                socket.onclose = function() {
+                    terminal.write("\r\nConnection closed.\r\n");
+                };
+            }
+        });
     </script>
+    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/xterm/css/xterm.css" />
+    <script src="https://cdn.jsdelivr.net/npm/xterm/lib/xterm.js"></script>
 </head>
 <body>
     <div class="container">
         <header>
             <h1>Discord Bot Admin API</h1>
             <button onclick="doAction('version')">Version</button>
-            <button onclick="doAction('update')">Update</button>
+            <!-- Update action now uses a form (POST with CSRF token) to improve safety -->
+            <form style="display:inline;" method="POST" action="?action=update" onsubmit="return confirm('Are you sure you want to update the bot?');">
+                <input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars(getCsrfToken()); ?>">
+                <button type="submit">Update</button>
+            </form>
             <button onclick="window.location.href='?action=data'">Data</button>
             <button onclick="doSSH()">SSH Connect</button>
             <button onclick="window.location.href='?action=terminal'">Terminal</button>
         </header>
-        <!-- Output area for AJAX-returned actions -->
+        <!-- AJAX Output Area -->
         <div id="output" class="output"><?php echo htmlspecialchars($output); ?></div>
 
-        <?php
-        // === Data Section ===
-        if ($action === "data") {
-            if (!isset($_GET['file'])) {
-                $baseDir = '/home/server';
-                echo "<h2>Files in {$baseDir}</h2>";
-                echo "<ul class='file-list'>";
-                $iterator = new RecursiveIteratorIterator(
-                    new RecursiveDirectoryIterator($baseDir, RecursiveDirectoryIterator::SKIP_DOTS)
-                );
-                foreach ($iterator as $fileInfo) {
-                    $filePath = $fileInfo->getPathname();
-                    echo "<li><a href='?action=data&file=" . urlencode($filePath) . "'>" . htmlspecialchars($filePath) . "</a></li>";
+        <?php if ($action === "data"): 
+            $baseDir = realpath('/home/server');
+            if (!isset($_GET['file'])): ?>
+                <h2>Files in <?php echo htmlspecialchars($baseDir); ?></h2>
+                <ul class="file-list">
+                <?php
+                try {
+                    $iterator = new RecursiveIteratorIterator(
+                        new RecursiveDirectoryIterator($baseDir, RecursiveDirectoryIterator::SKIP_DOTS)
+                    );
+                    foreach ($iterator as $fileInfo) {
+                        $filePath = $fileInfo->getPathname();
+                        echo "<li><a href='?action=data&file=" . urlencode($filePath) . "'>" . htmlspecialchars($filePath) . "</a></li>";
+                    }
+                } catch (Exception $e) {
+                    echo "<li>Error reading files: " . htmlspecialchars($e->getMessage()) . "</li>";
                 }
-                echo "</ul>";
-            } else {
+                ?>
+                </ul>
+            <?php else:
                 $file = $_GET['file'];
-                $baseDir = realpath('/home/server');
                 $realFile = realpath($file);
-                if ($realFile === false || strpos($realFile, $baseDir) !== 0) {
-                    echo "<p>Invalid file.</p>";
-                } else {
-                    echo "<h2>Editing: " . htmlspecialchars($realFile) . "</h2>";
-                    echo "<form method='POST' action='?action=data&file=" . urlencode($realFile) . "'>";
-                    echo "<textarea name='content'>" . htmlspecialchars(file_get_contents($realFile)) . "</textarea><br>";
-                    echo "<input type='hidden' name='action' value='data'>";
-                    echo "<input type='submit' value='Save' style='padding:10px 20px; margin-top:10px;'>";
-                    echo "</form>";
-                }
-            }
-        }
-        // === Terminal Section ===
-        elseif ($action === "terminal") :
-            // This section provides two terminal options:
-            // 1. Wetty Terminal via an iframe (assumes Wetty is running on port 3000)
-            // 2. A direct integration of xterm.js (which connects via WebSocket to a Node.js pty server on port 3001)
-        ?>
+                if ($realFile === false || strpos($realFile, $baseDir) !== 0): ?>
+                    <p>Invalid file.</p>
+                <?php else: ?>
+                    <h2>Editing: <?php echo htmlspecialchars($realFile); ?></h2>
+                    <form method="POST" action="?action=data&file=<?php echo urlencode($realFile); ?>">
+                        <input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars(getCsrfToken()); ?>">
+                        <textarea name="content"><?php echo htmlspecialchars(file_get_contents($realFile)); ?></textarea><br>
+                        <input type="hidden" name="action" value="data">
+                        <input type="submit" value="Save" style="padding:10px 20px; margin-top:10px;">
+                    </form>
+                <?php endif;
+            endif;
+        elseif ($action === "terminal"): ?>
             <div id="terminal-tabs" style="margin-bottom:10px;">
                 <button onclick="showTab('wetty')">Wetty Terminal</button>
                 <button onclick="showTab('xterm')">Xterm Terminal</button>
             </div>
             <div id="wetty" class="terminal-tab" style="display:block;">
                 <h2>Wetty Terminal</h2>
-                <iframe src="http://<?php echo $_SERVER['HTTP_HOST']; ?>:3000" width="100%" height="500px" frameborder="0"></iframe>
+                <iframe src="http://<?php echo htmlspecialchars($_SERVER['HTTP_HOST']); ?>:3000" width="100%" height="500px" frameborder="0"></iframe>
             </div>
             <div id="xterm" class="terminal-tab" style="display:none;">
                 <h2>Xterm Terminal</h2>
                 <div id="xterm-container" style="width: 100%; height: 500px;"></div>
             </div>
-            <!-- Load xterm.js resources -->
-            <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/xterm/css/xterm.css" />
-            <script src="https://cdn.jsdelivr.net/npm/xterm/lib/xterm.js"></script>
-            <script>
-                function showTab(tab) {
-                    document.getElementById('wetty').style.display = (tab === 'wetty') ? 'block' : 'none';
-                    document.getElementById('xterm').style.display = (tab === 'xterm') ? 'block' : 'none';
-                }
-                // Initialize xterm.js for the Xterm Terminal.
-                // NOTE: You MUST run a WebSocket Node.js server (for example, using node-pty and ws)
-                // listening on port 3001 to support this connection.
-                window.addEventListener('load', function() {
-                    // Initialize the terminal only once.
-                    const terminal = new Terminal();
-                    terminal.open(document.getElementById('xterm-container'));
-                    
-                    const socket = new WebSocket('ws://<?php echo $_SERVER['HTTP_HOST']; ?>:3001');
-                    socket.onopen = function() {
-                        terminal.write("Connected to shell\r\n");
-                    };
-                    terminal.onData(function(data) {
-                        socket.send(data);
-                    });
-                    socket.onmessage = function(event) {
-                        terminal.write(event.data);
-                    };
-                    socket.onerror = function() {
-                        terminal.write("\r\nError connecting to shell.\r\n");
-                    };
-                    socket.onclose = function() {
-                        terminal.write("\r\nConnection closed.\r\n");
-                    };
-                });
-            </script>
-        <?php
-        endif;
-        ?>
+        <?php endif; ?>
     </div>
 </body>
 </html>