Skip to content

feat: import eggs from URLs or URIs whatever #361

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

feat: import eggs from URLs or URIs whatever #361

wants to merge 3 commits into from

Conversation

imeesa
Copy link
Contributor

@imeesa imeesa commented Sep 22, 2025

this probably has a ton of bugs. i tested and added validation for everything i can think of
this also introduces a new environment variable, ALLOWED_EGG_HOSTS, which is a comma-seperated list of hostnames to allow downloading eggs from. if not provided, it defaults to raw.githubusercontent.com.

@scanash00
Copy link
Contributor

isn't raw.githubusercontent.com allowing every egg though

@scanash00
Copy link
Contributor

I recommend pyro to do an approved egg directory on yolks.pyro.host!

@imeesa
Copy link
Contributor Author

imeesa commented Sep 22, 2025

isn't raw.githubusercontent.com allowing every egg though

wdym

the point of ALLOWED_EGG_HOSTS is avoiding ssrf or backend ip leaks, not to limit the eggs that can be uploaded

@scanash00
Copy link
Contributor

isn't raw.githubusercontent.com allowing every egg though

wdym

the point of ALLOWED_EGG_HOSTS is avoiding ssrf or backend ip leaks, not to limit the eggs that can be uploaded

There are dangerous eggs out there.

@imeesa
Copy link
Contributor Author

imeesa commented Sep 22, 2025

isn't raw.githubusercontent.com allowing every egg though

wdym
the point of ALLOWED_EGG_HOSTS is avoiding ssrf or backend ip leaks, not to limit the eggs that can be uploaded

There are dangerous eggs out there.

This functionality is only for users who would have had the ability to upload eggs anyways.

@ChecksumDev
Copy link
Member

I don't believe this functionality would be used properly, e.g. the average user of Pyrodactyl would likely see this as meaning everything from gist is safe. If we do have a block list it should probably be implemented on the settings page, but seeing as server administrators, ideally people who should know what they are doing are the ones importing eggs into the panel, I see this as a nonissue.

If the goal is to spread awareness, there should be some warning, maybe about the eggs author, maybe a way to trust them, but seeing as there is no current system in place for validating if the author actually wrote the egg I see this as a pointless addition.

We are actually looking into spinning up a repository for eggs of our own, but until that exists I think we should drop the environment variable to avoid confusion / misinterpretation of the risks.

Also, we shouldn't just not trust from a link, who's to say if they just downloaded a malicious egg from somewhere and decided to upload it, it would make the whole check / prompt useless while basically being the same thing.

@imeesa
Copy link
Contributor Author

imeesa commented Sep 22, 2025

I added the environment variable to avoid SSRF or leaking the IP of the panel if it's, for example, behind Cloudflare or a similar service. (This is also why I made it an environment variable, someone being admin on a panel probably shouldn't be able to make GET requests potentially into the internal network of the machine running the panel just because of that.)

Since admins can upload eggs anyways, I don't think this opens a new surface for uploading malicious eggs.
I do think removing the default allow for githubusercontent.com makes sense, I'll change that.

@naterfute
Copy link
Collaborator

naterfute commented Sep 22, 2025
edited
Loading

I don't believe this functionality would be used properly, e.g. the average user of Pyrodactyl would likely see this as meaning everything from gist is safe. If we do have a block list it should probably be implemented on the settings page, but seeing as server administrators, ideally people who should know what they are doing are the ones importing eggs into the panel, I see this as a nonissue.

If the goal is to spread awareness, there should be some warning, maybe about the eggs author, maybe a way to trust them, but seeing as there is no current system in place for validating if the author actually wrote the egg I see this as a pointless addition.

We are actually looking into spinning up a repository for eggs of our own, but until that exists I think we should drop the environment variable to avoid confusion / misinterpretation of the risks.

Also, we shouldn't just not trust from a link, who's to say if they just downloaded a malicious egg from somewhere and decided to upload it, it would make the whole check / prompt useless while basically being the same thing.

Whoah. You can't just tell them what my plans for the panel are 😭 Making my reveal less... reveally??

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@imeesa @scanash00 @ChecksumDev @naterfute