Merge pull request TheGameSpider#34 from ZandercraftGames/master

Add Fabric Support (+ Fix Security Issues and Code Cleanup)

.github/workflows/codacy.yml

@@ -0,0 +1,68 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow checks out code, performs a Codacy security scan
+# and integrates the results with the
+# GitHub Advanced Security code scanning feature.  For more information on
+# the Codacy security scan action usage and parameters, see
+# https://github.com/codacy/codacy-analysis-cli-action.
+# For more information on Codacy Analysis CLI in general, see
+# https://github.com/codacy/codacy-analysis-cli.
+
+name: Codacy Security Scan
+
+on:
+  push:
+    branches: [ "master", "Dev" ]
+    paths-ignore:
+      - 'docs/**'
+      - 'resources/**'
+      - 'resources/bootstrap/**'
+      - 'resources/default/**'
+      - 'resources/js/**'
+      - '.github/ISSUE_TEMPLATE/**'
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "master", "Dev" ]
+  schedule:
+    - cron: '31 15 * * 0'
+
+permissions:
+  contents: read
+
+jobs:
+  codacy-security-scan:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
+    name: Codacy Security Scan
+    runs-on: ubuntu-latest
+    steps:
+      # Checkout the repository to the GitHub Actions runner
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis
+      - name: Run Codacy Analysis CLI
+        uses: codacy/codacy-analysis-cli-action@d840f886c4bd4edc059706d09c6a1586111c540b
+        with:
+          # Check https://github.com/codacy/codacy-analysis-cli#project-token to get your project token from your Codacy repository
+          # You can also omit the token and run the tools that support default configurations
+          project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
+          verbose: true
+          output: results.sarif
+          format: sarif
+          # Adjust severity of non-security issues
+          gh-code-scanning-compat: true
+          # Force 0 exit code to allow SARIF file generation
+          # This will handover control about PR rejection to the GitHub side
+          max-allowed-issues: 2147483647
+
+      # Upload the SARIF file generated in the previous step
+      - name: Upload SARIF results file
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: results.sarif

.gitignore

@@ -3,3 +3,7 @@ forges/
 others/
 test.toml
 functions/config.php
+functions/cache.json
+
+# IntelliJ
+.idea/

403.html

@@ -1,5 +1,5 @@
 <!DOCTYPE html>
-<html>
+<html lang="en">
 <head>
 	<title>Solder.cf - Error</title>
 	<link href="https://fonts.googleapis.com/css?family=Josefin+Sans:100,300,400" rel="stylesheet">
@@ -23,11 +23,9 @@
 	</style>
 </head>
 <body>
-	<center>
-		<div>
-			<h1><b>Sorry!</b> Access is denied...</h1>
-			<h2>Error 403 - Forbidden.</h2>
-		</div>
-	</center>
+	<div style="margin-left: auto; margin-right: auto; text-align: center">
+		<h1><strong>Sorry!</strong> Access is denied...</h1>
+		<h2>Error 403 - Forbidden.</h2>
+	</div>
 </body>
 </html>

README.md

@@ -29,7 +29,7 @@ sudo su -
 This command installs what's known as a LAMP Stack, which includes Apache2, MariaDB, and PHP. Very useful!
 ```bash
 apt update
-apt -y install apache2 php libapache2-mod-php mariadb-server php-mysql php-dev zlib1g-dev libzip4 libzip-dev php-zip
+apt -y install apache2 php7.2 libapache2-mod-php mariadb-server php7.2-mysql php7.2-dev zlib1g-dev libzip4 libzip-dev php7.2-zip
 ```
 The above command can take a while to complete. Once done, restart apache.<br />
 
@@ -58,64 +58,80 @@ You probably want to remove this file after this test because it could actually
 ```bash
 rm /var/www/html/index.php
 ```
-**5. Enable RewriteEngine**<br />
+**5. Enable RewriteEngine and Configure Apache**<br />
 ```bash
 a2enmod rewrite
-nano /etc/apache2/sites-enabled/000-default.conf
+cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/TechnicSolder.conf
+a2ensite TechnicSolder
+nano /etc/apache2/sites-enabled/TechnicSolder.conf
 ```
+
+Add the following above the `DocumentRoot` line:
+```
+ServerName <yourSolderDomainHere>
+```
+
+Change the `DocumentRoot` line to:
+```
+DocumentRoot /var/www/TechnicSolder
+```
+
 Add this before `</VirtualHost>` close tag:
 ```
     DirectoryIndex index.php index.html
-    <Directory /var/www/html>
+    <Directory /var/www/TechnicSolder>
         Options Indexes FollowSymLinks MultiViews
         AllowOverride All
         Require all granted
     </Directory>
 ```
-Save and close the file
+Save and close the file and restart Apache:
+```
+service apache2 restart
+```
 ## Cloning TechnicSolder repository
 **6. Clone TechnicSolder repository** 
 ```bash
 cd /var/www/
-git clone https://github.com/TheGameSpider/TechnicSolder.git html
-```
-Installation is complete. Now you need to confige TechnicSolder before using it.
-# If you are using nginx:
-*there is an example for nginx configuration"*
-```nginx
-	location / {
-        try_files   $uri $uri/ /index.php?$query_string;
-        }
-
-	location /api/ {
-        try_files   $uri $uri/ /api/index.php?$query_string;
-        }
-
-    location ~* \.php$ {
-            fastcgi_pass                    unix:/run/php/php7.2-fpm.sock;
-            fastcgi_index                   index.php;
-            fastcgi_split_path_info         ^(.+\.php)(.*)$;
-            include                         fcgi.conf;
-            fastcgi_param PATH_INFO         $fastcgi_path_info;
-            fastcgi_param SCRIPT_FILENAME   $document_root$fastcgi_script_name;
-    }
-
-    location ~ /\.ht {
-            deny all;
-    }
-
-    location ~ .*/\. {
-            return 403;
-    }
-
-    error_page 403 /403.html;
-    
-    location ~* \.(?:ico|css|js|jpe?g|JPG|png|svg|woff)$ {
-            expires 365d;
-	}
-```
+git clone https://github.com/TheGameSpider/TechnicSolder.git TechnicSolder
+```
+Installation is complete. Now you need to configure TechnicSolder before using it.
+> **If you are using nginx:**  
+> *here is an example for nginx configuration*
+> ```nginx
+> 	location / {
+>         try_files   $uri $uri/ /index.php?$query_string;
+>         }
+>
+> 	location /api/ {
+>         try_files   $uri $uri/ /api/index.php?$query_string;
+>         }
+>
+>     location ~* \.php$ {
+>             fastcgi_pass                    unix:/run/php/php7.2-fpm.sock;
+>             fastcgi_index                   index.php;
+>             fastcgi_split_path_info         ^(.+\.php)(.*)$;
+>             include                         fcgi.conf;
+>             fastcgi_param PATH_INFO         $fastcgi_path_info;
+>             fastcgi_param SCRIPT_FILENAME   $document_root$fastcgi_script_name;
+>     }
+>
+>     location ~ /\.ht {
+>             deny all;
+>     }
+>
+>     location ~ .*/\. {
+>             return 403;
+>     }
+>
+>     error_page 403 /403.html;
+>     
+>     location ~* \.(?:ico|css|js|jpe?g|JPG|png|svg|woff)$ {
+>             expires 365d;
+> 	}
+> ```
 # Configuration
-**configure MySQL**
+**Configure MySQL**
 ```bash
 mysql
 ```
@@ -134,7 +150,7 @@ Create database solder and grant user *solder* access to it.
 CREATE DATABASE solder;
 GRANT ALL ON solder.* TO 'solder'@'localhost';
 FLUSH PRIVILEGES;
-exit
+EXIT;
 ```
 
 **Configure TechnicSolder** <br />

SECURITY.md

@@ -0,0 +1,18 @@
+# Security Policy
+
+## Supported Versions
+
+The below table shows which versions of TheGameSpider/TechnicSolder (Solder.cf) are supported with security updates.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| v1.3.2-master | :white_check_mark: |
+| v1.3.2-dev | :white_check_mark: |
+| < v1.3.2-master | :x: |
+| < v1.3.2-dev | :x: |
+
+## Reporting a Vulnerability
+
+To report security vulnerabilities, please DM TheGameSpider through his Discord server at [https://discord.gg/gksfNSHTP3](https://discord.gg/gksfNSHTP3) or through the support chat at [https://solder.cf](https://solder.cf)
+
+If the security vulnerability can be verified, an update will be released that fixes the issue as soon as possible.