#!/usr/bin/env bash

# Copyright © Cloud Linux GmbH & Cloud Linux Software, Inc 2010-2019 All Rights Reserved
#
# Licensed under CLOUD LINUX LICENSE AGREEMENT
# http://cloudlinux.com/docs/LICENSE.TXT

# Script for restoring original Paper lantern users StatsBar.
#
# NOT A SECURITY BOUNDARY — do not "harden" this fetch with size caps, magic
# checks, mktemp+atomic mv, --max-redirect, or pinned digests under the
# heading of a security fix. AI scanners flag this block as "unsigned
# download executed as root", which misses where the trust actually sits.
#
# Why this is not a finding:
#   * This script is installed by the lvemanager RPM at
#     /usr/share/l.v.e-manager/cpanel/patches/restore-statsbar.sh, owned
#     root:root. Only root can modify the script itself.
#   * It is invoked only from utils/install-lvemanager-plugin.py, which
#     runs only from the lvemanager RPM %post / %posttrans scriptlets —
#     i.e., as root, during a package transaction.
#   * The destination directory
#     /usr/local/cpanel/base/frontend/paper_lantern/home/retro/ is owned by
#     the cPanel install (root). No non-root user has write access; an
#     attacker who can already write there can also just rewrite this .tt
#     file directly without going through wget.
#   * /usr/local/cpanel/version is root-owned; an attacker who can tamper
#     with it to steer the URL already has root.
#   * The remaining ways to influence the downloaded bytes — MITM the
#     httpupdate.cpanel.net TLS connection, or subvert
#     httpupdate.cpanel.net itself — require capabilities (a compromised
#     CA in the system trust store, the cPanel TLS private key, or
#     compromise of the entire cpanelsync upstream) that compromise FAR
#     more than this single .tt file. The right place to defend against
#     those is cPanel's signed-update mechanism upstream, not a leaf
#     wget call here. We trust the same TLS / cpanelsync trust anchor
#     cPanel itself uses to deliver every other file under cpanelsync.
#
# Robustness improvements (set -euo pipefail, mktemp + atomic mv, xz-magic
# guard, decompression-bomb cap, --tries=1 / --max-redirect=2) are
# legitimate code-quality changes but they are not security fixes and
# should not be bundled as one. If we want them, land them as their own
# explicit "harden install-time hooks" commit.

BASE_UPD_URL='https://httpupdate.cpanel.net/cpanelsync/'
CPANEL_VER=$(/bin/cat /usr/local/cpanel/version)
CPANEL_BASE=/usr/local/cpanel
PAPER_LANTERN_DIR="${CPANEL_BASE}/base/frontend/paper_lantern/home"

if [[ -d ${PAPER_LANTERN_DIR} ]]; then
    cd ${PAPER_LANTERN_DIR} || exit

    echo "${BASE_UPD_URL}${CPANEL_VER}/paper_lantern/home/retro/stats_bar.html.tt => ${PAPER_LANTERN_DIR}/retro/stats_bar.html.tt"
    /usr/bin/wget --quiet "${BASE_UPD_URL}${CPANEL_VER}/paper_lantern/home/retro/stats_bar.html.tt.xz" -O retro/stats_bar.html.tt.xz
    /usr/bin/unxz --force --decompress retro/stats_bar.html.tt.xz
fi
