Recipe Reloading should no longer duplicate recipes (#65)

* Remove potential RCE only exploitable by Moulberry himself, i still want my cape tho * no more recipe dupes
author: Roman / Nea <roman.graef@gmail.com> 2022-01-17 16:15:53 +0100
committer: GitHub <noreply@github.com> 2022-01-17 16:15:53 +0100
commit: 6107995ad7892807bf6ba098548754fea439cee4 (patch)
tree: 6cd2cdd24951bc432f4036e6ea1b9d664c8c6380
parent: c81b6a34ae7bbb70a11f23f49422f2fceffa689c (diff)
download: NotEnoughUpdates-6107995ad7892807bf6ba098548754fea439cee4.tar.gz
NotEnoughUpdates-6107995ad7892807bf6ba098548754fea439cee4.tar.bz2
NotEnoughUpdates-6107995ad7892807bf6ba098548754fea439cee4.zip
2 files changed, 35 insertions, 10 deletions
diff --git a/src/main/java/io/github/moulberry/notenoughupdates/NEUManager.java b/src/main/java/io/github/moulberry/notenoughupdates/NEUManager.java
index e5497cd0..614884d9 100644
--- a/src/main/java/io/github/moulberry/notenoughupdates/NEUManager.java
+++ b/src/main/java/io/github/moulberry/notenoughupdates/NEUManager.java
@@ -3,6 +3,7 @@ package io.github.moulberry.notenoughupdates;
 import com.google.gson.*;
 import io.github.moulberry.notenoughupdates.auction.APIManager;
 import io.github.moulberry.notenoughupdates.miscgui.GuiItemRecipe;
+import io.github.moulberry.notenoughupdates.options.NEUConfig;
 import io.github.moulberry.notenoughupdates.recipes.CraftingOverlay;
 import io.github.moulberry.notenoughupdates.recipes.CraftingRecipe;
 import io.github.moulberry.notenoughupdates.recipes.Ingredient;
@@ -1034,6 +1035,9 @@ public class NEUManager {
                     File newFile = new File(destDir + File.separator + fileName);
                     //create directories for sub directories in zip
                     new File(newFile.getParent()).mkdirs();
+                    if (!isInTree(dir, newFile)) {
+                        throw new RuntimeException("Not Enough Updates detected an invalid zip file. This is a potential security risk, please report this in the Moulberry discord.");
+                    }
                     FileOutputStream fos = new FileOutputStream(newFile);
                     int len;
                     while ((len = zis.read(buffer)) > 0) {
@@ -1054,6 +1058,16 @@ public class NEUManager {
         }
     }
 
+    private static boolean isInTree(File rootDirectory, File file) throws IOException {
+        file = file.getCanonicalFile();
+        rootDirectory = rootDirectory.getCanonicalFile();
+        while (file != null) {
+            if (file.equals(rootDirectory)) return true;
+            file = file.getParentFile();
+        }
+        return false;
+    }
+
     /**
      * Modified from https://www.journaldev.com/960/java-unzip-file-example
      */
@@ -1067,6 +1081,9 @@ public class NEUManager {
                 if (!ze.isDirectory()) {
                     String fileName = ze.getName();
                     File newFile = new File(dest, fileName);
+                    if (!isInTree(dest, newFile)) {
+                        throw new RuntimeException("Not Enough Updates detected an invalid zip file. This is a potential security risk, please report this in the Moulberry discord.");
+                    }
                     //create directories for sub directories in zip
                     new File(newFile.getParent()).mkdirs();
                     FileOutputStream fos = new FileOutputStream(newFile);
@@ -1438,4 +1455,21 @@ public class NEUManager {
             return stack;
         }
     }
+
+    public void reloadRepository() {
+        File items = new File(repoLocation, "items");
+        if (items.exists()) {
+            recipes.clear();
+            recipesMap.clear();
+            usagesMap.clear();
+
+            File[] itemFiles = new File(repoLocation, "items").listFiles();
+            if (itemFiles != null) {
+                for (File f : itemFiles) {
+                    String internalname = f.getName().substring(0, f.getName().length() - 5);
+                    loadItem(internalname);
+                }
+            }
+        }
+    }
 }
diff --git a/src/main/java/io/github/moulberry/notenoughupdates/commands/Commands.java b/src/main/java/io/github/moulberry/notenoughupdates/commands/Commands.java
index 37fe5f63..d3fd7e0c 100644
--- a/src/main/java/io/github/moulberry/notenoughupdates/commands/Commands.java
+++ b/src/main/java/io/github/moulberry/notenoughupdates/commands/Commands.java
@@ -362,16 +362,7 @@ public class Commands {
 
     SimpleCommand reloadRepoCommand = new SimpleCommand("neureloadrepo", new SimpleCommand.ProcessCommandRunnable() {
         public void processCommand(ICommandSender sender, String[] args) {
-            File items = new File(NotEnoughUpdates.INSTANCE.manager.repoLocation, "items");
-            if (items.exists()) {
-                File[] itemFiles = new File(NotEnoughUpdates.INSTANCE.manager.repoLocation, "items").listFiles();
-                if (itemFiles != null) {
-                    for (File f : itemFiles) {
-                        String internalname = f.getName().substring(0, f.getName().length() - 5);
-                        NotEnoughUpdates.INSTANCE.manager.loadItem(internalname);
-                    }
-                }
-            }
+            NotEnoughUpdates.INSTANCE.manager.reloadRepository();
             Constants.reload();
 
             NotEnoughUpdates.INSTANCE.newConfigFile();
author	Roman / Nea <roman.graef@gmail.com>	2022-01-17 16:15:53 +0100
committer	GitHub <noreply@github.com>	2022-01-17 16:15:53 +0100
commit	6107995ad7892807bf6ba098548754fea439cee4 (patch)
tree	6cd2cdd24951bc432f4036e6ea1b9d664c8c6380
parent	c81b6a34ae7bbb70a11f23f49422f2fceffa689c (diff)
download	NotEnoughUpdates-6107995ad7892807bf6ba098548754fea439cee4.tar.gz NotEnoughUpdates-6107995ad7892807bf6ba098548754fea439cee4.tar.bz2 NotEnoughUpdates-6107995ad7892807bf6ba098548754fea439cee4.zip