author | Roman / Nea <roman.graef@gmail.com> | 2022-01-17 16:15:53 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-01-17 16:15:53 +0100 |
commit | 6107995ad7892807bf6ba098548754fea439cee4 (patch) | |
tree | 6cd2cdd24951bc432f4036e6ea1b9d664c8c6380 /src/main/java | |
parent | c81b6a34ae7bbb70a11f23f49422f2fceffa689c (diff) | |
Recipe Reloading should no longer duplicate recipes (#65)
* Remove potential RCE only exploitable by Moulberry himself, i still want my cape tho
* no more recipe dupes
Diffstat (limited to 'src/main/java')
-rw-r--r-- | src/main/java/io/github/moulberry/notenoughupdates/NEUManager.java | 34 | ||||
-rw-r--r-- | src/main/java/io/github/moulberry/notenoughupdates/commands/Commands.java | 11 |
2 files changed, 35 insertions, 10 deletions
diff --git a/src/main/java/io/github/moulberry/notenoughupdates/NEUManager.java b/src/main/java/io/github/moulberry/notenoughupdates/NEUManager.java
index e5497cd0..614884d9 100644
--- a/src/main/java/io/github/moulberry/notenoughupdates/NEUManager.java
+++ b/src/main/java/io/github/moulberry/notenoughupdates/NEUManager.java
@@ -3,6 +3,7 @@ package io.github.moulberry.notenoughupdates;
 import com.google.gson.*;
 import io.github.moulberry.notenoughupdates.auction.APIManager;
 import io.github.moulberry.notenoughupdates.miscgui.GuiItemRecipe;
+import io.github.moulberry.notenoughupdates.options.NEUConfig;
 import io.github.moulberry.notenoughupdates.recipes.CraftingOverlay;
 import io.github.moulberry.notenoughupdates.recipes.CraftingRecipe;
 import io.github.moulberry.notenoughupdates.recipes.Ingredient;
@@ -1034,6 +1035,9 @@ public class NEUManager {
 File newFile = new File(destDir + File.separator + fileName);
 //create directories for sub directories in zip
 new File(newFile.getParent()).mkdirs();
+ if (!isInTree(dir, newFile)) {
+ throw new RuntimeException("Not Enough Updates detected an invalid zip file. This is a potential security risk, please report this in the Moulberry discord.");
+ }
 FileOutputStream fos = new FileOutputStream(newFile);
 int len;
 while ((len = zis.read(buffer)) > 0) {
@@ -1054,6 +1058,16 @@ public class NEUManager {
 }
 }
+ private static boolean isInTree(File rootDirectory, File file) throws IOException {
+ file = file.getCanonicalFile();
+ rootDirectory = rootDirectory.getCanonicalFile();
+ while (file != null) {
+ if (file.equals(rootDirectory)) return true;
+ file = file.getParentFile();
+ }
+ return false;
+ }
+
 /**
 * Modified from https://www.journaldev.com/960/java-unzip-file-example
 */
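Review bot: In the hunk at -1034 the `isInTree(dir, newFile)` check runs after `new File(newFile.getParent()).mkdirs();`, so an entry name that resolves outside the extraction root still gets its parent directories created before the exception is thrown. Move the three added lines up so they sit directly after `File newFile = new File(destDir + File.separator + fileName);`, which is the order the second unzip method (hunk at -1067) already uses. `dir` is not declared inside the hunk; presumably it is the `File` built from `destDir`, which is worth confirming so both methods check against the same root. The enclosing method starts and ends outside this hunk, so whether `zis` is closed when the `RuntimeException` propagates cannot be confirmed from here.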
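Review bot: `isInTree` in the hunk at -1054 is the only guard that keeps archive entries inside the extraction directory, and it has no Javadoc. Add one stating that both arguments are canonicalised with `getCanonicalFile()` before comparison (so `..` segments and symlinks are resolved), that it returns true when `file` is `rootDirectory` itself or any descendant of it, and that the `IOException` comes from canonicalisation. As a style point, the two parameter reassignments would read better as locals, e.g. `File root = rootDirectory.getCanonicalFile();`.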
@@ -1067,6 +1081,9 @@ public class NEUManager {
 if (!ze.isDirectory()) {
 String fileName = ze.getName();
 File newFile = new File(dest, fileName);
+ if (!isInTree(dest, newFile)) {
+ throw new RuntimeException("Not Enough Updates detected an invalid zip file. This is a potential security risk, please report this in the Moulberry discord.");
+ }
 //create directories for sub directories in zip
 new File(newFile.getParent()).mkdirs();
 FileOutputStream fos = new FileOutputStream(newFile);
@@ -1438,4 +1455,21 @@ public class NEUManager {
 return stack;
 }
 }
+
+ public void reloadRepository() {
+ File items = new File(repoLocation, "items");
+ if (items.exists()) {
+ recipes.clear();
+ recipesMap.clear();
+ usagesMap.clear();
+
+ File[] itemFiles = new File(repoLocation, "items").listFiles();
+ if (itemFiles != null) {
+ for (File f : itemFiles) {
+ String internalname = f.getName().substring(0, f.getName().length() - 5);
+ loadItem(internalname);
+ }
+ }
+ }
+ }
 }
diff --git a/src/main/java/io/github/moulberry/notenoughupdates/commands/Commands.java b/src/main/java/io/github/moulberry/notenoughupdates/commands/Commands.java
index 37fe5f63..d3fd7e0c 100644
--- a/src/main/java/io/github/moulberry/notenoughupdates/commands/Commands.java
+++ b/src/main/java/io/github/moulberry/notenoughupdates/commands/Commands.java
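Review bot: `f.getName().substring(0, f.getName().length() - 5)` in `reloadRepository()` (hunk at -1438) assumes every entry under `items` ends in a five-character extension, presumably `.json`; a shorter name throws `StringIndexOutOfBoundsException`, and any other file or subdirectory is handed to `loadItem` with a truncated name. Because that directory appears to be filled from an extracted archive, filter before stripping, e.g. `if (!f.isFile() || !f.getName().endsWith(".json")) continue;`. The second `new File(repoLocation, "items")` can simply be `items.listFiles()`. The method also clears `recipes`, `recipesMap` and `usagesMap` before refilling them; whether another thread can read those collections in between is not visible in this hunk and is worth confirming.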
@@ -362,16 +362,7 @@ public class Commands {
 SimpleCommand reloadRepoCommand = new SimpleCommand("neureloadrepo", new SimpleCommand.ProcessCommandRunnable() {
 public void processCommand(ICommandSender sender, String[] args) {
- File items = new File(NotEnoughUpdates.INSTANCE.manager.repoLocation, "items");
- if (items.exists()) {
- File[] itemFiles = new File(NotEnoughUpdates.INSTANCE.manager.repoLocation, "items").listFiles();
- if (itemFiles != null) {
- for (File f : itemFiles) {
- String internalname = f.getName().substring(0, f.getName().length() - 5);
- NotEnoughUpdates.INSTANCE.manager.loadItem(internalname);
- }
- }
- }
+ NotEnoughUpdates.INSTANCE.manager.reloadRepository();
 Constants.reload();
 NotEnoughUpdates.INSTANCE.newConfigFile(); |