add a file path limit to the config

plugin/src/main/java/com/denizenscript/denizen/Settings.java

@@ -53,6 +53,7 @@ public static void refillCache() {
         cache_allowServerRestart = config.getBoolean("Commands.Restart.Allow server restart", true);
         cache_allowLogging = config.getBoolean("Commands.Log.Allow logging", true);
         cache_allowStrangeYAMLSaves = config.getBoolean("Commands.Yaml.Allow saving outside folder", false);
+        cache_limitPath = config.getString("Commands.Yaml.Limit path", "none");
         cache_chatMultipleTargetsFormat = config.getString("Commands.Chat.Options.Multiple targets format", "%target%, %target%, %target%, and others");
         cache_chatBystandersRange = config.getDouble("Commands.Chat.Options.Range for bystanders", 5.0);
         cache_chatNoTargetFormat = config.getString("Commands.Chat.Formats.No target", "[<[talker].name>]: <[message]>");
@@ -91,7 +92,7 @@ public static void refillCache() {
     private static String cache_getAlternateScriptPath, cache_scriptQueueSpeed, cache_healthTraitRespawnDelay,
             cache_engageTimeoutInSeconds, cache_chatMultipleTargetsFormat, cache_chatNoTargetFormat,
             cache_chatToTargetFormat, cache_chatWithTargetToBystandersFormat, cache_chatWithTargetsToBystandersFormat,
-            cache_chatToNpcFormat, cache_chatToNpcOverheardFormat, cache_interactQueueSpeed;
+            cache_chatToNpcFormat, cache_chatToNpcOverheardFormat, cache_interactQueueSpeed, cache_limitPath;
 
     private static int cache_consoleWidth = 128, cache_trimLength = 1024, cache_whileMaxLoops, cache_blockTagsMaxBlocks,
             cache_chatHistoryMaxMessages, cache_tagTimeout;
@@ -299,6 +300,10 @@ public static boolean allowStrangeYAMLSaves() {
         return cache_allowStrangeYAMLSaves;
     }
 
+    public static String fileLimitPath() {
+        return cache_limitPath;
+    }
+
     public static String chatMultipleTargetsFormat() {
         return cache_chatMultipleTargetsFormat;
     }

plugin/src/main/java/com/denizenscript/denizen/utilities/Utilities.java

@@ -93,6 +93,9 @@ public static boolean canWriteToFile(File f) {
                     !f.getCanonicalPath().startsWith(new File(".").getCanonicalPath())) {
                 return false;
             }
+            if (!CoreUtilities.toLowerCase(Settings.fileLimitPath()).equals("none")
+                    && !f.getCanonicalPath().startsWith(new File("./" + Settings.fileLimitPath()).getCanonicalPath())) {
+            }
             return isFileCanonicalStringSafeToWrite(lown) && isFileCanonicalStringSafeToWrite(lown + "/");
         }
         catch (Exception ex) {

plugin/src/main/resources/config.yml

@@ -139,6 +139,10 @@ Commands:
         # Whether the YAML command (or any other file-alteration command) is allowed to save outside the minecraft server folder.
         # Set to 'false' if you're worried about security.
         Allow saving outside folder: false
+        # Optionally: set a limited path, where all edits must be contained to.
+        # A good path to use for extra security is: plugins/Denizen/data/
+        # Leave at "none" to disable this optional protection.
+        Limit path: none
   Webget:
         # Whether to allow scripts to read arbitrary data from the web, which can also potentially enable tracking of your private server data.
         # Generally this is safe, but set to 'false' if you want very strict security.