From fa6bded519daf3bf858ebf58b36e66614c2e95d8 Mon Sep 17 00:00:00 2001
From: mcmonkey4eva
Date: Thu, 11 May 2017 14:09:54 -0700
Subject: [PATCH] FileCopy + Directories, security fix
---
 .../scripts/commands/core/FileCopyCommand.java | 14 +++++++++++++-
 .../denizen/scripts/commands/core/YamlCommand.java | 4 ++++
 .../aufdemrand/denizen/tags/core/ServerTags.java | 9 +++++++++
 3 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/plugin/src/main/java/net/aufdemrand/denizen/scripts/commands/core/FileCopyCommand.java b/plugin/src/main/java/net/aufdemrand/denizen/scripts/commands/core/FileCopyCommand.java
index 6b0a726b9e..6ce5d05a90 100644
--- a/plugin/src/main/java/net/aufdemrand/denizen/scripts/commands/core/FileCopyCommand.java
+++ b/plugin/src/main/java/net/aufdemrand/denizen/scripts/commands/core/FileCopyCommand.java
@@ -78,6 +78,13 @@ public void execute(final ScriptEntry scriptEntry) throws CommandExecutionExcept
 scriptEntry.addObject("success", new Element("false"));
 return;
 }
+
+ if (!Utilities.isSafeFile(o)) {
+ dB.echoError(scriptEntry.getResidingQueue(), "Can't copy files from there!");
+ scriptEntry.addObject("success", new Element("false"));
+ return;
+ }
+
 if (!Utilities.isSafeFile(d)) {
 dB.echoError(scriptEntry.getResidingQueue(), "Can't copy files to there!");
 scriptEntry.addObject("success", new Element("false"));
@@ -93,7 +100,12 @@ public void execute(final ScriptEntry scriptEntry) throws CommandExecutionExcept
 if (dexists && !disdir) {
 d.delete();
 }
- FileUtils.copyFile(o, d);
+ if (o.isDirectory()) {
+ FileUtils.copyDirectory(o, d);
+ }
+ else {
+ FileUtils.copyFile(o, d);
+ }
 scriptEntry.addObject("success", new Element("true"));
 }
 catch (Exception e) {
diff --git a/plugin/src/main/java/net/aufdemrand/denizen/scripts/commands/core/YamlCommand.java b/plugin/src/main/java/net/aufdemrand/denizen/scripts/commands/core/YamlCommand.java
index e78e7c12fc..bc85f2c4f3 100644
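Review bot: The new `copyDirectory` branch in the second FileCopyCommand hunk validates only the top-level source path: `Utilities.isSafeFile(o)` was applied to the directory itself, and nothing checks the entries the recursive copy will read beneath it, so a symbolic link inside that tree could presumably be followed into a location `isSafeFile` would have rejected on its own (whether commons-io follows links here is version-dependent and worth confirming). Either record the assumption above the branch, `// isSafeFile checked only the directory itself; entries below it are copied unchecked`, or walk the tree and apply `isSafeFile` to each entry (or skip links) before calling `copyDirectory`. A second difference from the file case is worth a comment: when `d` is an existing directory the `dexists && !disdir` branch does not remove it, so `copyDirectory` merges into it rather than replacing it. `execute` starts and ends outside the hunk.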
--- a/plugin/src/main/java/net/aufdemrand/denizen/scripts/commands/core/YamlCommand.java
+++ b/plugin/src/main/java/net/aufdemrand/denizen/scripts/commands/core/YamlCommand.java
@@ -252,6 +252,10 @@ public void execute(final ScriptEntry scriptEntry) throws CommandExecutionExcept
 dB.echoError("File cannot be found!");
 return;
 }
+ if (!Utilities.isSafeFile(file)) {
+ dB.echoError(scriptEntry.getResidingQueue(), "Cannot load that file!");
+ return;
+ }
 try {
 FileInputStream fis = new FileInputStream(file);
 String str = ScriptHelper.convertStreamToString(fis);
diff --git a/plugin/src/main/java/net/aufdemrand/denizen/tags/core/ServerTags.java b/plugin/src/main/java/net/aufdemrand/denizen/tags/core/ServerTags.java
index c31453f640..0051531ee0 100644
--- a/plugin/src/main/java/net/aufdemrand/denizen/tags/core/ServerTags.java
+++ b/plugin/src/main/java/net/aufdemrand/denizen/tags/core/ServerTags.java
@@ -16,6 +16,7 @@
 import net.aufdemrand.denizen.scripts.containers.core.AssignmentScriptContainer;
 import net.aufdemrand.denizen.tags.BukkitTagContext;
 import net.aufdemrand.denizen.utilities.DenizenAPI;
+import net.aufdemrand.denizen.utilities.Utilities;
 import net.aufdemrand.denizen.utilities.debugging.dB;
 import net.aufdemrand.denizen.utilities.depends.Depends;
 import net.aufdemrand.denizencore.DenizenCore;
@@ -447,6 +448,10 @@ public void serverTag(ReplaceableTagEvent event) {
 dB.echoError(e);
 return;
 }
+ if (!Utilities.isSafeFile(f)) {
+ dB.echoError("Invalid path specified. Invalid paths have been denied by the server administrator.");
+ return;
+ }
 event.setReplaced(new Element(f.exists()).getAttribute(attribute.fulfill(1)));
 return;
 }
@@ -473,6 +478,10 @@ public void serverTag(ReplaceableTagEvent event) {
 dB.echoError(e);
 return;
 }
+ if (!Utilities.isSafeFile(folder)) {
+ dB.echoError("Invalid path specified. Invalid paths have been denied by the server administrator.");
+ return;
+ }
 File[] files = folder.listFiles();
 if (files == null) {
 return;
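Review bot: The new `isSafeFile(file)` guard in the YamlCommand hunk sits after the existence check that echoes `"File cannot be found!"`, so a script is still told whether a path outside the permitted area exists before the load is refused; the ServerTags hunks in this same commit place the guard ahead of `f.exists()`. Move the `if (!Utilities.isSafeFile(file)) { ... }` block above the existence check, on the assumption that `isSafeFile` does not itself require the file to exist (its implementation is not shown here). `execute` starts and ends outside the hunk.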
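Review bot: The denial message added in the ServerTags hunk at `@@ -447` is a long literal repeated verbatim in the `@@ -473` hunk; hoist it into one constant, `private static final String UNSAFE_PATH_MESSAGE = "Invalid path specified. Invalid paths have been denied by the server administrator.";`, so the two branches cannot drift apart. Both new calls also use the single-argument `dB.echoError(String)` while the FileCopyCommand and YamlCommand hunks pass `scriptEntry.getResidingQueue()`; if a queue is reachable from `event` or `attribute` here, routing the error through it would keep reporting consistent, but that cannot be told from the hunk. `serverTag` starts and ends outside both hunks.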