Hotfix for path traversal vulnerability

Speedy11CZ · Jan 15, 2024 · 02ca6d1 · 02ca6d1
1 parent 020a6ad
commit 02ca6d1
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/common/src/main/java/cz/speedy11/mcrpx/common/util/ZipUtil.java b/common/src/main/java/cz/speedy11/mcrpx/common/util/ZipUtil.java
@@ -99,6 +99,11 @@ public static void extractZip(File file, File destDirectory, ExtractTaskListener
             int elementCount = 0;
             while (zipEntries.hasMoreElements()) {
                 ZipEntry zipEntry = zipEntries.nextElement();
+                if (zipEntry.getName().contains("..")) {
+                    listener.onMessage("Skipping " + zipEntry.getName() + ": Invalid path");
+                    continue;
+                }
+
                 try {
                     listener.onMessage("Extracting " + zipEntry.getName());
                     try (InputStream entryInputStream = zipFile.getInputStream(zipEntry)) {
@@ -141,6 +146,11 @@ public static void extractMinecraft(File file, File destDirectory, ExtractTaskLi
             int elementCount = 0;
             while (jarEntries.hasMoreElements()) {
                 JarEntry jarEntry = jarEntries.nextElement();
+                if (jarEntry.getName().contains("..")) {
+                    listener.onMessage("Skipping " + jarEntry.getName() + ": Invalid path");
+                    continue;
+                }
+
                 if (jarEntry.getName().startsWith("assets/") && !jarEntry.isDirectory()) {
                     listener.onMessage("Extracting " + jarEntry.getName());
                     try (InputStream entryInputStream = jarFile.getInputStream(jarEntry)) {

diff --git a/gradle.properties b/gradle.properties
@@ -1,6 +1,6 @@
 # Project properties
-projectDescription=Core library for plugins used by ketchup plugins, developed by Rajce.pro.
-projectVersion=1.4.0
+projectDescription=MCRPX is a tool to extract files from Minecraft: Java Edition resource packs into selected directory. It can also bypass corrupted resource packs, used by servers to protect their resource packs.
+projectVersion=1.4.1
 # Gradle properties
 org.gradle.daemon=true
 org.gradle.configureondemand=true