From 02ca6d1fd851567560046766ac9d04d20db35b8e Mon Sep 17 00:00:00 2001
From: Speedy11CZ <michalspisak53@gmail.com>
Date: Mon, 15 Jan 2024 10:06:53 +0100
Subject: [PATCH] Hotfix for path traversal vulnerability

---
 .../java/cz/speedy11/mcrpx/common/util/ZipUtil.java    | 10 ++++++++++
 gradle.properties                                      |  4 ++--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/common/src/main/java/cz/speedy11/mcrpx/common/util/ZipUtil.java b/common/src/main/java/cz/speedy11/mcrpx/common/util/ZipUtil.java
index 057ed1e..2c0cb52 100644
--- a/common/src/main/java/cz/speedy11/mcrpx/common/util/ZipUtil.java
+++ b/common/src/main/java/cz/speedy11/mcrpx/common/util/ZipUtil.java
@@ -99,6 +99,11 @@ public static void extractZip(File file, File destDirectory, ExtractTaskListener
             int elementCount = 0;
             while (zipEntries.hasMoreElements()) {
                 ZipEntry zipEntry = zipEntries.nextElement();
+                if (zipEntry.getName().contains("..")) {
+                    listener.onMessage("Skipping " + zipEntry.getName() + ": Invalid path");
+                    continue;
+                }
+
                 try {
                     listener.onMessage("Extracting " + zipEntry.getName());
                     try (InputStream entryInputStream = zipFile.getInputStream(zipEntry)) {
@@ -141,6 +146,11 @@ public static void extractMinecraft(File file, File destDirectory, ExtractTaskLi
             int elementCount = 0;
             while (jarEntries.hasMoreElements()) {
                 JarEntry jarEntry = jarEntries.nextElement();
+                if (jarEntry.getName().contains("..")) {
+                    listener.onMessage("Skipping " + jarEntry.getName() + ": Invalid path");
+                    continue;
+                }
+
                 if (jarEntry.getName().startsWith("assets/") && !jarEntry.isDirectory()) {
                     listener.onMessage("Extracting " + jarEntry.getName());
                     try (InputStream entryInputStream = jarFile.getInputStream(jarEntry)) {
diff --git a/gradle.properties b/gradle.properties
index 871c6ee..b259587 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -1,6 +1,6 @@
 # Project properties
-projectDescription=Core library for plugins used by ketchup plugins, developed by Rajce.pro.
-projectVersion=1.4.0
+projectDescription=MCRPX is a tool to extract files from Minecraft: Java Edition resource packs into selected directory. It can also bypass corrupted resource packs, used by servers to protect their resource packs.
+projectVersion=1.4.1
 # Gradle properties
 org.gradle.daemon=true
 org.gradle.configureondemand=true