Restrict file reads to the plugin's folder

Plugin/src/main/java/com/gmail/filoghost/holographicdisplays/commands/main/subs/ReadimageCommand.java

@@ -75,7 +75,6 @@ public class ReadimageCommand extends HologramSubCommand {
 		boolean isUrl = false;
 		
 		try {
-			
 			String fileName = args[1];
 			BufferedImage image = null;
 			
@@ -88,7 +87,11 @@ public class ReadimageCommand extends HologramSubCommand {
 					Strings.sendWarning(sender, "The image path seems to be an URL. If so, please use http:// or https:// in the path.");
 				}
 				
-				image = FileUtils.readImage(new File(HolographicDisplays.getInstance().getDataFolder(), fileName));
+				File targetImage = new File(HolographicDisplays.getInstance().getDataFolder(), fileName);
+				CommandValidator.isTrue(FileUtils.isParentFolder(HolographicDisplays.getInstance().getDataFolder(), targetImage), "The image must be inside HolographicDisplays' folder.");
+				CommandValidator.isTrue(!FileUtils.isConfigFile(targetImage), "Cannot read default configuration files.");
+				
+				image = FileUtils.readImage(targetImage);
 			}
 			
 			if (!append) {
@@ -117,6 +120,8 @@ public class ReadimageCommand extends HologramSubCommand {
 			}
 			Bukkit.getPluginManager().callEvent(new NamedHologramEditedEvent(hologram));
 			
+		} catch (CommandException e) {
+			throw e;
 		} catch (MalformedURLException e) {
 			throw new CommandException("The provided URL was not valid.");
 		} catch (TooWideException e) {

Plugin/src/main/java/com/gmail/filoghost/holographicdisplays/commands/main/subs/ReadtextCommand.java

@@ -46,7 +46,12 @@ public class ReadtextCommand extends HologramSubCommand {
 		CommandValidator.notNull(hologram, Strings.noSuchHologram(args[0].toLowerCase()));
 		
 		try {
-			List<String> lines = FileUtils.readLines(new File(HolographicDisplays.getInstance().getDataFolder(), args[1]));
+			String fileName = args[1];
+			File targetFile = new File(HolographicDisplays.getInstance().getDataFolder(), fileName);
+			CommandValidator.isTrue(FileUtils.isParentFolder(HolographicDisplays.getInstance().getDataFolder(), targetFile), "The file must be inside HolographicDisplays' folder.");
+			CommandValidator.isTrue(!FileUtils.isConfigFile(targetFile), "Cannot read default configuration files.");
+			
+			List<String> lines = FileUtils.readLines(targetFile);
 			hologram.clearLines();
 			
 			int linesAmount = lines.size();
@@ -73,6 +78,8 @@ public class ReadtextCommand extends HologramSubCommand {
 			sender.sendMessage(Colors.PRIMARY + "The lines were pasted into the hologram!");
 			Bukkit.getPluginManager().callEvent(new NamedHologramEditedEvent(hologram));
 			
+		} catch (CommandException e) {
+			throw e;
 		} catch (FileNotFoundException e) {
 			throw new CommandException("A file named '" + args[1] + "' doesn't exist in the plugin's folder.");
 		} catch (IOException e) {
@@ -104,4 +111,5 @@ public class ReadtextCommand extends HologramSubCommand {
 	private boolean isImageExtension(String input) {
 		return Arrays.asList("jpg", "png", "jpeg", "gif").contains(input.toLowerCase());
 	}
+	
 }

Plugin/src/main/java/com/gmail/filoghost/holographicdisplays/util/FileUtils.java

@@ -12,6 +12,7 @@ import java.util.List;
 
 import javax.imageio.ImageIO;
 
+import com.gmail.filoghost.holographicdisplays.HolographicDisplays;
 import com.gmail.filoghost.holographicdisplays.exception.UnreadableImageException;
 
 
@@ -77,4 +78,20 @@ public class FileUtils {
 			
 		return image;
 	}
+	
+	public static boolean isParentFolder(File folder, File file) throws IOException {
+		File iteratorFile = file.getCanonicalFile();
+		folder = folder.getCanonicalFile();
+		while ((iteratorFile = iteratorFile.getParentFile()) != null) {
+			if (iteratorFile.equals(folder)) {
+				return true;
+			}
+		}
+		
+		return false;
+	}
+	
+	public static boolean isConfigFile(File file) {
+		return file.getName().toLowerCase().endsWith(".yml") && HolographicDisplays.getInstance().getResource(file.getName()) != null;
+	}
 }