From 76517374a2e1f46ed60c0adb58d48d7ff26c613e Mon Sep 17 00:00:00 2001
From: Luck
Date: Sun, 2 Sep 2018 22:20:29 +0100
Subject: [PATCH] Only allow import and export commands to interact with files in the data directory (#1193)
---
 .../luckperms/common/commands/misc/ExportCommand.java | 9 ++++++++-
 .../luckperms/common/commands/misc/ImportCommand.java | 9 ++++++++-
 .../lucko/luckperms/common/locale/message/Message.java | 1 +
 3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/common/src/main/java/me/lucko/luckperms/common/commands/misc/ExportCommand.java b/common/src/main/java/me/lucko/luckperms/common/commands/misc/ExportCommand.java
index 83be3bb04..b0a49a991 100644
--- a/common/src/main/java/me/lucko/luckperms/common/commands/misc/ExportCommand.java
+++ b/common/src/main/java/me/lucko/luckperms/common/commands/misc/ExportCommand.java
@@ -56,7 +56,14 @@ public class ExportCommand extends SingleCommand {
 return CommandResult.STATE_ERROR;
 }
- Path path = plugin.getBootstrap().getDataDirectory().resolve(args.get(0));
+ Path dataDirectory = plugin.getBootstrap().getDataDirectory();
+ Path path = dataDirectory.resolve(args.get(0));
+
+ if (!path.getParent().equals(dataDirectory) || path.getFileName().toString().equals("config.yml")) {
+ Message.FILE_NOT_WITHIN_DIRECTORY.send(sender, path.toString());
+ return CommandResult.INVALID_ARGS;
+ }
+
 boolean includeUsers = !args.remove("--without-users");
 if (Files.exists(path)) {
diff --git a/common/src/main/java/me/lucko/luckperms/common/commands/misc/ImportCommand.java b/common/src/main/java/me/lucko/luckperms/common/commands/misc/ImportCommand.java
index daa39c18e..77b0b80d5 100644
--- a/common/src/main/java/me/lucko/luckperms/common/commands/misc/ImportCommand.java
+++ b/common/src/main/java/me/lucko/luckperms/common/commands/misc/ImportCommand.java
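Review bot: The containment test in the ExportCommand hunk calls `path.getParent()` on the un-normalised result of `resolve()`, so an argument of `.` or `..` has `dataDirectory` as its literal parent and is accepted, and a null parent (possible when `resolve("")` hands back a single-element relative directory) would throw instead of being rejected. The `config.yml` comparison is also case-sensitive, so a differently cased name is not caught on a case-insensitive filesystem. I would normalise both sides and make the comparison null-safe: `Path dataDirectory = plugin.getBootstrap().getDataDirectory().normalize();`, `Path path = dataDirectory.resolve(args.get(0)).normalize();`, `if (!dataDirectory.equals(path.getParent()) || path.getFileName().toString().equalsIgnoreCase("config.yml")) {`. The ImportCommand hunk adds the same lines and needs the same change. The enclosing method starts and ends outside both hunks, so what is done with an accepted path is not visible here, and a symlink placed inside the data directory would still pass a purely lexical check.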
@@ -57,7 +57,14 @@ public class ImportCommand extends SingleCommand {
 return CommandResult.STATE_ERROR;
 }
- Path path = plugin.getBootstrap().getDataDirectory().resolve(args.get(0));
+ Path dataDirectory = plugin.getBootstrap().getDataDirectory();
+ Path path = dataDirectory.resolve(args.get(0));
+
+ if (!path.getParent().equals(dataDirectory) || path.getFileName().toString().equals("config.yml")) {
+ Message.FILE_NOT_WITHIN_DIRECTORY.send(sender, path.toString());
+ return CommandResult.INVALID_ARGS;
+ }
+
 if (!Files.exists(path)) {
 Message.IMPORT_LOG_DOESNT_EXIST.send(sender, path.toString());
 return CommandResult.INVALID_ARGS;
diff --git a/common/src/main/java/me/lucko/luckperms/common/locale/message/Message.java b/common/src/main/java/me/lucko/luckperms/common/locale/message/Message.java
index e09299bb8..9ef0cc21c 100644
--- a/common/src/main/java/me/lucko/luckperms/common/locale/message/Message.java
+++ b/common/src/main/java/me/lucko/luckperms/common/locale/message/Message.java
@@ -449,6 +449,7 @@ public enum Message {
 IMPORT_ALREADY_RUNNING("&cAnother import process is already running. Please wait for it to finish and try again.", true),
 EXPORT_ALREADY_RUNNING("&cAnother export process is already running. Please wait for it to finish and try again.", true),
+ FILE_NOT_WITHIN_DIRECTORY("&cError: File &4{}&c must be a direct child of the data directory.", true),
 IMPORT_LOG_DOESNT_EXIST("&cError: File &4{}&c does not exist.", true),
 IMPORT_LOG_NOT_READABLE("&cError: File &4{}&c is not readable.", true),
 IMPORT_LOG_FAILURE("&cAn unexpected error occured whilst reading from the log file.", true),
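Review bot: The guard in the ImportCommand hunk is a verbatim copy of the one added to ExportCommand, so any later correction to the path policy has to be made in two places and the two commands can drift apart. Moving the resolve-and-validate step into one shared helper that both commands call would keep the rule in a single spot. That helper is also where a short comment belongs, since the hunk never says why one file name is special; if the intent is what it appears to be, something like `// config.yml is excluded so import/export cannot read or overwrite the plugin configuration` would do. The enclosing method starts and ends outside the hunk.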
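Review bot: The text of `FILE_NOT_WITHIN_DIRECTORY` gives the wrong reason when the name is `config.yml`: the Export and Import hunks send it in that case too, yet `config.yml` is a direct child of the data directory. Either add a second message for the reserved name or widen the wording, for example `FILE_NOT_WITHIN_DIRECTORY("&cError: File &4{}&c must be a direct child of the data directory and must not be config.yml.", true),`. The message is also filled with `path.toString()` by both callers, so it echoes the resolved path back to the sender; passing only the supplied argument would avoid showing more of the server layout than needed.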