Upstream/LuckPerms
1
0
Fork 0
mirror of https://github.com/LuckPerms/LuckPerms.git synced 2025-01-04 07:28:13 +01:00
Code Issues Projects Releases Wiki Activity

Only allow import and export commands to interact with files in the data directory (#1193)

Browse Source
This commit is contained in:
Luck 2018-09-02 22:20:29 +01:00
parent 2da027f3b5
commit 76517374a2
No known key found for this signature in database
GPG Key ID: EFA9B3EC5FD90F8B
3 changed files with 17 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
common/src/main/java/me/lucko/luckperms/common/commands/misc/ExportCommand.java
View File

@ -56,7 +56,14 @@ public class ExportCommand extends SingleCommand {
return CommandResult.STATE_ERROR; return CommandResult.STATE_ERROR;
} }
Path path = plugin.getBootstrap().getDataDirectory().resolve(args.get(0)); Path dataDirectory = plugin.getBootstrap().getDataDirectory();
Path path = dataDirectory.resolve(args.get(0));
if (!path.getParent().equals(dataDirectory) || path.getFileName().toString().equals("config.yml")) {
Message.FILE_NOT_WITHIN_DIRECTORY.send(sender, path.toString());
return CommandResult.INVALID_ARGS;
}
boolean includeUsers = !args.remove("--without-users"); boolean includeUsers = !args.remove("--without-users");
if (Files.exists(path)) { if (Files.exists(path)) {

9
common/src/main/java/me/lucko/luckperms/common/commands/misc/ImportCommand.java
View File

@ -57,7 +57,14 @@ public class ImportCommand extends SingleCommand {
return CommandResult.STATE_ERROR; return CommandResult.STATE_ERROR;
} }
Path path = plugin.getBootstrap().getDataDirectory().resolve(args.get(0)); Path dataDirectory = plugin.getBootstrap().getDataDirectory();
Path path = dataDirectory.resolve(args.get(0));
if (!path.getParent().equals(dataDirectory) || path.getFileName().toString().equals("config.yml")) {
Message.FILE_NOT_WITHIN_DIRECTORY.send(sender, path.toString());
return CommandResult.INVALID_ARGS;
}
if (!Files.exists(path)) { if (!Files.exists(path)) {
Message.IMPORT_LOG_DOESNT_EXIST.send(sender, path.toString()); Message.IMPORT_LOG_DOESNT_EXIST.send(sender, path.toString());
return CommandResult.INVALID_ARGS; return CommandResult.INVALID_ARGS;

1
common/src/main/java/me/lucko/luckperms/common/locale/message/Message.java
View File

@ -449,6 +449,7 @@ public enum Message {
IMPORT_ALREADY_RUNNING("&cAnother import process is already running. Please wait for it to finish and try again.", true), IMPORT_ALREADY_RUNNING("&cAnother import process is already running. Please wait for it to finish and try again.", true),
EXPORT_ALREADY_RUNNING("&cAnother export process is already running. Please wait for it to finish and try again.", true), EXPORT_ALREADY_RUNNING("&cAnother export process is already running. Please wait for it to finish and try again.", true),
FILE_NOT_WITHIN_DIRECTORY("&cError: File &4{}&c must be a direct child of the data directory.", true),
IMPORT_LOG_DOESNT_EXIST("&cError: File &4{}&c does not exist.", true), IMPORT_LOG_DOESNT_EXIST("&cError: File &4{}&c does not exist.", true),
IMPORT_LOG_NOT_READABLE("&cError: File &4{}&c is not readable.", true), IMPORT_LOG_NOT_READABLE("&cError: File &4{}&c is not readable.", true),
IMPORT_LOG_FAILURE("&cAn unexpected error occured whilst reading from the log file.", true), IMPORT_LOG_FAILURE("&cAn unexpected error occured whilst reading from the log file.", true),