From dc42f51168bd8dc7787d843eea85a9d6c9413b08 Mon Sep 17 00:00:00 2001
From: tastybento
Date: Sun, 10 Mar 2024 11:46:44 -0700
Subject: [PATCH] Uses path normalization to prevent directory traversal attacks.

---
 .../bentobox/managers/BlueprintClipboardManager.java | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/main/java/world/bentobox/bentobox/managers/BlueprintClipboardManager.java b/src/main/java/world/bentobox/bentobox/managers/BlueprintClipboardManager.java
index 8afb589fc..4a5e66c33 100644
--- a/src/main/java/world/bentobox/bentobox/managers/BlueprintClipboardManager.java
+++ b/src/main/java/world/bentobox/bentobox/managers/BlueprintClipboardManager.java
@@ -214,8 +214,11 @@ public class BlueprintClipboardManager {
 }
 
 private void unzipFiles(final ZipInputStream zipInputStream, final Path unzipFilePath) throws IOException {
- if (!unzipFilePath.toFile().getCanonicalPath().startsWith(blueprintFolder.getCanonicalPath())) {
- throw new IOException("Entry is outside of the target directory");
+ // Prevent directory traversal attacks by normalizing the path
+ if (!unzipFilePath.startsWith(blueprintFolder.getCanonicalFile().toPath().normalize())) {
+ throw new IOException(
+ "Blueprint file is trying to write outside of the target directory! Blocked attempt to write to "
+ + unzipFilePath.toString());
 }
 try (BufferedOutputStream bos = new BufferedOutputStream(new FileOutputStream(unzipFilePath.toFile().getCanonicalPath()))) {
 byte[] bytesIn = new byte[1024];
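Review bot: The new guard normalizes only the base and compares it against the raw `unzipFilePath`, but `Path.startsWith` matches name elements literally and does not collapse `..`, so a target such as `<blueprintFolder>/../../x` still starts with `<blueprintFolder>` and passes, while the `FileOutputStream` on the following line then opens its canonical form outside the folder; unless the caller (outside this hunk) already normalizes `unzipFilePath`, this is weaker than the removed `getCanonicalPath()` comparison. Canonicalize the target the same way as the base before comparing: `Path base = blueprintFolder.getCanonicalFile().toPath();` / `Path target = unzipFilePath.toFile().getCanonicalFile().toPath();` / `if (!target.startsWith(base)) {`. Comparing `Path` elements instead of strings is the right move to keep, since the old string prefix test also accepted sibling directories whose name merely begins with the blueprint folder's name. The trailing `.normalize()` on the canonical base is redundant, as `getCanonicalFile()` already resolves `..` and symlinks, and the comment above the check should say it canonicalizes both paths once that is done. The body of `unzipFiles` continues past the end of this hunk.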