From be35000c0d725b768a1391a1eeeb7369e6f30b20 Mon Sep 17 00:00:00 2001
From: Speedy11CZ
Date: Mon, 15 Jan 2024 10:05:05 +0100
Subject: [PATCH] Hotfix for path traversal vulnerability

---
 .../java/cz/speedy11/mcrpx/common/util/ZipUtil.java | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/common/src/main/java/cz/speedy11/mcrpx/common/util/ZipUtil.java b/common/src/main/java/cz/speedy11/mcrpx/common/util/ZipUtil.java
index 057ed1e..2c0cb52 100644
--- a/common/src/main/java/cz/speedy11/mcrpx/common/util/ZipUtil.java
+++ b/common/src/main/java/cz/speedy11/mcrpx/common/util/ZipUtil.java
@@ -99,6 +99,11 @@ public static void extractZip(File file, File destDirectory, ExtractTaskListener
 int elementCount = 0;
 while (zipEntries.hasMoreElements()) {
 ZipEntry zipEntry = zipEntries.nextElement();
+ if (zipEntry.getName().contains("..")) {
+ listener.onMessage("Skipping " + zipEntry.getName() + ": Invalid path");
+ continue;
+ }
+
 try {
 listener.onMessage("Extracting " + zipEntry.getName());
 try (InputStream entryInputStream = zipFile.getInputStream(zipEntry)) {
@@ -141,6 +146,11 @@ public static void extractMinecraft(File file, File destDirectory, ExtractTaskLi
 int elementCount = 0;
 while (jarEntries.hasMoreElements()) {
 JarEntry jarEntry = jarEntries.nextElement();
+ if (jarEntry.getName().contains("..")) {
+ listener.onMessage("Skipping " + jarEntry.getName() + ": Invalid path");
+ continue;
+ }
+
 if (jarEntry.getName().startsWith("assets/") && !jarEntry.isDirectory()) {
 listener.onMessage("Extracting " + jarEntry.getName());
 try (InputStream entryInputStream = jarFile.getInputStream(jarEntry)) {
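Review bot: The new `zipEntry.getName().contains("..")` guard in extractZip is a substring heuristic rather than a check on where the entry actually lands: it rejects harmless names such as `icons/a..b.png`, and because the destination file is built outside this hunk it does not demonstrably confine absolute or otherwise platform-specific entry names to destDirectory. The conventional fix is to resolve the target and compare canonical paths, e.g. `File target = new File(destDirectory, zipEntry.getName());` followed by `if (!target.getCanonicalPath().startsWith(destDirectory.getCanonicalPath() + File.separator)) { listener.onMessage("Skipping " + zipEntry.getName() + ": Invalid path"); continue; }`, with the canonical destination prefix computed once before the loop. Note that getCanonicalPath declares IOException and the check sits before the hunk's `try {`, so it needs its own handling unless the method already propagates IOException (signature not fully visible). The extractMinecraft hunk below has the identical weakness and should get the same treatment. Both enclosing methods begin and end outside their hunks.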