Add restriction to .txt files only

serversigns · Feb 13, 2021 · 6b39158 · 6b39158
1 parent a694830
commit 6b39158
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 4 deletions.
diff --git a/src/main/java/de/czymm/serversigns/commands/SubCommandImport.java b/src/main/java/de/czymm/serversigns/commands/SubCommandImport.java
@@ -24,6 +24,7 @@
 import de.czymm.serversigns.translations.Message;
 
 import java.nio.file.Files;
+import java.nio.file.Path;
 import java.nio.file.Paths;
 
 public class SubCommandImport extends SubCommand {
@@ -45,11 +46,20 @@ public void execute(boolean verbose) {
         }
 
         String path = loopArgs(0);
-        if (!Files.exists(Paths.get(path))) {
+        final Path fullPath = Paths.get(plugin.getDataFolder().getAbsolutePath()).resolve(path);
+
+        // Check if file exists and is not a folder
+        if (!Files.exists(fullPath) || fullPath.toFile().isDirectory()) {
             if (verbose) msg(Message.IMPORT_FILE_NOT_FOUND);
             return;
         }
 
+        // Check the path is not outside of plugin data folder (plugins/ServerSigns/)
+        if (!path.endsWith(".txt") || !fullPath.toAbsolutePath().normalize().startsWith(plugin.getDataFolder().getAbsolutePath())) {
+            if (verbose) msg(Message.INVALID_FILE_PATH);
+            return;
+        }
+
         if (verbose) msg(Message.IMPORT_SELECT_SIGN);
         applyMeta(SVSMetaKey.IMPORT, new SVSMetaValue(path));
     }

diff --git a/src/main/java/de/czymm/serversigns/translations/Message.java b/src/main/java/de/czymm/serversigns/translations/Message.java
@@ -126,6 +126,7 @@ public enum Message {
     OPTION_LABEL_UNIQUE("option_label_unique"),
     UNABLE_TO_EXECUTE_CMD("unable_to_execute_cmd"),
     IMPORT_FILE_NOT_FOUND("import_file_not_found"),
+    INVALID_FILE_PATH("invalid_file_path"),
     IMPORT_SUCCESS("import_success"),
     IMPORT_SELECT_SIGN("import_select_sign"),
     OPTION_LABEL_DESC_SEPARATOR("option_label_desc_separator"),

diff --git a/src/main/resources/de_default.yml b/src/main/resources/de_default.yml
@@ -108,7 +108,8 @@ option_invalid_answer: '&cThat is not a valid answer! Please try again, or type
 option_set: 'Sucessfully applied the specified option to the ServerSign'
 option_label_unique: 'Option answer labels must be unique!'
 unable_to_execute_cmd: '&cUnable to execute "<string>" as no matching commands were found.'
-import_file_not_found: 'File not found at that path from the server root directory'
+import_file_not_found: 'Datei konnte nicht im ServerSigns-Verzeichnis gefunden werden'
+invalid_file_path: 'Ungültiger Pfad, die Datei muss sich im ServerSigns-Verzeichnis mit der Erweiterung .txt befinden'
 import_success: 'Successfully imported the file "<string>"'
 import_select_sign: 'Right-click an existing ServerSign to import the commands to'
 xp_cost_removed: 'Successfully removed the EXP cost from this ServerSign'

diff --git a/src/main/resources/en_default.yml b/src/main/resources/en_default.yml
@@ -104,7 +104,8 @@ option_invalid_answer: '&cThat is not a valid answer! Please try again, or type
 option_set: 'Sucessfully applied the specified option to the ServerSign'
 option_label_unique: 'Option answer labels must be unique!'
 unable_to_execute_cmd: '&cUnable to execute "<string>" as no matching commands were found.'
-import_file_not_found: 'File not found at that path from the server root directory'
+import_file_not_found: 'File could not be found inside the ServerSigns directory'
+invalid_file_path: 'Invalid path, the file has to be located inside the ServerSigns directory with .txt extension'
 import_success: 'Successfully imported the file "<string>"'
 import_select_sign: 'Right-click an existing ServerSign to import the commands to'
 option_label_desc_separator: ' - '

diff --git a/src/main/resources/fr_default.yml b/src/main/resources/fr_default.yml
@@ -106,7 +106,8 @@ option_invalid_answer: '&cCe n''est pas une réponse valide ! Essaye encore, ou
 option_set: 'Option bien appliquée au ServerSign'
 option_label_unique: 'Le label des options de réponses doit être unique'
 unable_to_execute_cmd: 'Impossible d''exécuter "<string>", aucune commande correspondante trouvée'
-import_file_not_found: 'Fichier non trouvé à cette adresse depuis la racine du serveur'
+import_file_not_found: 'Fichier non trouvé dans le dossier ServerSigns'
+invalid_file_path: 'Chemin invalide, le fichier doit être situé dans le répertoire ServerSigns avec l''extension .txt'
 import_success: 'Le fichier "<string>" a bien été importé'
 import_select_sign: 'Clique droit sur un ServerSign pour y importer les commandes'
 option_label_desc_separator: ' - '