[Security][Bugfix] Fix directory traversal exploit (Grasscutters#1907)

* [Security][Bugfix] Fix directory traversal exploit 1.The first slash will act as root path when resolving local path, so directory traversal is possible 2.Filter the illegal payload to prevent directory traversal 3.This also fix the bug about not loading the files in data folder when querying `/hk4e/announcement/` * Fix formatting * Update src/main/java/emu/grasscutter/server/http/handlers/AnnouncementsHandler.java
Birdulon · Oct 29, 2022 · 55928d9 · 55928d9
1 parent 6219902
commit 55928d9
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/src/main/java/emu/grasscutter/server/http/handlers/AnnouncementsHandler.java b/src/main/java/emu/grasscutter/server/http/handlers/AnnouncementsHandler.java
@@ -14,6 +14,7 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.Objects;
+import java.util.StringJoiner;
 
 /**
  * Handles requests related to the announcements page.
@@ -72,7 +73,17 @@ private static void getAnnouncement(Context ctx) {
     }
 
     private static void getPageResources(Context ctx) {
-        try (InputStream filestream = DataLoader.load(ctx.path())) {
+        // Re-process the path - remove the first slash and prevent directory traversal
+        // (the first slash will act as root path when resolving local path)
+        String[] path = ctx.path().split("/");
+        StringJoiner stringJoiner = new StringJoiner("/");
+        for (String pathName : path) {
+            // Filter the illegal payload to prevent directory traversal
+            if (!pathName.isEmpty() && !pathName.equals("..") && !pathName.contains("\\")) {
+                stringJoiner.add(pathName);
+            }
+        }
+        try (InputStream filestream = DataLoader.load(stringJoiner.toString())) {
             String possibleFilename = ctx.path();
 
             ContentType fromExtension = ContentType.getContentTypeByExtension(possibleFilename.substring(possibleFilename.lastIndexOf(".") + 1));