From f624754f0cb51fc8a46e5508d2afb42de2396ec1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Mr=C3=A1zek?=
Date: Thu, 2 Feb 2023 20:51:23 +0100
Subject: [PATCH] NOISSUE Improve path parsing for modrinth packs
---
 launcher/InstanceImportTask.cpp | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/launcher/InstanceImportTask.cpp b/launcher/InstanceImportTask.cpp
index 1cdcb4a6..e1553f06 100644
--- a/launcher/InstanceImportTask.cpp
+++ b/launcher/InstanceImportTask.cpp
@@ -311,7 +311,13 @@ void InstanceImportTask::processModrinth() {
 auto jsonFiles = Json::requireIsArrayOf(obj, "files", "modrinth.index.json");
 for(auto & obj: jsonFiles) {
 Modrinth::File file;
- file.path = Json::requireString(obj, "path");
+ auto dirtyPath = Json::requireString(obj, "path");
+ dirtyPath.replace('\\', '/');
+ auto simplifiedPath = QDir::cleanPath(dirtyPath);
+ QFileInfo fileInfo (simplifiedPath);
+ if(simplifiedPath.startsWith("../") || simplifiedPath.contains("/../") || fileInfo.isAbsolute()) {
+ throw JSONValidationError("Invalid path found in modpack files:\n\n" + simplifiedPath);
+ }
 // env doesn't have to be present, in that case mod is required
 auto env = Json::ensureObject(obj, "env");
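Review bot: None of the seven added lines assigns `file.path`, so the validated value is dropped after the check and `file.path` appears to stay default-constructed; add `file.path = simplifiedPath;` right after the closing brace of the `if`, unless it is set further down outside this hunk. The traversal check also lets through a path that cleans to exactly `..`, since that matches neither `startsWith("../")` nor `contains("/../")`; adding `|| simplifiedPath == ".."` to the condition closes that case. `QFileInfo::isAbsolute()` follows the host platform's rules, so a drive-letter path such as `C:/x` is presumably rejected only when the import runs on Windows, which deserves a short comment above the `if`. The loop body and processModrinth() continue outside the hunk.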