eightequal/AstralRinth
1
0
Fork 0
forked from didirus/AstralRinth
Code Pull Requests Activity

fix(app-lib): stricter override file path validation (#4681)

Browse Source
This commit is contained in:
Alejandro González
2025-10-30 22:19:23 +01:00
committed by GitHub
parent af33950bbe
commit 5000c4067b
2 changed files with 306 additions and 301 deletions
Download Patch File Download Diff File Expand all files Collapse all files
packages/app-lib/src/api/pack/install_mrpack.rs
+82 -81
View File
@@ -12,6 +12,8 @@ use crate::util::fetch::{fetch_mirrors, write};
use crate::util::io;
use crate::{State, profile};
use async_zip::base::read::seek::ZipFileReader;
use futures::StreamExt;
use path_util::SafeRelativeUtf8UnixPathBuf;
use super::install_from::{
CreatePack, CreatePackLocation, PackFormat, generate_pack_from_file,
@@ -19,7 +21,6 @@ use super::install_from::{
};
use crate::data::ProjectType;
use std::io::{Cursor, ErrorKind};
use std::path::PathBuf;
/// Install a pack
/// Wrapper around install_pack_files that generates a pack creation description, and
@@ -93,12 +94,16 @@ pub async fn install_zipped_mrpack_files(
})?;
// Extract index of modrinth.index.json
let zip_index_option = zip_reader.file().entries().iter().position(|f| {
f.filename().as_str().unwrap_or_default() == "modrinth.index.json"
});
if let Some(zip_index) = zip_index_option {
let Some(manifest_idx) = zip_reader.file().entries().iter().position(|f| {
matches!(f.filename().as_str(), Ok("modrinth.index.json"))
}) else {
return Err(crate::Error::from(crate::ErrorKind::InputError(
"No pack manifest found in mrpack".to_string(),
)));
};
let mut manifest = String::new();
let mut reader = zip_reader.reader_with_entry(zip_index).await?;
let mut reader = zip_reader.reader_with_entry(manifest_idx).await?;
reader.read_to_string_checked(&mut manifest).await?;
let pack: PackFormat = serde_json::from_str(&manifest)?;
@@ -136,7 +141,6 @@ pub async fn install_zipped_mrpack_files(
.await?;
let num_files = pack.files.len();
use futures::StreamExt;
loading_try_for_each_concurrent(
futures::stream::iter(pack.files.into_iter())
.map(Ok::<PackFile, crate::Error>),
@@ -193,51 +197,49 @@ pub async fn install_zipped_mrpack_files(
emit_loading(&loading_bar, 0.0, Some("Extracting overrides"))?;
let mut total_len = 0;
for index in 0..zip_reader.file().entries().len() {
let file = zip_reader.file().entries().get(index).unwrap();
let override_file_entries = zip_reader
.file()
.entries()
.iter()
.enumerate()
.filter_map(|(index, file)| {
let filename = file.filename().as_str().unwrap_or_default();
((filename.starts_with("overrides/")
|| filename.starts_with("client-overrides/"))
&& !filename.ends_with('/'))
.then(|| (index, file.clone()))
})
.collect::<Vec<_>>();
let override_file_entries_count = override_file_entries.len();
if (filename.starts_with("overrides")
|| filename.starts_with("client-overrides"))
&& !filename.ends_with('/')
{
total_len += 1;
}
}
for (i, (index, file)) in override_file_entries.into_iter().enumerate() {
let relative_override_file_path =
SafeRelativeUtf8UnixPathBuf::try_from(
file.filename().as_str().unwrap().to_string(),
)?;
let relative_override_file_path = relative_override_file_path
.strip_prefix("overrides")
.or_else(|_| relative_override_file_path.strip_prefix("client-overrides"))
.map_err(|_| {
crate::Error::from(crate::ErrorKind::OtherError(
format!("Failed to strip override prefix from override file path: {relative_override_file_path}")
))
})?;
for index in 0..zip_reader.file().entries().len() {
let file = zip_reader.file().entries().get(index).unwrap();
let filename = file.filename().as_str().unwrap_or_default();
let file_path = PathBuf::from(filename);
if (filename.starts_with("overrides")
|| filename.starts_with("client-overrides"))
&& !filename.ends_with('/')
{
// Reads the file into the 'content' variable
let mut content = Vec::new();
let mut file_bytes = vec![];
let mut reader = zip_reader.reader_with_entry(index).await?;
reader.read_to_end_checked(&mut content).await?;
reader.read_to_end_checked(&mut file_bytes).await?;
let mut new_path = PathBuf::new();
let components = file_path.components().skip(1);
for component in components {
new_path.push(component);
}
if new_path.file_name().is_some() {
let bytes = bytes::Bytes::from(content);
let file_bytes = bytes::Bytes::from(file_bytes);
cache_file_hash(
bytes.clone(),
file_bytes.clone(),
&profile_path,
&new_path.to_string_lossy(),
relative_override_file_path.as_str(),
None,
ProjectType::get_from_parent_folder(&new_path),
ProjectType::get_from_parent_folder(
relative_override_file_path.as_str(),
),
&state.pool,
)
.await?;
@@ -245,20 +247,21 @@ pub async fn install_zipped_mrpack_files(
write(
&profile::get_full_path(&profile_path)
.await?
.join(new_path),
&bytes,
.join(relative_override_file_path.as_str()),
&file_bytes,
&state.io_semaphore,
)
.await?;
}
emit_loading(
&loading_bar,
30.0 / total_len as f64,
Some(&format!("Extracting override {index}/{total_len}")),
30.0 / override_file_entries_count as f64,
Some(&format!(
"Extracting override {}/{override_file_entries_count}",
i + 1
)),
)?;
}
}
// If the icon doesn't exist, we expect icon.png to be a potential icon.
// If it doesn't exist, and an override to icon.png exists, cache and use that
@@ -279,11 +282,6 @@ pub async fn install_zipped_mrpack_files(
}
Ok::<String, crate::Error>(profile_path.clone())
} else {
Err(crate::Error::from(crate::ErrorKind::InputError(
"No pack manifest found in mrpack".to_string(),
)))
}
}
#[tracing::instrument(skip(mrpack_file))]
@@ -303,13 +301,17 @@ pub async fn remove_all_related_files(
})?;
// Extract index of modrinth.index.json
let zip_index_option = zip_reader.file().entries().iter().position(|f| {
f.filename().as_str().unwrap_or_default() == "modrinth.index.json"
});
if let Some(zip_index) = zip_index_option {
let Some(manifest_idx) = zip_reader.file().entries().iter().position(|f| {
matches!(f.filename().as_str(), Ok("modrinth.index.json"))
}) else {
return Err(crate::Error::from(crate::ErrorKind::InputError(
"No pack manifest found in mrpack".to_string(),
)));
};
let mut manifest = String::new();
let mut reader = zip_reader.reader_with_entry(zip_index).await?;
let mut reader = zip_reader.reader_with_entry(manifest_idx).await?;
reader.read_to_string_checked(&mut manifest).await?;
let pack: PackFormat = serde_json::from_str(&manifest)?;
@@ -379,8 +381,7 @@ pub async fn remove_all_related_files(
// Iterate over all Modrinth project file paths in the json, and remove them
// (There should be few, but this removes any files the .mrpack intended as Modrinth projects but were unrecognized)
for file in pack.files {
match io::remove_file(profile_full_path.join(file.path.as_str()))
.await
match io::remove_file(profile_full_path.join(file.path.as_str())).await
{
Ok(_) => (),
Err(err) if err.kind() == ErrorKind::NotFound => (),
@@ -389,28 +390,33 @@ pub async fn remove_all_related_files(
}
// Iterate over each 'overrides' file and remove it
for index in 0..zip_reader.file().entries().len() {
let file = zip_reader.file().entries().get(index).unwrap();
let override_file_entries =
zip_reader.file().entries().iter().filter(|file| {
let filename = file.filename().as_str().unwrap_or_default();
let file_path = PathBuf::from(filename);
if (filename.starts_with("overrides")
|| filename.starts_with("client-overrides"))
(filename.starts_with("overrides/")
|| filename.starts_with("client-overrides/"))
&& !filename.ends_with('/')
{
let mut new_path = PathBuf::new();
let components = file_path.components().skip(1);
});
for component in components {
new_path.push(component);
}
for file in override_file_entries {
let relative_override_file_path =
SafeRelativeUtf8UnixPathBuf::try_from(
file.filename().as_str().unwrap().to_string(),
)?;
let relative_override_file_path = relative_override_file_path
.strip_prefix("overrides")
.or_else(|_| relative_override_file_path.strip_prefix("client-overrides"))
.map_err(|_| {
crate::Error::from(crate::ErrorKind::OtherError(
format!("Failed to strip override prefix from override file path: {relative_override_file_path}")
))
})?;
// Remove this file if a corresponding one exists in the filesystem
match io::remove_file(
profile::get_full_path(&profile_path)
.await?
.join(&new_path),
.join(relative_override_file_path.as_str()),
)
.await
{
@@ -419,11 +425,6 @@ pub async fn remove_all_related_files(
Err(err) => return Err(err.into()),
}
}
}
Ok(())
} else {
Err(crate::Error::from(crate::ErrorKind::InputError(
"No pack manifest found in mrpack".to_string(),
)))
}
}
packages/app-lib/src/state/profiles.rs
+8 -4
View File
@@ -225,10 +225,14 @@ impl ProjectType {
}
}
pub fn get_from_parent_folder(path: &Path) -> Option<Self> {
// Get parent folder
let path = path.parent()?.file_name()?;
match path.to_str()? {
pub fn get_from_parent_folder(path: impl AsRef<Path>) -> Option<Self> {
match path
.as_ref()
.parent()?
.file_name()?
.to_str()
.unwrap_or_default()
{
"mods" => Some(ProjectType::Mod),
"datapacks" => Some(ProjectType::DataPack),
"resourcepacks" => Some(ProjectType::ResourcePack),