fix(app-lib, labrinth): stricter mrpack file path validation (#4482)

* fix(app-lib, labrinth): stricter mrpack file path validation

* chore: run `cargo fmt`

* tweak: reject reserved Windows device names in mrpacks too

apps/app/Cargo.toml

@@ -11,6 +11,7 @@ tauri-build = { workspace = true, features = ["codegen"] }
 
 [dependencies]
 theseus = { workspace = true, features = ["tauri"] }
+path-util.workspace = true
 
 serde_json.workspace = true
 serde = { workspace = true, features = ["derive"] }

apps/app/src/api/profile.rs

@@ -1,5 +1,6 @@
 use crate::api::Result;
 use dashmap::DashMap;
+use path_util::SafeRelativeUtf8UnixPathBuf;
 use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
 use std::path::{Path, PathBuf};
@@ -239,7 +240,7 @@ pub async fn profile_export_mrpack(
 #[tauri::command]
 pub async fn profile_get_pack_export_candidates(
     profile_path: &str,
-) -> Result<Vec<String>> {
+) -> Result<Vec<SafeRelativeUtf8UnixPathBuf>> {
     let candidates = profile::get_pack_export_candidates(profile_path).await?;
     Ok(candidates)
 }

apps/labrinth/Cargo.toml

@@ -133,6 +133,7 @@ rusty-money.workspace = true
 json-patch.workspace = true
 
 ariadne.workspace = true
+path-util.workspace = true
 
 clap = { workspace = true, features = ["derive"] }
 

apps/labrinth/src/models/v3/pack.rs

@@ -1,6 +1,7 @@
 use crate::{
     models::v2::projects::LegacySideType, util::env::parse_strings_from_var,
 };
+use path_util::SafeRelativeUtf8UnixPathBuf;
 use serde::{Deserialize, Serialize};
 use validator::Validate;
 
@@ -23,7 +24,7 @@ pub struct PackFormat {
 #[derive(Serialize, Deserialize, Validate, Eq, PartialEq, Debug, Clone)]
 #[serde(rename_all = "camelCase")]
 pub struct PackFile {
-    pub path: String,
+    pub path: SafeRelativeUtf8UnixPathBuf,
     pub hashes: std::collections::HashMap<PackFileHash, String>,
     pub env: Option<std::collections::HashMap<EnvType, LegacySideType>>, // TODO: Should this use LegacySideType? Will probably require a overhaul of mrpack format to change this
     #[validate(custom(function = "validate_download_url"))]

apps/labrinth/src/queue/moderation.rs

@@ -304,7 +304,7 @@ impl AutomatedModerationQueue {
                                             let hash = x.hashes.get(&PackFileHash::Sha1);
 
                                             if let Some(hash) = hash {
-                                                let path = x.path.clone();
+                                                let path = x.path.to_string();
                                                 Some((hash.clone(), Some(x), path, None))
                                             } else {
                                                 None

apps/labrinth/src/validate/modpack.rs

@@ -4,7 +4,6 @@ use crate::validate::{
     SupportedGameVersions, ValidationError, ValidationResult,
 };
 use std::io::{Cursor, Read};
-use std::path::Component;
 use validator::Validate;
 use zip::ZipArchive;
 
@@ -72,24 +71,6 @@ impl super::Validator for ModpackValidator {
                     "All pack files must provide a SHA512 hash!".into(),
                 ));
             }
-
-            let path = std::path::Path::new(&file.path)
-                .components()
-                .next()
-                .ok_or_else(|| {
-                    ValidationError::InvalidInput(
-                        "Invalid pack file path!".into(),
-                    )
-                })?;
-
-            match path {
-                Component::CurDir | Component::Normal(_) => {}
-                _ => {
-                    return Err(ValidationError::InvalidInput(
-                        "Invalid pack file path!".into(),
-                    ));
-                }
-            };
         }
 
         Ok(ValidationResult::PassWithPackDataAndFiles {