tomasalias/AstralRinth
1
0
Fork 0
forked from didirus/AstralRinth
Code Pull Requests Activity

fix(app-lib): stricter override file path validation (#4681)

Browse Source
This commit is contained in:
Alejandro González
2025-10-30 22:19:23 +01:00
committed by GitHub
parent af33950bbe
commit 5000c4067b
2 changed files with 306 additions and 301 deletions
Download Patch File Download Diff File Expand all files Collapse all files

163
packages/app-lib/src/api/pack/install_mrpack.rs
View File

@@ -12,6 +12,8 @@ use crate::util::fetch::{fetch_mirrors, write};
use crate::util::io; use crate::util::io;
use crate::{State, profile}; use crate::{State, profile};
use async_zip::base::read::seek::ZipFileReader; use async_zip::base::read::seek::ZipFileReader;
use futures::StreamExt;
use path_util::SafeRelativeUtf8UnixPathBuf;
use super::install_from::{ use super::install_from::{
CreatePack, CreatePackLocation, PackFormat, generate_pack_from_file, CreatePack, CreatePackLocation, PackFormat, generate_pack_from_file,
@@ -19,7 +21,6 @@ use super::install_from::{
}; };
use crate::data::ProjectType; use crate::data::ProjectType;
use std::io::{Cursor, ErrorKind}; use std::io::{Cursor, ErrorKind};
use std::path::PathBuf;
/// Install a pack /// Install a pack
/// Wrapper around install_pack_files that generates a pack creation description, and /// Wrapper around install_pack_files that generates a pack creation description, and
@@ -93,12 +94,16 @@ pub async fn install_zipped_mrpack_files(
})?; })?;
// Extract index of modrinth.index.json // Extract index of modrinth.index.json
let zip_index_option = zip_reader.file().entries().iter().position(|f| { let Some(manifest_idx) = zip_reader.file().entries().iter().position(|f| {
f.filename().as_str().unwrap_or_default() == "modrinth.index.json" matches!(f.filename().as_str(), Ok("modrinth.index.json"))
}); }) else {
if let Some(zip_index) = zip_index_option { return Err(crate::Error::from(crate::ErrorKind::InputError(
"No pack manifest found in mrpack".to_string(),
)));
};
let mut manifest = String::new(); let mut manifest = String::new();
let mut reader = zip_reader.reader_with_entry(zip_index).await?; let mut reader = zip_reader.reader_with_entry(manifest_idx).await?;
reader.read_to_string_checked(&mut manifest).await?; reader.read_to_string_checked(&mut manifest).await?;
let pack: PackFormat = serde_json::from_str(&manifest)?; let pack: PackFormat = serde_json::from_str(&manifest)?;
@@ -136,7 +141,6 @@ pub async fn install_zipped_mrpack_files(
.await?; .await?;
let num_files = pack.files.len(); let num_files = pack.files.len();
use futures::StreamExt;
loading_try_for_each_concurrent( loading_try_for_each_concurrent(
futures::stream::iter(pack.files.into_iter()) futures::stream::iter(pack.files.into_iter())
.map(Ok::<PackFile, crate::Error>), .map(Ok::<PackFile, crate::Error>),
@@ -193,51 +197,49 @@ pub async fn install_zipped_mrpack_files(
emit_loading(&loading_bar, 0.0, Some("Extracting overrides"))?; emit_loading(&loading_bar, 0.0, Some("Extracting overrides"))?;
let mut total_len = 0; let override_file_entries = zip_reader
.file()
for index in 0..zip_reader.file().entries().len() { .entries()
let file = zip_reader.file().entries().get(index).unwrap(); .iter()
.enumerate()
.filter_map(|(index, file)| {
let filename = file.filename().as_str().unwrap_or_default(); let filename = file.filename().as_str().unwrap_or_default();
((filename.starts_with("overrides/")
|| filename.starts_with("client-overrides/"))
&& !filename.ends_with('/'))
.then(|| (index, file.clone()))
})
.collect::<Vec<_>>();
let override_file_entries_count = override_file_entries.len();
if (filename.starts_with("overrides") for (i, (index, file)) in override_file_entries.into_iter().enumerate() {
|| filename.starts_with("client-overrides")) let relative_override_file_path =
&& !filename.ends_with('/') SafeRelativeUtf8UnixPathBuf::try_from(
{ file.filename().as_str().unwrap().to_string(),
total_len += 1; )?;
} let relative_override_file_path = relative_override_file_path
} .strip_prefix("overrides")
.or_else(|_| relative_override_file_path.strip_prefix("client-overrides"))
.map_err(|_| {
crate::Error::from(crate::ErrorKind::OtherError(
format!("Failed to strip override prefix from override file path: {relative_override_file_path}")
))
})?;
for index in 0..zip_reader.file().entries().len() { let mut file_bytes = vec![];
let file = zip_reader.file().entries().get(index).unwrap();
let filename = file.filename().as_str().unwrap_or_default();
let file_path = PathBuf::from(filename);
if (filename.starts_with("overrides")
|| filename.starts_with("client-overrides"))
&& !filename.ends_with('/')
{
// Reads the file into the 'content' variable
let mut content = Vec::new();
let mut reader = zip_reader.reader_with_entry(index).await?; let mut reader = zip_reader.reader_with_entry(index).await?;
reader.read_to_end_checked(&mut content).await?; reader.read_to_end_checked(&mut file_bytes).await?;
let mut new_path = PathBuf::new(); let file_bytes = bytes::Bytes::from(file_bytes);
let components = file_path.components().skip(1);
for component in components {
new_path.push(component);
}
if new_path.file_name().is_some() {
let bytes = bytes::Bytes::from(content);
cache_file_hash( cache_file_hash(
bytes.clone(), file_bytes.clone(),
&profile_path, &profile_path,
&new_path.to_string_lossy(), relative_override_file_path.as_str(),
None, None,
ProjectType::get_from_parent_folder(&new_path), ProjectType::get_from_parent_folder(
relative_override_file_path.as_str(),
),
&state.pool, &state.pool,
) )
.await?; .await?;
@@ -245,20 +247,21 @@ pub async fn install_zipped_mrpack_files(
write( write(
&profile::get_full_path(&profile_path) &profile::get_full_path(&profile_path)
.await? .await?
.join(new_path), .join(relative_override_file_path.as_str()),
&bytes, &file_bytes,
&state.io_semaphore, &state.io_semaphore,
) )
.await?; .await?;
}
emit_loading( emit_loading(
&loading_bar, &loading_bar,
30.0 / total_len as f64, 30.0 / override_file_entries_count as f64,
Some(&format!("Extracting override {index}/{total_len}")), Some(&format!(
"Extracting override {}/{override_file_entries_count}",
i + 1
)),
)?; )?;
} }
}
// If the icon doesn't exist, we expect icon.png to be a potential icon. // If the icon doesn't exist, we expect icon.png to be a potential icon.
// If it doesn't exist, and an override to icon.png exists, cache and use that // If it doesn't exist, and an override to icon.png exists, cache and use that
@@ -279,11 +282,6 @@ pub async fn install_zipped_mrpack_files(
} }
Ok::<String, crate::Error>(profile_path.clone()) Ok::<String, crate::Error>(profile_path.clone())
} else {
Err(crate::Error::from(crate::ErrorKind::InputError(
"No pack manifest found in mrpack".to_string(),
)))
}
} }
#[tracing::instrument(skip(mrpack_file))] #[tracing::instrument(skip(mrpack_file))]
@@ -303,13 +301,17 @@ pub async fn remove_all_related_files(
})?; })?;
// Extract index of modrinth.index.json // Extract index of modrinth.index.json
let zip_index_option = zip_reader.file().entries().iter().position(|f| { let Some(manifest_idx) = zip_reader.file().entries().iter().position(|f| {
f.filename().as_str().unwrap_or_default() == "modrinth.index.json" matches!(f.filename().as_str(), Ok("modrinth.index.json"))
}); }) else {
if let Some(zip_index) = zip_index_option { return Err(crate::Error::from(crate::ErrorKind::InputError(
"No pack manifest found in mrpack".to_string(),
)));
};
let mut manifest = String::new(); let mut manifest = String::new();
let mut reader = zip_reader.reader_with_entry(zip_index).await?; let mut reader = zip_reader.reader_with_entry(manifest_idx).await?;
reader.read_to_string_checked(&mut manifest).await?; reader.read_to_string_checked(&mut manifest).await?;
let pack: PackFormat = serde_json::from_str(&manifest)?; let pack: PackFormat = serde_json::from_str(&manifest)?;
@@ -379,8 +381,7 @@ pub async fn remove_all_related_files(
// Iterate over all Modrinth project file paths in the json, and remove them // Iterate over all Modrinth project file paths in the json, and remove them
// (There should be few, but this removes any files the .mrpack intended as Modrinth projects but were unrecognized) // (There should be few, but this removes any files the .mrpack intended as Modrinth projects but were unrecognized)
for file in pack.files { for file in pack.files {
match io::remove_file(profile_full_path.join(file.path.as_str())) match io::remove_file(profile_full_path.join(file.path.as_str())).await
.await
{ {
Ok(_) => (), Ok(_) => (),
Err(err) if err.kind() == ErrorKind::NotFound => (), Err(err) if err.kind() == ErrorKind::NotFound => (),
@@ -389,28 +390,33 @@ pub async fn remove_all_related_files(
} }
// Iterate over each 'overrides' file and remove it // Iterate over each 'overrides' file and remove it
for index in 0..zip_reader.file().entries().len() { let override_file_entries =
let file = zip_reader.file().entries().get(index).unwrap(); zip_reader.file().entries().iter().filter(|file| {
let filename = file.filename().as_str().unwrap_or_default(); let filename = file.filename().as_str().unwrap_or_default();
(filename.starts_with("overrides/")
let file_path = PathBuf::from(filename); || filename.starts_with("client-overrides/"))
if (filename.starts_with("overrides")
|| filename.starts_with("client-overrides"))
&& !filename.ends_with('/') && !filename.ends_with('/')
{ });
let mut new_path = PathBuf::new();
let components = file_path.components().skip(1);
for component in components { for file in override_file_entries {
new_path.push(component); let relative_override_file_path =
} SafeRelativeUtf8UnixPathBuf::try_from(
file.filename().as_str().unwrap().to_string(),
)?;
let relative_override_file_path = relative_override_file_path
.strip_prefix("overrides")
.or_else(|_| relative_override_file_path.strip_prefix("client-overrides"))
.map_err(|_| {
crate::Error::from(crate::ErrorKind::OtherError(
format!("Failed to strip override prefix from override file path: {relative_override_file_path}")
))
})?;
// Remove this file if a corresponding one exists in the filesystem // Remove this file if a corresponding one exists in the filesystem
match io::remove_file( match io::remove_file(
profile::get_full_path(&profile_path) profile::get_full_path(&profile_path)
.await? .await?
.join(&new_path), .join(relative_override_file_path.as_str()),
) )
.await .await
{ {
@@ -419,11 +425,6 @@ pub async fn remove_all_related_files(
Err(err) => return Err(err.into()), Err(err) => return Err(err.into()),
} }
} }
}
Ok(()) Ok(())
} else {
Err(crate::Error::from(crate::ErrorKind::InputError(
"No pack manifest found in mrpack".to_string(),
)))
}
} }

12
packages/app-lib/src/state/profiles.rs
View File

@@ -225,10 +225,14 @@ impl ProjectType {
} }
} }
pub fn get_from_parent_folder(path: &Path) -> Option<Self> { pub fn get_from_parent_folder(path: impl AsRef<Path>) -> Option<Self> {
// Get parent folder match path
let path = path.parent()?.file_name()?; .as_ref()
match path.to_str()? { .parent()?
.file_name()?
.to_str()
.unwrap_or_default()
{
"mods" => Some(ProjectType::Mod), "mods" => Some(ProjectType::Mod),
"datapacks" => Some(ProjectType::DataPack), "datapacks" => Some(ProjectType::DataPack),
"resourcepacks" => Some(ProjectType::ResourcePack), "resourcepacks" => Some(ProjectType::ResourcePack),