fix(app-lib, labrinth): stricter mrpack file path validation (#4482)

* fix(app-lib, labrinth): stricter mrpack file path validation * chore: run `cargo fmt` * tweak: reject reserved Windows device names in mrpacks too
2025-10-04 12:35:30 +02:00
parent a13647b9e2
commit ab6e9dd5d7
16 changed files with 235 additions and 78 deletions
--- a/apps/labrinth/src/models/v3/pack.rs
+++ b/apps/labrinth/src/models/v3/pack.rs
@@ -1,6 +1,7 @@
 use crate::{
    models::v2::projects::LegacySideType, util::env::parse_strings_from_var,
 };
+use path_util::SafeRelativeUtf8UnixPathBuf;
 use serde::{Deserialize, Serialize};
 use validator::Validate;

@@ -23,7 +24,7 @@ pub struct PackFormat {
 #[derive(Serialize, Deserialize, Validate, Eq, PartialEq, Debug, Clone)]
 #[serde(rename_all = "camelCase")]
 pub struct PackFile {
-    pub path: String,
+    pub path: SafeRelativeUtf8UnixPathBuf,
    pub hashes: std::collections::HashMap<PackFileHash, String>,
    pub env: Option<std::collections::HashMap<EnvType, LegacySideType>>, // TODO: Should this use LegacySideType? Will probably require a overhaul of mrpack format to change this
    #[validate(custom(function = "validate_download_url"))]
--- a/apps/labrinth/src/queue/moderation.rs
+++ b/apps/labrinth/src/queue/moderation.rs
@@ -304,7 +304,7 @@ impl AutomatedModerationQueue {
                                            let hash = x.hashes.get(&PackFileHash::Sha1);

                                            if let Some(hash) = hash {
-                                                let path = x.path.clone();
+                                                let path = x.path.to_string();
                                                Some((hash.clone(), Some(x), path, None))
                                            } else {
                                                None
--- a/apps/labrinth/src/validate/modpack.rs
+++ b/apps/labrinth/src/validate/modpack.rs
@@ -4,7 +4,6 @@ use crate::validate::{
    SupportedGameVersions, ValidationError, ValidationResult,
 };
 use std::io::{Cursor, Read};
-use std::path::Component;
 use validator::Validate;
 use zip::ZipArchive;

@@ -72,24 +71,6 @@ impl super::Validator for ModpackValidator {
                    "All pack files must provide a SHA512 hash!".into(),
                ));
            }
-
-            let path = std::path::Path::new(&file.path)
-                .components()
-                .next()
-                .ok_or_else(|| {
-                    ValidationError::InvalidInput(
-                        "Invalid pack file path!".into(),
-                    )
-                })?;
-
-            match path {
-                Component::CurDir | Component::Normal(_) => {}
-                _ => {
-                    return Err(ValidationError::InvalidInput(
-                        "Invalid pack file path!".into(),
-                    ));
-                }
-            };
        }

        Ok(ValidationResult::PassWithPackDataAndFiles {