[Security][Bugfix] Fix directory traversal exploit (#1907)

* [Security][Bugfix] Fix directory traversal exploit 1.The first slash will act as root path when resolving local path, so directory traversal is possible 2.Filter the illegal payload to prevent directory traversal 3.This also fix the bug about not loading the files in data folder when querying `/hk4e/announcement/` * Fix formatting * Update src/main/java/emu/grasscutter/server/http/handlers/AnnouncementsHandler.java

[Security][Bugfix] Fix directory traversal exploit (#1907)
* [Security][Bugfix] Fix directory traversal exploit 1.The first slash will act as root path when resolving local path, so directory traversal is possible 2.Filter the illegal payload to prevent directory traversal 3.This also fix the bug about not loading the files in data folder when querying `/hk4e/announcement/` * Fix formatting * Update src/main/java/emu/grasscutter/server/http/handlers/AnnouncementsHandler.java
55928d91 · sandtechnology · GitHub · 6219902e · 55928d91
Unverified Commit 55928d91 authored Oct 29, 2022 by sandtechnology Committed by GitHub Oct 29, 2022
--- a/src/main/java/emu/grasscutter/server/http/handlers/AnnouncementsHandler.java
+++ b/src/main/java/emu/grasscutter/server/http/handlers/AnnouncementsHandler.java
@@ -14,6 +14,7 @@ import static emu.grasscutter.config.Configuration.*;
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.Objects;
+import java.util.StringJoiner;

 /**
 * Handles requests related to the announcements page.
@@ -72,7 +73,17 @@ public final class AnnouncementsHandler implements Router {
    }

    private static void getPageResources(Context ctx) {
-        try (InputStream filestream = DataLoader.load(ctx.path())) {
+        // Re-process the path - remove the first slash and prevent directory traversal
+        // (the first slash will act as root path when resolving local path)
+        String[] path = ctx.path().split("/");
+        StringJoiner stringJoiner = new StringJoiner("/");
+        for (String pathName : path) {
+            // Filter the illegal payload to prevent directory traversal
+            if (!pathName.isEmpty() && !pathName.equals("..") && !pathName.contains("\\")) {
+                stringJoiner.add(pathName);
+            }
+        }
+        try (InputStream filestream = DataLoader.load(stringJoiner.toString())) {
            String possibleFilename = ctx.path();

            ContentType fromExtension = ContentType.getContentTypeByExtension(possibleFilename.substring(possibleFilename.lastIndexOf(".") + 1));