From 2cf2e6622a6e070124b80e7a4859f833fe0a4d35 Mon Sep 17 00:00:00 2001
From: Slendy
Date: Thu, 22 Sep 2022 17:11:17 -0500
Subject: [PATCH] Prevent directory traversal attacks
---
 .../Resources/ResourcesController.cs | 6 ++++++
 .../Controllers/ResourcesController.cs | 19 ++++++++++---------
 ProjectLighthouse/Files/FileHelper.cs | 4 ++++
 3 files changed, 20 insertions(+), 9 deletions(-)
diff --git a/ProjectLighthouse.Servers.GameServer/Controllers/Resources/ResourcesController.cs b/ProjectLighthouse.Servers.GameServer/Controllers/Resources/ResourcesController.cs
index 43ec1d48..d1caa841 100644
--- a/ProjectLighthouse.Servers.GameServer/Controllers/Resources/ResourcesController.cs
+++ b/ProjectLighthouse.Servers.GameServer/Controllers/Resources/ResourcesController.cs
@@ -56,6 +56,12 @@ public class ResourcesController : ControllerBase
 string path = FileHelper.GetResourcePath(hash);
+ string fullPath = Path.GetFullPath(path);
+ string basePath = Path.GetFullPath(FileHelper.ResourcePath);
+
+ // Prevent directory traversal attacks
+ if (!fullPath.StartsWith(basePath)) return this.BadRequest();
+
 if (FileHelper.ResourceExists(hash)) return this.File(IOFile.OpenRead(path), "application/octet-stream");
 return this.NotFound();
diff --git a/ProjectLighthouse.Servers.Website/Controllers/ResourcesController.cs b/ProjectLighthouse.Servers.Website/Controllers/ResourcesController.cs
index 3edafd84..cdef6071 100644
--- a/ProjectLighthouse.Servers.Website/Controllers/ResourcesController.cs
+++ b/ProjectLighthouse.Servers.Website/Controllers/ResourcesController.cs
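Review bot: The containment check on the added `if (!fullPath.StartsWith(basePath))` line accepts sibling directories that merely share the prefix: because `basePath` carries no trailing separator, a resolved path that lands in a neighbouring directory whose name begins with `r` (a constructed example: `.../r2/...` next to `.../r`) still starts with `basePath` and passes. Compare against the base plus a separator and use an ordinal comparison, since the single-argument `StartsWith` is culture-sensitive: `string basePath = Path.GetFullPath(FileHelper.ResourcePath) + Path.DirectorySeparatorChar;` and `if (!fullPath.StartsWith(basePath, StringComparison.Ordinal)) return this.BadRequest();`. The same check is duplicated in the Website ResourcesController hunk below against `FileHelper.ImagePath`, so one shared FileHelper method that both controllers call would keep the two in step. If a logger is available in this controller, recording the rejection would make such requests visible in the server logs; the enclosing action method begins and ends outside this hunk.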
@@ -11,18 +11,19 @@ public class ResourcesController : ControllerBase
 [HttpGet("/gameAssets/{hash}")]
 public IActionResult GetGameImage(string hash)
 {
- string path = Path.Combine("png", $"{hash}.png");
+ string path = FileHelper.GetImagePath($"{hash}.png");
- if (IOFile.Exists(path))
- {
- return this.File(IOFile.OpenRead(path), "image/png");
- }
+ string fullPath = Path.GetFullPath(path);
+ string basePath = Path.GetFullPath(FileHelper.ImagePath);
+
+ // Prevent directory traversal attacks
+ if (!fullPath.StartsWith(basePath)) return this.BadRequest();
+
+ if (IOFile.Exists(path)) return this.File(IOFile.OpenRead(path), "image/png");
 LbpFile? file = LbpFile.FromHash(hash);
- if (file != null && FileHelper.LbpFileToPNG(file))
- {
- return this.File(IOFile.OpenRead(path), "image/png");
- }
+ if (file != null && FileHelper.LbpFileToPNG(file)) return this.File(IOFile.OpenRead(path), "image/png");
+
 return this.NotFound();
 }
 }
\ No newline at end of file
diff --git a/ProjectLighthouse/Files/FileHelper.cs b/ProjectLighthouse/Files/FileHelper.cs
index b0906b51..9e2d9452 100644
--- a/ProjectLighthouse/Files/FileHelper.cs
+++ b/ProjectLighthouse/Files/FileHelper.cs
@@ -24,8 +24,12 @@ public static class FileHelper
 {
 public static readonly string ResourcePath = Path.Combine(Environment.CurrentDirectory, "r");
+ public static readonly string ImagePath = Path.Combine(Environment.CurrentDirectory, "png");
+
 public static string GetResourcePath(string hash) => Path.Combine(ResourcePath, hash);
+ public static string GetImagePath(string hash) => Path.Combine(ImagePath, hash);
+
 public static bool AreDependenciesSafe(LbpFile file)
 {
 // recursively check if dependencies are safe
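Review bot: The new `GetImagePath(string hash)` names its parameter `hash`, but the call site added in the Website ResourcesController hunk passes a file name (`$"{hash}.png"`), so the name misdescribes the argument; `public static string GetImagePath(string fileName) => Path.Combine(ImagePath, fileName);` would read correctly. Neither new public member carries an XML doc comment; a `/// <summary>` on `ImagePath` stating that it is the `png` directory under the process's current working directory, and one on `GetImagePath` noting that `Path.Combine` returns the second argument unchanged when it is rooted so the result must still be checked for containment by the caller, would document the contract the controllers depend on. The enclosing `FileHelper` class continues outside this hunk.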