From d43ef39b087365f2fa158a73dcb3d3220f83adb7 Mon Sep 17 00:00:00 2001
From: ChomeNS <95471003+ChomeNS@users.noreply.github.com>
Date: Mon, 16 Oct 2023 09:05:23 +0700
Subject: [PATCH] fix exploit with `////` in music list
---
 .../chomens_bot/commands/MusicCommand.java | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/src/main/java/land/chipmunk/chayapak/chomens_bot/commands/MusicCommand.java b/src/main/java/land/chipmunk/chayapak/chomens_bot/commands/MusicCommand.java
index e84b85f..b5847dd 100644
--- a/src/main/java/land/chipmunk/chayapak/chomens_bot/commands/MusicCommand.java
+++ b/src/main/java/land/chipmunk/chayapak/chomens_bot/commands/MusicCommand.java
@@ -368,12 +368,10 @@ public class MusicCommand extends Command {
 final String stringPathIfExists = context.getString(true, false);
- final Path path = (stringPathIfExists.isEmpty()) ?
- root :
- Path.of(
- root.toString(),
- stringPathIfExists
- );
+ final Path path = Path.of(
+ root.toString(),
+ stringPathIfExists
+ );
 if (!path.normalize().startsWith(root.toString())) throw new CommandException(Component.text("no"));
@@ -395,7 +393,12 @@ public class MusicCommand extends Command {
 location = Paths.get(""); // wtf mabe
 }
- final String joinedPath = stringPathIfExists.isEmpty() ? eachPath.getFileName().toString() : Paths.get(location.getFileName().toString(), eachPath.getFileName().toString()).toString();
+ final String joinedPath = location.equals(root) ?
+ eachPath.getFileName().toString() :
+ Paths.get(
+ location.getFileName().toString(),
+ eachPath.getFileName().toString()
+ ).toString();
 fullList.add( Component
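Review bot: The containment check in the first hunk normalizes `path` only inside the `if`, so the value that carries on past the check is still the un-normalized `Path.of(root.toString(), stringPathIfExists)`, and `root` is compared exactly as given. `normalize()` is purely lexical, so the guard and whatever later walks the directory can disagree about which directory is meant, and the `location.equals(root)` test added in the second hunk is also a lexical comparison that presumably holds only when `location` is spelled exactly like `root`. I would normalize once and use that value everywhere: `final Path path = Path.of(root.toString(), stringPathIfExists).normalize();` followed by `if (!path.startsWith(root.normalize())) throw new CommandException(Component.text("no"));`. If the music directory can contain symlinks, a `toRealPath()` comparison would be needed as well, since neither check resolves them. The enclosing method starts and ends outside the hunk, so how `path` and `location` are used afterwards is not visible here.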