diff --git a/Plan/common/src/main/java/com/djrapitops/plan/delivery/web/ResourceSvc.java b/Plan/common/src/main/java/com/djrapitops/plan/delivery/web/ResourceSvc.java index 54fb14e0c9..1df0476ad7 100644 --- a/Plan/common/src/main/java/com/djrapitops/plan/delivery/web/ResourceSvc.java +++ b/Plan/common/src/main/java/com/djrapitops/plan/delivery/web/ResourceSvc.java @@ -175,6 +175,11 @@ public WebResource writeCustomized(String fileName, Supplier source byte[] bytes = original.asBytes(); OpenOption[] overwrite = {StandardOpenOption.CREATE, StandardOpenOption.TRUNCATE_EXISTING, StandardOpenOption.WRITE}; Path to = resourceSettings.getCustomizationDirectory().resolve(fileName); + if (!to.startsWith(resourceSettings.getCustomizationDirectory())) { + throw new IllegalArgumentException( + "Absolute path was given for writing a customized file, " + + "writing outside customization directory is prevented for security reasons."); + } Path dir = to.getParent(); if (!Files.isSymbolicLink(dir)) Files.createDirectories(dir); Files.write(to, bytes, overwrite); diff --git a/Plan/common/src/main/java/com/djrapitops/plan/gathering/domain/event/JoinAddress.java b/Plan/common/src/main/java/com/djrapitops/plan/gathering/domain/event/JoinAddress.java index 0521700013..5b118e31a5 100644 --- a/Plan/common/src/main/java/com/djrapitops/plan/gathering/domain/event/JoinAddress.java +++ b/Plan/common/src/main/java/com/djrapitops/plan/gathering/domain/event/JoinAddress.java @@ -31,7 +31,11 @@ public JoinAddress(Supplier address) { } public String getAddress() { - return address.get(); + String joinAddress = address.get(); + if (joinAddress.contains("\u0000")) { + joinAddress = joinAddress.split("\u0000", 2)[0]; + } + return joinAddress; } @Override diff --git a/Plan/common/src/main/java/com/djrapitops/plan/storage/database/queries/QueryParameterSetter.java b/Plan/common/src/main/java/com/djrapitops/plan/storage/database/queries/QueryParameterSetter.java index c91de3f6d5..2fec50d54a 100644 --- a/Plan/common/src/main/java/com/djrapitops/plan/storage/database/queries/QueryParameterSetter.java +++ b/Plan/common/src/main/java/com/djrapitops/plan/storage/database/queries/QueryParameterSetter.java @@ -21,6 +21,7 @@ import java.sql.PreparedStatement; import java.sql.SQLException; import java.sql.Types; +import java.util.Collection; import java.util.UUID; public class QueryParameterSetter { @@ -30,20 +31,36 @@ private QueryParameterSetter() {} public static void setParameters(PreparedStatement statement, Object... parameters) throws SQLException { int index = 1; for (Object parameter : parameters) { - setParameter(statement, index, parameter); - index++; + if (parameter instanceof Object[]) { + for (Object arrayParameter : (Object[]) parameter) { + setParameter(statement, index, arrayParameter); + index++; + } + } else if (parameter instanceof Collection) { + for (Object collectionParameter : (Collection) parameter) { + setParameter(statement, index, collectionParameter); + index++; + } + } else { + setParameter(statement, index, parameter); + index++; + } } } private static void setParameter(PreparedStatement statement, int index, Object parameter) throws SQLException { if (parameter == null) { statement.setNull(index, Types.VARCHAR); + } else if (parameter instanceof Boolean) { + statement.setBoolean(index, (Boolean) parameter); } else if (parameter instanceof Integer) { statement.setInt(index, (Integer) parameter); } else if (parameter instanceof Long) { statement.setLong(index, (Long) parameter); } else if (parameter instanceof Double) { statement.setDouble(index, (Double) parameter); + } else if (parameter instanceof Character) { + statement.setString(index, String.valueOf(parameter)); } else if (parameter instanceof Float) { statement.setFloat(index, (Float) parameter); } else if (parameter instanceof String) { diff --git a/Plan/common/src/main/java/com/djrapitops/plan/storage/database/queries/objects/GeoInfoQueries.java b/Plan/common/src/main/java/com/djrapitops/plan/storage/database/queries/objects/GeoInfoQueries.java index ffaf181fd7..ee3ea4de32 100644 --- a/Plan/common/src/main/java/com/djrapitops/plan/storage/database/queries/objects/GeoInfoQueries.java +++ b/Plan/common/src/main/java/com/djrapitops/plan/storage/database/queries/objects/GeoInfoQueries.java @@ -21,6 +21,7 @@ import com.djrapitops.plan.storage.database.queries.Query; import com.djrapitops.plan.storage.database.queries.QueryAllStatement; import com.djrapitops.plan.storage.database.queries.RowExtractors; +import com.djrapitops.plan.storage.database.sql.building.Sql; import com.djrapitops.plan.storage.database.sql.tables.GeoInfoTable; import com.djrapitops.plan.storage.database.sql.tables.ServerTable; import com.djrapitops.plan.storage.database.sql.tables.UserInfoTable; @@ -171,9 +172,7 @@ public static Query> userIdsOfPlayersWithGeolocations(List FROM + GeoInfoTable.TABLE_NAME + " g" + INNER_JOIN + UsersTable.TABLE_NAME + " u on u.id=g." + GeoInfoTable.USER_ID + WHERE + GeoInfoTable.GEOLOCATION + - " IN ('" + - new TextStringBuilder().appendWithSeparators(selected, "','") + - "')"; - return db -> db.querySet(sql, RowExtractors.getInt(UsersTable.ID)); + " IN (" + Sql.nParameters(selected.size()) + ")"; + return db -> db.querySet(sql, RowExtractors.getInt(UsersTable.ID), selected); } } \ No newline at end of file diff --git a/Plan/common/src/main/java/com/djrapitops/plan/storage/database/sql/building/Sql.java b/Plan/common/src/main/java/com/djrapitops/plan/storage/database/sql/building/Sql.java index 6fa9b078e7..edfed27553 100644 --- a/Plan/common/src/main/java/com/djrapitops/plan/storage/database/sql/building/Sql.java +++ b/Plan/common/src/main/java/com/djrapitops/plan/storage/database/sql/building/Sql.java @@ -16,10 +16,13 @@ */ package com.djrapitops.plan.storage.database.sql.building; +import org.apache.commons.text.TextStringBuilder; + import java.sql.PreparedStatement; import java.sql.SQLException; import java.sql.Types; import java.util.concurrent.TimeUnit; +import java.util.stream.IntStream; /** * Duplicate String reducing utility class for SQL language Strings. @@ -56,6 +59,12 @@ public abstract class Sql { private static final String MAX = "MAX("; private static final String VARCHAR = "varchar("; + public static String nParameters(int n) { + return new TextStringBuilder() + .appendWithSeparators(IntStream.range(0, n).mapToObj(i -> "?").iterator(), ",") + .toString(); + } + public static String varchar(int length) { return VARCHAR + length + ')'; } diff --git a/Plan/common/src/main/java/com/djrapitops/plan/storage/file/PlanFiles.java b/Plan/common/src/main/java/com/djrapitops/plan/storage/file/PlanFiles.java index b4fef6c15d..f52946f561 100644 --- a/Plan/common/src/main/java/com/djrapitops/plan/storage/file/PlanFiles.java +++ b/Plan/common/src/main/java/com/djrapitops/plan/storage/file/PlanFiles.java @@ -161,6 +161,9 @@ public Optional attemptToFind(String resourceName) { Path dir = config.get().getResourceSettings().getCustomizationDirectory(); if (dir.toFile().exists() && dir.toFile().isDirectory()) { Path asPath = dir.resolve(resourceName); + if (!asPath.startsWith(dir)) { + return Optional.empty(); + } File found = asPath.toFile(); if (found.exists()) { return Optional.of(found);