[pull] development from Wynntils:development #21

Open
wants to merge 139 commits into
base: development

pull[bot]

@pull pull bot commented Sep 21, 2022

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.1)

Can you help keep this open source service alive? 💖 Please sponsor : )

JLLeitschuh and others added 14 commits September 21, 2022 01:22
This fixes a Zip-Slip vulnerability.

This change does one of two things. This change either

1. Inserts a guard to protect against Zip Slip.
OR
2. Replaces `dir.getCanonicalPath().startsWith(parent.getCanonicalPath())`, which is vulnerable to partial path traversal attacks, with the more secure `dir.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath())`.

For number 2, consider `"/usr/outnot".startsWith("/usr/out")`.
The check is bypassed although `/outnot` is not under the `/out` directory.
It's important to understand that the terminating slash may be removed when using various `String` representations of the `File` object.
For example, on Linux, `println(new File("/var"))` will print `/var`, but `println(new File("/var", "/"))` will print `/var/`;
however, `println(new File("/var", "/").getCanonicalPath())` will print `/var`.

Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Severity: High
CVSS: 7.4
Detection: CodeQL (https://codeql.github.com/codeql-query-help/java/java-zipslip/) & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.ZipSlip)

Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>

Bug-tracker: JLLeitschuh/security-research#16

Co-authored-by: Moderne <team@moderne.io>

Co-authored-by: Moderne <team@moderne.io>
Co-authored-by: Magnus Ihse Bursie <mag@icus.se>
(cherry picked from commit 64645a3)
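
The difference between the two checks named in the commit message above, as an added example that is not part of the original commit or the Wynntils code base. The class name, the `resolveEntry` helper and the entry names are constructed for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

public class ZipSlipGuardDemo {

    // The check the commit replaces: canonical paths compared as plain strings.
    static boolean stringPrefixCheck(File parent, File target) throws IOException {
        return target.getCanonicalPath().startsWith(parent.getCanonicalPath());
    }

    // The replacement named in the commit: Path.startsWith matches whole name elements.
    static boolean pathPrefixCheck(File parent, File target) throws IOException {
        return target.getCanonicalFile().toPath()
                .startsWith(parent.getCanonicalFile().toPath());
    }

    // Hypothetical extraction guard: map an archive entry name to a file under
    // destDir, or refuse it before anything is written.
    static File resolveEntry(File destDir, String entryName) throws IOException {
        File target = new File(destDir, entryName);
        if (!pathPrefixCheck(destDir, target)) {
            throw new IOException("Entry escapes target directory: " + entryName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        File base = Files.createTempDirectory("zipslip-demo").toFile();
        File out = new File(base, "out"); // extraction target; nothing is written to it

        // Constructed entry names: two legitimate, one sibling-prefix case, one plain traversal.
        String[] entries = {"mods/a.jar", "./b/../c.txt", "../outnot/a.jar", "../../etc/x"};
        for (String name : entries) {
            File target = new File(out, name);
            String verdict;
            try {
                resolveEntry(out, name);
                verdict = "accepted";
            } catch (IOException e) {
                verdict = "rejected";
            }
            System.out.printf("%-18s string=%-5b path=%-5b guard=%s%n", name,
                    stringPrefixCheck(out, target), pathPrefixCheck(out, target), verdict);
        }
        base.delete(); // the temporary directory is still empty
    }
}
```

The sibling entry `../outnot/a.jar` passes the string comparison but fails the `Path` comparison; the other three entries get the same verdict from both checks.
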
* Fix a rare crash that occurs in the skill point menu

* Make it so it completely ignores crafteds

* fix spacing

* Remove useless check for `%]`. Noticed that every renamed item is automatically signed

* Add `parseIntOr` to safely parse an int from a string, returns the default value if it fails.
Add checks for SkillPointOverlay.java so you can't crash using crafted items now

Co-authored-by: byBackfish <maik@bybackifsh.de>
(cherry picked from commit 741e2ff)
* Fix Wynntils always automatically putting in the amount to sell for the user, even when they selected a custom amount

I actually feel stupid for not seeing this earlier :/

* Add a config option to disable this feature

Co-authored-by: byBackfish <maik@bybackifsh.de>
(cherry picked from commit dfc9782)
Co-authored-by: HighCrit <35771251+HighCrit@users.noreply.github.com>
* Re-add duplicate cosmetic highlight

Apparently stacking in-game was removed after 2.0 release

* Fix totem highlighting and tracking

(cherry picked from commit 3eda8c1)
remove fix

(cherry picked from commit 2b8ad6b)
Add "Additional Comments"

Co-authored-by: Kristof Kovacs <49001742+kristofbolyai@users.noreply.github.com>
(cherry picked from commit ae058d2)
* feat: adds awakening progress bar

* fix: fix AwakeningProgressBarOverlay being drawn in the same position as the BloodPoolBarOverlay

* fix: rename from `Mask of Awakening` to `Mask of the Awakened`

* fix: remove bar when switching class

* fix: change code so it fits the reviews. Also fix the stuff in BloodPoolBarOverlay.java

* fix: spacing after `||`

Co-authored-by: byBackfish <maik@bybackifsh.de>
Co-authored-by: Kristof Kovacs <49001742+kristofbolyai@users.noreply.github.com>
(cherry picked from commit 6a7d857)
* Adds a component to every message, that on click copies that message content to the clipboard.
Pressing `L_CONTROL` whilst clicking on the component copies the raw message, including the color codes

* Switch to `TextFormatting`

* Switch to `TextFormatting` in LootRunPage.java (my previous PR)

Co-authored-by: byBackfish <maik@bybackifsh.de>
Co-authored-by: Kristof Kovacs <49001742+kristofbolyai@users.noreply.github.com>
(cherry picked from commit c26b811)
* fix: old waypoints being invalid as the `showBeaconBeam` field got implemented and couldn't be found.

* fix: make upper bound of assert always the current format

* fix: add spacing after `if`

Co-authored-by: byBackfish <maik@bybackifsh.de>
Co-authored-by: Kristof Kovacs <49001742+kristofbolyai@users.noreply.github.com>
(cherry picked from commit 05d4b83)
* fix: Fix quick cast keys

* fix: forgot the delay between spells

* chore: temporarily disable totem highlights

totem highlights and tracking are hitting other objects

* fix: Replace missing message for spell cast cooldown

* fix: Spamming spell cast keys may cause overlap with the current delay

* chore: Amend comment for earliestCastable

* chore: Rework queueSpell

* chore: add cc regex method

* feat: copy Artemis spell cast implementation

* chore: register events for quick cast

* chore: remove debug print, remove level check

Different classes have different first spells (eg. mage unlocking meteor first vs warrior unlocking bash first)

* chore: remove unnecessary spell number parameter

* chore: remove commented code

* chore: fix imports, separate queue tick delay number

* chore: separate status check and message print, move enum down

Co-authored-by: Incompleteusern <58920010+Incompleteusern@users.noreply.github.com>
(cherry picked from commit ef10a7a)
@pull pull bot added the ⤵️ pull label Sep 21, 2022
@pull pull bot added the merge-conflict Resolve conflicts manually label Sep 21, 2022
ryanzhoudev and others added 13 commits September 21, 2022 16:20
Co-authored-by: Magnus Ihse Bursie <mag@icus.se>
Co-authored-by: byBackfish <maik@bybackifsh.de>
Co-authored-by: Magnus Ihse Bursie <mag@icus.se>
Co-authored-by: Kristof Kovacs <49001742+kristofbolyai@users.noreply.github.com>
* feat: Adds 3 custom sell amount buttons to the trade market sell gui, pressing them will put the amount set in the config instantly in chat. Also remade most of the `TradeMarketOverlay`. Fixes various bugs

* fix: add empty line before the custom sell amount info

* fix: remove debug & set the item count to the correct amount (visually)

* fix: save the parsed int instead of parsing it twice

* fix: change the lore to fit the custom sell buttons better

* make the custom buttons appear even if only 1 of the item in your inventory

Co-authored-by: byBackfish <maik@bybackifsh.de>
Co-authored-by: Magnus Ihse Bursie <mag@icus.se>
Co-authored-by: Kristof Kovacs <49001742+kristofbolyai@users.noreply.github.com>
* feat: add ability to scroll to navigate through ability tree

* fix: add ability to invert controls

* Fix formatting

* Fix formatting again

* fix: add `ABILITY_TREE_PATTERN` to properly check if the gui is the ability tree, fix order of the settings

* fix: extract slot numbers, change config order to not have duplicates

* fix: remove `/ 120`

* fix: change to non-capturing regex group

* fix: use `ScrollDirection` as type for the `abilityScrollDirection` config option

* make the `shouldAbitlityScroll` config option default to true

Co-authored-by: byBackfish <maik@bybackifsh.de>
Co-authored-by: Magnus Ihse Bursie <mag@icus.se>
Co-authored-by: Ryan <57310593+DonkeyBlaster@users.noreply.github.com>
* feat: add current mask overlay

* fix: refactor, fix location

* fix: mask not resetting correctly if only one mask ability is equipped

* fix: add option to change display text for each mask individually

* fix: implement reviews

* fix: change the tabulation

* fix: simplify mask detection

* fix: add spaces after `if`

* fix: save the current shaman mask in `CharacterData.java` instead of in `CurrentMaskOverlay.java`

* fix: extract mask parsing from CurrentMaskOverlay to OverlayEvents

* add empty line at the end of the file

Co-authored-by: byBackfish <maik@bybackifsh.de>
Co-authored-by: Magnus Ihse Bursie <mag@icus.se>
Co-authored-by: Kristof Kovacs <49001742+kristofbolyai@users.noreply.github.com>
Co-authored-by: Ryan <57310593+DonkeyBlaster@users.noreply.github.com>
* ci: update releases

* ci: allow version update in stable to automatically be pushed to development (untested)
* fix: make the mythic detection work again, filter out the results of `/gu list` when wynntils runs it automatically

* fix: fix imports

* fix: simplify `AIR` check

* fix: add comment describing the mythic found code

Co-authored-by: byBackfish <maik@bybackifsh.de>
* feat: add corrupted bar

* fix: change symbol, add hide default bar

Co-authored-by: byBackfish <maik@bybackifsh.de>
Co-authored-by: Magnus Ihse Bursie <mag@icus.se>
WynntilsBot and others added 30 commits February 15, 2023 21:07
Co-authored-by: P0ke <alextodaro@rocketmailcom>
Co-authored-by: P0ke <alextodaro@rocketmailcom>
* fix: Fix party finder crash on housing island

Fixes a bug where you will crash if you attempt to join a party in party finder, from your housing island.

* Update src/main/java/com/wynntils/modules/richpresence/events/ClientEvents.java

* Update src/main/java/com/wynntils/modules/richpresence/events/ClientEvents.java

---------

Co-authored-by: Alex Todaro <3767283+P0keDev@users.noreply.github.com>
Co-authored-by: Ryan <57310593+DonkeyBlaster@users.noreply.github.com>
* feat: Add K and M to convertEmeraldPrice

Did this in Artemis but didn't do it to Wynntils so here you go

* Update StringUtils.java
* chore: Remove broken quest book

* fix: Allow access to guides and lootruns

---------

Co-authored-by: Magnus Ihse Bursie <mag@icus.se>
* chore: Remove broken quest book

* fix: Allow access to guides and lootruns

* feat: Export favorites via command

---------

Co-authored-by: Magnus Ihse Bursie <mag@icus.se>
fix: Fixed TAB_EFFECT_PATTERN regex so that Saviour's Sacrifice shows up in status effects list
* fix: Fix Guild Map Crashing

* fix: Fix Guild Map Crashing

* fix: Make color loading faster

* fix: Return random color if no valid color for guild

* fix: Make random color better

* fix: Generate random color only once, also optimize imports

* refactor: use a much simpler data structure

* Update src/main/java/com/wynntils/modules/map/overlays/objects/MapTerritory.java

* 0 to 1

* CommonColors doesn't need any changes

---------

Co-authored-by: DonkeyBlaster <57310593+DonkeyBlaster@users.noreply.github.com>
fix: Fixed chat crash bug that caused me to lose 50stx
* feat: Export favorites and waypoints from update available screen

* Revert UpdateAvailableScreen, add ExportScreen and button, only force show on first launch

* fix: Don't always open UpdateAvailableScreen

* chore: Change button text and export message

* chore: Change modrinth link and remove 1.20.2 mention