fix: validate whitelisted download urls

2022-05-15 15:58:23 -03:00 · 2022-05-15 15:58:23 -03:00 · 7194bb1b81
commit 7194bb1b81
parent 78cf0c73c8
3 changed files with 26 additions and 3 deletions
--- a/launcher/InstanceImportTask.cpp
+++ b/launcher/InstanceImportTask.cpp
@ -545,7 +545,7 @@ void InstanceImportTask::processModrinth() {
                    file.hashAlgorithm = hashAlgorithm;
                    // Do not use requireUrl, which uses StrictMode, instead use QUrl's default TolerantMode (as Modrinth seems to incorrectly handle spaces)
                    file.download = Json::requireString(Json::ensureArray(obj, "downloads").first(), "Download URL for " + file.path);
-                    if (!file.download.isValid())
+                    if (!file.download.isValid() || !Modrinth::validadeDownloadUrl(file.download))
                    {
                        throw JSONValidationError("Download URL for " + file.path + " is not a correctly formatted URL");
                    }
--- a/launcher/modplatform/modrinth/ModrinthPackManifest.cpp
+++ b/launcher/modplatform/modrinth/ModrinthPackManifest.cpp
@ -93,6 +93,23 @@ void loadIndexedVersions(Modpack& pack, QJsonDocument& doc)
    pack.versionsLoaded = true;
 }

+auto validadeDownloadUrl(QUrl url) -> bool
+{
+    auto domain = url.host();
+    if(domain == "cdn.modrinth.com")
+        return true;
+    if(domain == "edge.forgecdn.net")
+        return true;
+    if(domain == "media.forgecdn.net")
+        return true;
+    if(domain == "github.com")
+        return true;
+    if(domain == "raw.githubusercontent.com")
+        return true;
+
+    return false;
+}
+
 auto loadIndexedVersion(QJsonObject &obj) -> ModpackVersion
 {
    ModpackVersion file;
@ -107,7 +124,6 @@ auto loadIndexedVersion(QJsonObject &obj) -> ModpackVersion

    auto files = Json::requireArray(obj, "files");

-    qWarning() << files;

    for (auto file_iter : files) {
        File indexed_file;
@ -121,7 +137,12 @@ auto loadIndexedVersion(QJsonObject &obj) -> ModpackVersion
                continue;
        }

-        file.download_url = Json::requireString(parent, "url");
+        auto url = Json::requireString(parent, "url");
+
+        if(!validadeDownloadUrl(url))
+            continue;
+
+        file.download_url = url;
        if(is_primary)
            break;
    }
--- a/launcher/modplatform/modrinth/ModrinthPackManifest.h
+++ b/launcher/modplatform/modrinth/ModrinthPackManifest.h
@ -99,6 +99,8 @@ void loadIndexedInfo(Modpack&, QJsonObject&);
 void loadIndexedVersions(Modpack&, QJsonDocument&);
 auto loadIndexedVersion(QJsonObject&) -> ModpackVersion;

+auto validadeDownloadUrl(QUrl) -> bool;
+
 }

 Q_DECLARE_METATYPE(Modrinth::Modpack)