From d3dc8cf77dd8f5fbf4d3402eb1fd8d5638601e23 Mon Sep 17 00:00:00 2001
From: Neo
Date: Sat, 24 Oct 2020 05:06:35 +0100
Subject: [PATCH] Fix disk traversal issue
---
 KamihamaWeb/KamihamaWeb.csproj | 1 +
 KamihamaWeb/Services/DiskCacheService.cs | 7 ++++---
 KamihamaWeb/Services/MasterService.cs | 22 ++++++++++++++++------
 3 files changed, 21 insertions(+), 9 deletions(-)
diff --git a/KamihamaWeb/KamihamaWeb.csproj b/KamihamaWeb/KamihamaWeb.csproj
index c364386..63dbd22 100644
--- a/KamihamaWeb/KamihamaWeb.csproj
+++ b/KamihamaWeb/KamihamaWeb.csproj
@@ -9,6 +9,7 @@
+
diff --git a/KamihamaWeb/Services/DiskCacheService.cs b/KamihamaWeb/Services/DiskCacheService.cs
index adb42a0..a0dcd60 100644
--- a/KamihamaWeb/Services/DiskCacheService.cs
+++ b/KamihamaWeb/Services/DiskCacheService.cs
@@ -38,13 +38,13 @@ namespace KamihamaWeb.Services
  public async Task Get(string cacheItem, string versionMd5, bool forceOrigin = false)
  {
+ // Remember: don't allow directory traversal attacks...
  var filename = CryptUtil.CalculateSha256(cacheItem + "?" + versionMd5);
- var filePath = Path.Combine(CacheDirectory, filename);
  if (!forceOrigin && cacheItem.StartsWith("scenario/json/general"))
  {
- var generalJson = Path.Combine(CacheDirectory, cacheItem + versionMd5);
+ var generalJson = Path.Combine(ScenarioCacheDirectory, filename);
  if (File.Exists(generalJson))
  {
  return new DiskCacheItem()
@@ -110,7 +110,8 @@ namespace KamihamaWeb.Services
  {
  case StoreType.ScenarioGeneral:
  var md5 = CryptUtil.CalculateMd5Bytes(storeContents);
- storePath = Path.Combine(CacheDirectory, filepath + md5);
+ var filename = CryptUtil.CalculateSha256(filepath + "?" + md5);
+ storePath = Path.Combine(ScenarioCacheDirectory, filename);
  await File.WriteAllBytesAsync(storePath, storeContents);
  break;
  default:
diff --git a/KamihamaWeb/Services/MasterService.cs b/KamihamaWeb/Services/MasterService.cs
index b38d24e..ae42aba 100644
--- a/KamihamaWeb/Services/MasterService.cs
+++ b/KamihamaWeb/Services/MasterService.cs
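Review bot: The traversal fix in `Get` rests entirely on `CryptUtil.CalculateSha256` returning a string with no path separators or `..`, yet neither the new comment nor the call site states that invariant; if that helper ever switches to standard Base64 (whose alphabet includes `/`), `Path.Combine` would again receive caller-shaped structure. Replace the vague comment with one that names the property, `// cacheItem and versionMd5 are caller-controlled; only a hex digest of them reaches Path.Combine, so no path component can be injected`, and add a cheap defence-in-depth check after the combine: `if (!Path.GetFullPath(generalJson).StartsWith(Path.GetFullPath(ScenarioCacheDirectory) + Path.DirectorySeparatorChar, StringComparison.Ordinal)) throw new ArgumentException("cache path escaped cache root", nameof(cacheItem));`. Separately, `cacheItem.StartsWith("scenario/json/general")` is culture-sensitive by default; pass `StringComparison.Ordinal`. The removed `filePath` local and the non-scenario branch of `Get` are outside the hunk, so I could not confirm how that branch now builds its path; `Get` continues past the hunk's last line.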
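Review bot: The scenario cache key is now derived in two places — `cacheItem + "?" + versionMd5` in `Get` and `filepath + "?" + md5` here — with nothing tying them together, so a later edit to either site silently turns every scenario lookup into a miss (the file `Get` probes is simply never written). Factor the derivation into one helper, `private static string ScenarioCacheFileName(string path, string md5) => CryptUtil.CalculateSha256(path + "?" + md5);`, and call it from both sites. `File.WriteAllBytesAsync` throws `DirectoryNotFoundException` if `ScenarioCacheDirectory` does not exist, and this diff does not create it; please confirm something like `Directory.CreateDirectory(ScenarioCacheDirectory)` runs at construction. Also, `var filename` is declared directly in a switch section, so it shares scope with the `default:` branch below; wrap the case body in braces if that branch declares a local of the same name. This hunk is the middle of the store method, whose signature and end are outside the diff.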
@@ -63,6 +63,8 @@ namespace KamihamaWeb.Services
  public async Task UpdateMasterLists()
  {
  Log.Information("Updating master lists.");
+ UpdateIsRunning = true;
+
  var workGamedataAssets = new Dictionary>();
  foreach (var assetToMod in ModdedAssetLists)
  {
@@ -78,12 +80,10 @@ namespace KamihamaWeb.Services
  workGamedataAssets.Add(assetToMod, masterJson);
  }
- IsReady = false;
- GamedataAssets.Clear();
- Log.Information("Configuring master list...");
  var postProcessingGeneralScenario = new Dictionary();
+ var newGamedataAssets = new Dictionary>();
  long counterReplace = 0;
  long counterSkip = 0;
@@ -123,7 +123,7 @@ namespace KamihamaWeb.Services
  counterNew++;
  }
  }
- GamedataAssets.Add(assetType.Key, readyAssets);
+ newGamedataAssets.Add(assetType.Key, readyAssets);
  }
  Log.Information($"Finished setting up. {counterReplace} replaced assets, {counterSkip} duplicate assets, {counterNew} new assets, {counterPost} assets for post processing.");
@@ -135,7 +135,7 @@ namespace KamihamaWeb.Services
  var split = asset.Key.Split("/").Last();
  var scenario = split[0..^5]; // Trim .json from end
  //Log.Debug($"Adding script {scenario}.");
- GamedataAssets.Add($"asset_scenario_{scenario}", new Dictionary()
+ newGamedataAssets.Add($"asset_scenario_{scenario}", new Dictionary()
  {
  {scenario,asset.Value}
  });
@@ -147,9 +147,13 @@ namespace KamihamaWeb.Services
  {
  var builtJson = await _builder.BuildScenarioGeneralJson(asset.Value, EnglishMasterAssets);
- GamedataAssets["asset_main"].Add(builtJson.Path, builtJson);
+ newGamedataAssets["asset_main"].Add(builtJson.Path, builtJson);
  }
+
+ IsReady = false;
+ GamedataAssets = newGamedataAssets;
  IsReady = true;
+ UpdateIsRunning = false;
  return true;
  }
@@ -193,6 +197,7 @@ namespace KamihamaWeb.Services
  }
  public bool IsReady { get; set; } = false;
+ public bool UpdateIsRunning { get; set; } = false;
  public long AssetsCurrentVersion { get; set; }
  public Dictionary EnglishMasterAssets { get; set; }
  public Dictionary> GamedataAssets { get; set; }
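Review bot: `UpdateIsRunning = true;` is set at the top of `UpdateMasterLists` but, from the rest of this file's hunks, only cleared on the success path, so an exception anywhere in the asset loop that follows leaves the flag stuck at `true` and presumably blocks every later refresh until the process restarts. Wrap the body in `try { ... } finally { UpdateIsRunning = false; }` so the flag is released on every exit. Note also that a plain `bool` property is not a check-and-set: two callers that both observe `false` before either writes `true` will both run the refresh concurrently; if that matters, guard with `Interlocked.CompareExchange` on an `int` field or a `SemaphoreSlim(1, 1)`. I cannot see the callers of the flag in this diff, and the method body continues past this hunk.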
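Review bot: The `IsReady = false;` / `IsReady = true;` pair now brackets a single reference assignment, `GamedataAssets = newGamedataAssets;`, which other threads observe atomically, so the `false` window no longer protects anything and only hands a concurrent reader a spurious "not ready"; I would drop the added `IsReady = false;` and keep `IsReady = true;` for first-load readiness. Publishing a fully built dictionary instead of clearing the live one in place is the right fix, but it only helps readers that capture the property once (`var assets = GamedataAssets;`) rather than indexing `GamedataAssets[...]` across several statements, so document that on the assignment: `// Published as one reference swap; readers must snapshot GamedataAssets into a local before indexing it.`. Whether the readers do so is not visible in this diff.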
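Review bot: `UpdateIsRunning` is added with a public setter, so any code holding the service can flip it and either block refreshes indefinitely or allow a second concurrent one; since only `UpdateMasterLists` in this class writes it, declare it `public bool UpdateIsRunning { get; private set; } = false;`. If it is read from another thread (for example a request handler deciding whether to start a refresh), an auto-property gives no visibility guarantee, so back it with a `private volatile bool _updateIsRunning;` field instead. I cannot see the flag's consumers in this diff, so treat the threading part as a question rather than a finding.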
@@ -210,6 +215,11 @@ namespace KamihamaWeb.Services
  }
  }
+ public async Task RunUpdate()
+ {
+ return true;
+ }
+
  public async Task ProvideJson(string which)
  {
  if (which == "asset_config")
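Review bot: `RunUpdate` is declared `async` but contains no `await` and unconditionally returns `true` (compiler warning CS1998), so it reports success for work it never performs. If it is a placeholder, say so and drop the `async`, `// TODO: not implemented; should reject when UpdateIsRunning and otherwise run UpdateMasterLists()`; otherwise implement it as `if (UpdateIsRunning) return false; return await UpdateMasterLists();`, which is also the natural consumer of the new flag. If this method is exposed through a controller it would let any caller trigger a full master-list rebuild, so it should sit behind authentication or an admin-only route; whether it is exposed cannot be seen from this diff.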