From f308b64aa73e184b9ba86402134cdb419fd97da4 Mon Sep 17 00:00:00 2001
From: Navoei
Date: Sun, 13 Nov 2022 19:06:05 -0600
Subject: [PATCH] Vulnerability Fix
This version patches a directory traversal vulerability.
---
 build.gradle | 2 +-
 gradle.properties | 2 +-
 .../customdiscsplugin/command/SubCommands/CreateCommand.java | 4 ++++
 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/build.gradle b/build.gradle
index abd312f..9104747 100644
--- a/build.gradle
+++ b/build.gradle
@@ -36,7 +36,7 @@ dependencies {
 implementation "io.papermc.paper:paper-api:${bukkit_version}"
 implementation "de.maxhenkel.voicechat:voicechat-api:${voicechat_api_version}"
- implementation "com.comphenix.protocol:ProtocolLib:5.0.0-SNAPSHOT"
+ compileOnly group: "com.comphenix.protocol", name: "ProtocolLib", version: "4.8.0";
 }
diff --git a/gradle.properties b/gradle.properties
index 1888317..a5ccb70 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -11,6 +11,6 @@ mod_id=customdiscsplugin
 # Target an older API to make it compatible with older versions of Simple Voice Chat
 voicechat_api_version=2.3.3
-plugin_version=2.2.2
+plugin_version=2.2.3
 maven_group=me.Navoei.customdiscsplugin
 archives_base_name=custom-discs
\ No newline at end of file
diff --git a/src/main/java/me/Navoei/customdiscsplugin/command/SubCommands/CreateCommand.java b/src/main/java/me/Navoei/customdiscsplugin/command/SubCommands/CreateCommand.java
index 46302a6..84ea3b9 100644
--- a/src/main/java/me/Navoei/customdiscsplugin/command/SubCommands/CreateCommand.java
+++ b/src/main/java/me/Navoei/customdiscsplugin/command/SubCommands/CreateCommand.java
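Review bot: Switching ProtocolLib from `implementation` to `compileOnly` (and from `5.0.0-SNAPSHOT` to `4.8.0`) in the build.gradle hunk changes the runtime contract: the plugin now relies on the server providing ProtocolLib, so plugin.yml must list it under `depend`/`softdepend` or its classes will be missing at load time; plugin.yml is not in this diff, so please confirm. The version change is also unrelated to the traversal fix the commit message describes and deserves a sentence there, since an unexplained dependency downgrade is exactly what a supply-chain review flags. Pinning to a release rather than a SNAPSHOT is itself an improvement for build reproducibility. Consider dropping the stray trailing `;` on the new line, which Groovy tolerates but the neighbouring dependency lines do not use.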
@@ -53,6 +53,10 @@ public class CreateCommand extends SubCommand {
 //Find file, if file not there then say "file not there"
 String songname = "";
 String filename = args[1];
+ if (filename.contains("../")) {
+ player.sendMessage(ChatColor.RED + "This is an invalid filename!");
+ return;
+ }
 if (customName(readQuotes(args)).equalsIgnoreCase("")) {
 player.sendMessage(ChatColor.RED + "You must provide a name for your disc.");
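Review bot: The added guard `filename.contains("../")` rejects only one spelling of a traversal, so a bare `..`, a Windows `..\` separator, or an absolute path such as `/etc/passwd` or `C:\...` still passes and, depending on how `filename` is later joined to the plugin's music folder (that code is outside this hunk), can still escape it. A robust check resolves the candidate against the intended base directory and verifies containment with `Path.startsWith` instead of pattern-matching the string; that needs `java.nio.file.Path` imported, and the import block is not in view. The later file lookup should then use the resolved `target` rather than re-joining the raw `filename`, otherwise the check and the use can diverge. The enclosing command handler starts before and continues after this hunk, and the directory the file is resolved against is not visible here, so `musicDir` below is a placeholder for whatever `File` the plugin actually uses.
```java
String filename = args[1];
// Resolve against the real music directory and require the result to stay inside it;
// this covers "..", "..\", absolute paths and mixed separators, not just "../".
Path base = musicDir.toPath().toAbsolutePath().normalize();
Path target = base.resolve(filename).normalize();
if (!target.startsWith(base)) {
    player.sendMessage(ChatColor.RED + "This is an invalid filename!");
    return;
}
// … unchanged: disc-name validation and the rest of the handler …
```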