Add path traversal protections across multiple modules

- Implemented path traversal checks in RoboRumbleAtHome, AutoExtract, JarExtractor, and RobotFileSystemManager.
- Ensured all file and directory operations validate paths against trusted directories or normalize paths.
- Enhanced error reporting for invalid paths and added safeguards during directory and file creation or renaming.

Author: flemming-n-larsen

gradle.properties

@@ -1,5 +1,5 @@
 # The version of Robocode
-version=1.10.1
+version=1.10.2
 
 # These are set to dummy values as they don't exist when run on GitHub actions
 ossrhUsername=dummy

robocode.host/src/main/java/net/sf/robocode/host/io/RobotFileSystemManager.java

@@ -295,7 +295,14 @@ private void updateDataFilesFromJar() throws IOException {
 				os = null;
 				try {
 					is = jarFile.getInputStream(jarEntry);
-					os = new FileOutputStream(new File(parent, filename));
+					File targetFile = new File(parent, filename);
+					File canonicalParent = parent.getCanonicalFile();
+					File canonicalTarget = targetFile.getCanonicalFile();
+					if (!canonicalTarget.getPath().startsWith(canonicalParent.getPath())) {
+						Logger.logError("Path traversal attempt detected: " + filename);
+						continue;
+					}
+					os = new FileOutputStream(canonicalTarget);
 					copyStream(is, os);
 				} finally {
 					FileUtil.cleanupStream(is);

robocode.host/src/main/java/net/sf/robocode/host/security/RobotThreadManager.java

@@ -103,7 +103,9 @@ public boolean waitForStop() {
 
 		Thread[] threads = new Thread[100];
 
-		runThreadGroup.enumerate(threads);
+		if (runThreadGroup != null) {
+			runThreadGroup.enumerate(threads);
+		}
 
 		for (Thread thread : threads) {
 			if (thread != null && thread != runThread && thread.isAlive()) {

robocode.installer/src/main/java/net/sf/robocode/installer/AutoExtract.java

@@ -255,7 +255,10 @@ private boolean extract(File installDir) {
                         }
 
                         File outputFile = new File(installDir, entryName);
-
+                        // Path traversal protection
+                        if (!outputFile.toPath().normalize().startsWith(installDir.toPath().normalize())) {
+                            throw new RuntimeException("Bad zip entry: " + entryName);
+                        }
                         File parentDirectory = new File(outputFile.getParent());
                         if (!parentDirectory.exists() && !parentDirectory.mkdirs()) {
                             System.err.println("Can't create dir: " + parentDirectory);
@@ -289,7 +292,7 @@ private boolean extract(File installDir) {
                         if (isShFile || isCommandFile) {
                             String filePath = outputFile.getAbsolutePath();
 
-                            // Remove ^M (MS DOS) characters, if they exists
+                            // Remove ^M (MS DOS) characters if they exist
                             dos2unix(filePath);
 
                             // Set file permissions for .sh and .command files under Unix and Mac OS X
@@ -426,25 +429,42 @@ private static boolean install(File suggestedDir) {
             // The .robotcache has been renamed to .data
             File robotsCacheDir = new File(installDir, "robots/.robotcache");
             File robotsDataDir = new File(installDir, "robots/.data");
-
+            // Path traversal protection for robotsCacheDir and robotsDataDir
+            if (!robotsCacheDir.toPath().normalize().startsWith(installDir.toPath().normalize()) ||
+                !robotsDataDir.toPath().normalize().startsWith(installDir.toPath().normalize())) {
+                throw new RuntimeException("Bad robots cache/data directory");
+            }
             if (robotsCacheDir.exists()) {
                 // Rename ".robotcache" into ".data"
-                robotsCacheDir.renameTo(robotsDataDir);
+                if (!robotsCacheDir.renameTo(robotsDataDir)) {
+                    System.err.println("Failed to rename .robotcache to .data");
+                }
             }
-
             // Fix problem with .data starting with a underscore dir by
             // renaming files containing ".data/_" into ".data"
             if (robotsDataDir.exists()) {
                 File underScoreDir = new File(robotsDataDir, "_");
+                // Path traversal protection for underScoreDir
+                if (!underScoreDir.toPath().normalize().startsWith(robotsDataDir.toPath().normalize())) {
+                    throw new RuntimeException("Bad underscore directory in .data");
+                }
                 String[] list = underScoreDir.list();
-
                 if (list != null) {
                     for (String fileName : list) {
                         File file = new File(underScoreDir, fileName);
-
-                        file.renameTo(new File(robotsDataDir, fileName));
+                        File targetFile = new File(robotsDataDir, fileName);
+                        // Path traversal protection for file and targetFile
+                        if (!file.toPath().normalize().startsWith(underScoreDir.toPath().normalize()) ||
+                            !targetFile.toPath().normalize().startsWith(robotsDataDir.toPath().normalize())) {
+                            throw new RuntimeException("Bad file in underscore directory: " + fileName);
+                        }
+                        if (!file.renameTo(targetFile)) {
+                            System.err.println("Failed to rename " + file.getAbsolutePath() + " to " + targetFile.getAbsolutePath());
+                        }
+                    }
+                    if (!underScoreDir.delete()) {
+                        System.err.println("Failed to delete underscore directory: " + underScoreDir.getAbsolutePath());
                     }
-                    underScoreDir.delete();
                 }
             }
 

robocode.repository/src/main/java/net/sf/robocode/repository/packager/JarExtractor.java

@@ -46,7 +46,12 @@ public static void extractJar(URL url) {
 			while (entry != null) {
 				if (entry.isDirectory()) {
 					File dir = new File(dest, entry.getName());
-
+					// Path traversal protection
+					if (!dir.toPath().normalize().startsWith(dest.toPath().normalize())) {
+						Logger.logError("Path traversal attempt detected in directory entry: " + entry.getName());
+						entry = jarIS.getNextJarEntry();
+						continue;
+					}
 					if (!dir.exists() && !dir.mkdirs()) {
 						Logger.logError("Cannot create dir: " + dir);
 					}
@@ -66,8 +71,12 @@ public static void extractJar(URL url) {
 
 	public static void extractFile(File dest, JarInputStream jarIS, JarEntry entry) throws IOException {
 		File out = new File(dest, entry.getName());
+		// Path traversal protection
+		if (!out.toPath().normalize().startsWith(dest.toPath().normalize())) {
+			Logger.logError("Path traversal attempt detected in file entry: " + entry.getName());
+			return;
+		}
 		File parentDirectory = new File(out.getParent());
-
 		if (!parentDirectory.exists() && !parentDirectory.mkdirs()) {
 			Logger.logError("Cannot create dir: " + parentDirectory);
 		}

robocode.roborumble/src/main/java/roborumble/RoboRumbleAtHome.java

@@ -16,7 +16,7 @@
 
 import static net.sf.robocode.roborumble.util.PropertiesUtil.getProperties;
 
-import java.util.Map;
+import java.nio.file.Paths;
 import java.util.Properties;
 
 
@@ -45,8 +45,12 @@ public static void main(String[] args) {
             System.out.println("No argument found specifying properties file. \"" + paramsFileName + "\" assumed.");
         }
 
+        // Define trusted directory
+        String trustedDir = "./roborumble";
+        // Validate paramsFileName is inside trustedDir
+        String safeParamsFilePath = getSafePath(paramsFileName, trustedDir);
         // Read parameters for running the app
-        Properties properties = getProperties(paramsFileName);
+        Properties properties = getProperties(safeParamsFilePath);
 
         String envUser = System.getenv("RUMBLE_USER");
         if (envUser != null) {
@@ -82,10 +86,12 @@ public static void main(String[] args) {
         boolean participantsdownloaded;
         String version = null;
         String game = paramsFileName;
-        while (game.indexOf("/") != -1) {
-            game = game.substring(game.indexOf("/") + 1);
+        // Path traversal protection: extract only the filename
+        String safeGame = Paths.get(game).getFileName().toString();
+        if (safeGame.contains("..") || safeGame.contains("/") || safeGame.contains("\\")) {
+            throw new RuntimeException("Invalid game filename: " + safeGame);
         }
-        game = game.substring(0, game.indexOf("."));
+        game = safeGame.substring(0, safeGame.indexOf("."));
 
         do {
             final BattlesRunner engine = new BattlesRunner(game, properties);
@@ -125,7 +131,7 @@ public static void main(String[] args) {
                 final boolean isMelee = melee.equals("YES");
 
                 boolean ready;
-                PrepareBattles battles = new PrepareBattles(paramsFileName);
+                PrepareBattles battles = new PrepareBattles(safeParamsFilePath);
 
                 if (isMelee) {
                     System.out.println("Preparing melee battles list ...");
@@ -179,4 +185,21 @@ public static void main(String[] args) {
         // With Java 5 this causes a IllegalThreadStateException, but not in Java 6
         // System.exit(0);
     }
+
+    private static String sanitizeFileName(String fileName) {
+        String safeName = Paths.get(fileName).getFileName().toString();
+        if (safeName.contains("..") || safeName.contains("/") || safeName.contains("\\")) {
+            throw new RuntimeException("Invalid file name: " + safeName);
+        }
+        return safeName;
+    }
+
+    private static String getSafePath(String fileName, String trustedDir) {
+        java.nio.file.Path trustedPath = Paths.get(trustedDir).toAbsolutePath().normalize();
+        java.nio.file.Path filePath = Paths.get(fileName).toAbsolutePath().normalize();
+        if (!filePath.startsWith(trustedPath)) {
+            throw new RuntimeException("Path traversal or access outside trusted directory: " + fileName);
+        }
+        return filePath.toString();
+    }
 }

versions.md

@@ -1,3 +1,9 @@
+## Version 1.10.2 (24-Dec-2025)
+
+### Bugfix
+
+- Fixing security issues (CWE-23)
+
 ## Version 1.10.1 (09-Dec-2025)
 
 ### Bugfix