fix: address download review feedback

Agent-Logs-Url: https://github.com/OpenLoco/ObjectEditor/sessions/8fca8cd2-b4dd-4d4e-928a-37cfb8017f82

Co-authored-by: LeftofZen <7483209+LeftofZen@users.noreply.github.com>

Author: Copilot

Gui/ViewModels/FolderTreeViewModel.cs

@@ -15,6 +15,9 @@
 using Gui.Models;
 using Gui.ViewModels.Filters;
 using Index;
+using MsBox.Avalonia;
+using MsBox.Avalonia.Dto;
+using MsBox.Avalonia.Enums;
 using ReactiveUI;
 using ReactiveUI.Fody.Helpers;
 using System;
@@ -824,8 +827,29 @@ async Task DownloadOnlinePackAsync(OnlineItemPackBrowseResult pack)
 		}
 
 		var safePackName = Path.GetInvalidFileNameChars().Aggregate(pack.Name, (current, c) => current.Replace(c, '_'));
-		var filename = Path.Combine(EditorContext.Settings.DownloadFolder, $"{safePackName}.zip");
-		await File.WriteAllBytesAsync(filename, fileBytes);
-		EditorContext.Logger.Info($"Downloaded pack \"{pack.Name}\" to \"{filename}\"");
+		var filename = Path.Combine(EditorContext.Settings.DownloadFolder, $"{safePackName}-{pack.Id}.zip");
+		try
+		{
+			await using var outputStream = new FileStream(filename, FileMode.CreateNew, FileAccess.Write, FileShare.None, 4096, useAsync: true);
+			await outputStream.WriteAsync(fileBytes);
+			EditorContext.Logger.Info($"Downloaded pack \"{pack.Name}\" to \"{filename}\"");
+		}
+		catch (IOException ex)
+		{
+			EditorContext.Logger.Error($"Failed to download pack \"{pack.Name}\" to \"{filename}\"", ex);
+			var box = MessageBoxManager.GetMessageBoxStandard(new MessageBoxStandardParams
+			{
+				ContentTitle = "Download failed",
+				ContentMessage = $"Could not create:\n{filename}\n\nA file may already exist or be locked by another process.",
+				ButtonDefinitions = ButtonEnum.Ok,
+				Icon = Icon.Warning,
+				WindowStartupLocation = WindowStartupLocation.CenterOwner,
+				Topmost = true,
+				ShowInCenter = true,
+				SizeToContent = SizeToContent.WidthAndHeight,
+				MinHeight = 170,
+			});
+			_ = await box.ShowAsync();
+		}
 	}
 }

ObjectService/RouteHandlers/RouteHelpers.cs

@@ -2,6 +2,42 @@ namespace ObjectService.RouteHandlers;
 
 public static class RouteHelpers
 {
+	static readonly char[] PathSeparators = [Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar];
+
 	public static string MakeNicePlural(string name)
 		=> $"{name.Replace("RouteHandler", string.Empty)}s";
+
+	public static bool TryGetSafeRelativePathUnderRoot(string rootPath, string? relativePath, out string fullPath, out string normalizedRelativePath)
+	{
+		fullPath = string.Empty;
+		normalizedRelativePath = string.Empty;
+
+		if (string.IsNullOrWhiteSpace(relativePath) || Path.IsPathRooted(relativePath))
+		{
+			return false;
+		}
+
+		var segments = relativePath.Split(PathSeparators, StringSplitOptions.None);
+		if (segments.Any(x => string.IsNullOrEmpty(x) || x is "." or ".."))
+		{
+			return false;
+		}
+
+		var rootFullPath = Path.GetFullPath(rootPath);
+		if (!rootFullPath.EndsWith(Path.DirectorySeparatorChar))
+		{
+			rootFullPath += Path.DirectorySeparatorChar;
+		}
+
+		var combinedPath = Path.Combine(rootFullPath, relativePath);
+		var candidateFullPath = Path.GetFullPath(combinedPath);
+		if (!candidateFullPath.StartsWith(rootFullPath, StringComparison.OrdinalIgnoreCase))
+		{
+			return false;
+		}
+
+		fullPath = candidateFullPath;
+		normalizedRelativePath = relativePath.Replace('\\', '/');
+		return true;
+	}
 }

ObjectService/RouteHandlers/TableHandlers/ObjectPackRouteHandler.cs

@@ -69,7 +69,14 @@ public static async Task<IResult> GetObjectPackFileAsync([FromRoute] UniqueObjec
 		}
 
 		var sfm = sp.GetRequiredService<ServerFolderManager>();
-		var zipStream = new MemoryStream();
+		var tempZipPath = Path.Combine(Path.GetTempPath(), $"{Guid.NewGuid():N}.zip");
+		var zipStream = new FileStream(
+			tempZipPath,
+			FileMode.Create,
+			FileAccess.ReadWrite,
+			FileShare.None,
+			bufferSize: 4096,
+			options: FileOptions.Asynchronous | FileOptions.DeleteOnClose);
 
 		using (var archive = new ZipArchive(zipStream, ZipArchiveMode.Create, leaveOpen: true))
 		{
@@ -82,19 +89,25 @@ public static async Task<IResult> GetObjectPackFileAsync([FromRoute] UniqueObjec
 
 				foreach (var dat in obj.DatObjects)
 				{
-					if (!sfm.ObjectIndex.TryFind((dat.DatName, dat.DatChecksum), out var entry) || entry == null || string.IsNullOrEmpty(entry.FileName))
+					if (!sfm.ObjectIndex.TryFind((dat.DatName, dat.DatChecksum), out var entry) || entry == null)
 					{
 						continue;
 					}
 
-					var filePath = Path.Combine(sfm.ObjectsFolder, entry.FileName);
-					if (!File.Exists(filePath))
+					if (!RouteHelpers.TryGetSafeRelativePathUnderRoot(sfm.ObjectsFolder, entry.FileName, out var fullFilePath, out var entryName))
 					{
 						continue;
 					}
 
-					// Use the relative path from the objects folder as the entry name to avoid duplicate filename collisions
-					archive.CreateEntryFromFile(filePath, entry.FileName.Replace('\\', '/'));
+					if (!File.Exists(fullFilePath))
+					{
+						continue;
+					}
+
+					await using var fileStream = File.OpenRead(fullFilePath);
+					var zipEntry = archive.CreateEntry(entryName, CompressionLevel.Optimal);
+					await using var entryStream = zipEntry.Open();
+					await fileStream.CopyToAsync(entryStream);
 				}
 			}
 		}

ObjectService/RouteHandlers/TableHandlers/SC5FilePackRouteHandler.cs

@@ -67,20 +67,33 @@ public static async Task<IResult> GetSC5FilePackFileAsync([FromRoute] UniqueObje
 		}
 
 		var sfm = sp.GetRequiredService<ServerFolderManager>();
-		var zipStream = new MemoryStream();
+		var tempZipPath = Path.Combine(Path.GetTempPath(), $"{Guid.NewGuid():N}.zip");
+		var zipStream = new FileStream(
+			tempZipPath,
+			FileMode.Create,
+			FileAccess.ReadWrite,
+			FileShare.None,
+			bufferSize: 4096,
+			options: FileOptions.Asynchronous | FileOptions.DeleteOnClose);
 
 		using (var archive = new ZipArchive(zipStream, ZipArchiveMode.Create, leaveOpen: true))
 		{
 			foreach (var sc5File in pack.SC5Files)
 			{
-				var filePath = Path.Combine(sfm.ScenariosFolder, sc5File.Name);
-				if (!File.Exists(filePath))
+				if (!RouteHelpers.TryGetSafeRelativePathUnderRoot(sfm.ScenariosFolder, sc5File.Name, out var fullFilePath, out var entryName))
 				{
 					continue;
 				}
 
-				// Use the relative path as the entry name to avoid duplicate filename collisions
-				archive.CreateEntryFromFile(filePath, sc5File.Name.Replace('\\', '/'));
+				if (!File.Exists(fullFilePath))
+				{
+					continue;
+				}
+
+				await using var fileStream = File.OpenRead(fullFilePath);
+				var entry = archive.CreateEntry(entryName, CompressionLevel.Optimal);
+				await using var entryStream = entry.Open();
+				await fileStream.CopyToAsync(entryStream);
 			}
 		}
 

ObjectService/RouteHandlers/TableHandlers/ScenarioRouteHandler.cs

@@ -23,7 +23,9 @@ public static void MapAdditionalRoutes(IEndpointRouteBuilder parentRoute)
 	}
 
 	static string[] GetSortedScenarioFiles(string scenarioFolder)
-		=> [.. Directory.GetFiles(scenarioFolder, "*.SC5", SearchOption.AllDirectories).OrderBy(x => x)];
+		=> [.. Directory
+			.GetFiles(scenarioFolder, "*.SC5", SearchOption.AllDirectories)
+			.OrderBy(x => Path.GetRelativePath(scenarioFolder, x), StringComparer.Ordinal)];
 
 	static async Task<IResult> ListAsync([FromServices] IServiceProvider sp)
 		=> await Task.Run(() =>
@@ -36,21 +38,20 @@ static async Task<IResult> ListAsync([FromServices] IServiceProvider sp)
 			return Results.Ok(filenames.ToList());
 		});
 
-	static async Task<IResult> GetScenarioFileAsync([FromRoute] UniqueObjectId id, [FromServices] IServiceProvider sp)
-		=> await Task.Run(() =>
-		{
-			var sfm = sp.GetRequiredService<ServerFolderManager>();
-			var files = GetSortedScenarioFiles(sfm.ScenariosFolder);
+	static Task<IResult> GetScenarioFileAsync([FromRoute] UniqueObjectId id, [FromServices] IServiceProvider sp)
+	{
+		var sfm = sp.GetRequiredService<ServerFolderManager>();
+		var files = GetSortedScenarioFiles(sfm.ScenariosFolder);
 
-			if (id >= (ulong)files.Length)
-			{
-				return Results.NotFound();
-			}
+		if (id >= (ulong)files.Length)
+		{
+			return Task.FromResult<IResult>(Results.NotFound());
+		}
 
-			var path = files[(int)id];
-			const string contentType = "application/octet-stream";
-			return Results.File(path, contentType, Path.GetFileName(path));
-		});
+		var path = files[(int)id];
+		const string contentType = "application/octet-stream";
+		return Task.FromResult<IResult>(Results.File(path, contentType, Path.GetFileName(path)));
+	}
 
 	static async Task<IResult> CreateAsync(DtoScenarioEntry request)
 		=> await Task.Run(() => Results.Problem(statusCode: StatusCodes.Status501NotImplemented));

Tests/ObjectServiceIntegrationTests/DownloadRoutesTest.cs

@@ -0,0 +1,170 @@
+using Definitions;
+using Definitions.Database;
+using Definitions.ObjectModels.Types;
+using Definitions.Web;
+using Index;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using NUnit.Framework;
+using System.IO.Compression;
+
+namespace ObjectService.Tests.Integration;
+
+[TestFixture]
+public class DownloadRoutesTest
+{
+	HttpClient? httpClient;
+	TestWebApplicationFactory<Program>? testWebAppFactory;
+
+	[SetUp]
+	public void SetUp()
+	{
+		testWebAppFactory = new TestWebApplicationFactory<Program>();
+		httpClient = testWebAppFactory.CreateClient();
+	}
+
+	[TearDown]
+	public void TearDown()
+	{
+		httpClient?.Dispose();
+		testWebAppFactory?.Dispose();
+	}
+
+	[Test]
+	public async Task GetScenarioFileAsync_ReturnsFileMatchingSortedListOrder()
+	{
+		using var scope = testWebAppFactory!.Services.CreateScope();
+		var sfm = scope.ServiceProvider.GetRequiredService<ServerFolderManager>();
+
+		var alphaRelativePath = Path.Combine(ServerFolderManager.CustomFolderName, "alpha.SC5");
+		var zuluRelativePath = Path.Combine(ServerFolderManager.CustomFolderName, "zulu.SC5");
+		var alphaPath = Path.Combine(sfm.ScenariosFolder, alphaRelativePath);
+		var zuluPath = Path.Combine(sfm.ScenariosFolder, zuluRelativePath);
+
+		await File.WriteAllBytesAsync(zuluPath, [9, 9, 9]);
+		await File.WriteAllBytesAsync(alphaPath, [1, 2, 3]);
+
+		var list = await Client.GetListAsync<Definitions.DTO.DtoScenarioEntry>(httpClient!, Client.ScenariosEndpointGroup);
+		var firstScenario = list.First();
+
+		using var response = await httpClient!.GetAsync($"{RoutesV2.Prefix}{RoutesV2.Scenarios}/{firstScenario.Id}{RoutesV2.File}");
+		var bytes = await response.Content.ReadAsByteArrayAsync();
+
+		using (Assert.EnterMultipleScope())
+		{
+			Assert.That(response.IsSuccessStatusCode, Is.True);
+			Assert.That(firstScenario.Name, Is.EqualTo(alphaRelativePath));
+			Assert.That(bytes, Is.EqualTo(new byte[] { 1, 2, 3 }));
+		}
+	}
+
+	[Test]
+	public async Task GetSC5FilePackFileAsync_ReturnsZipWithOnlySafeScenarioEntries()
+	{
+		using var scope = testWebAppFactory!.Services.CreateScope();
+		var sp = scope.ServiceProvider;
+		var db = sp.GetRequiredService<LocoDbContext>();
+		var sfm = sp.GetRequiredService<ServerFolderManager>();
+		var config = sp.GetRequiredService<IConfiguration>();
+		var rootFolder = config["ObjectService:RootFolder"];
+		ArgumentNullException.ThrowIfNull(rootFolder);
+
+		var safeRelativePath = Path.Combine(ServerFolderManager.CustomFolderName, "pack-safe.SC5");
+		var safePath = Path.Combine(sfm.ScenariosFolder, safeRelativePath);
+		await File.WriteAllBytesAsync(safePath, [1, 2, 3, 4]);
+
+		var outsidePath = Path.Combine(rootFolder, "outside.SC5");
+		await File.WriteAllBytesAsync(outsidePath, [7, 7, 7]);
+
+		var pack = new TblSC5FilePack
+		{
+			Id = 1,
+			Name = "Scenario Pack",
+			SC5Files =
+			[
+				new TblSC5File { Id = 1, Name = safeRelativePath },
+				new TblSC5File { Id = 2, Name = Path.Combine("..", "outside.SC5") },
+			],
+		};
+
+		_ = await db.SC5FilePacks.AddAsync(pack);
+		_ = await db.SaveChangesAsync();
+
+		using var response = await httpClient!.GetAsync($"{RoutesV2.Prefix}{RoutesV2.SC5FilePacks}/{pack.Id}{RoutesV2.File}");
+		var bytes = await response.Content.ReadAsByteArrayAsync();
+		using var archive = new ZipArchive(new MemoryStream(bytes), ZipArchiveMode.Read);
+
+		using (Assert.EnterMultipleScope())
+		{
+			Assert.That(response.IsSuccessStatusCode, Is.True);
+			Assert.That(response.Content.Headers.ContentType?.MediaType, Is.EqualTo("application/zip"));
+			Assert.That(archive.Entries.Select(x => x.FullName), Is.EqualTo(new[] { safeRelativePath.Replace('\\', '/') }));
+			await using var entryStream = archive.Entries.Single().Open();
+			using var entryMemoryStream = new MemoryStream();
+			await entryStream.CopyToAsync(entryMemoryStream);
+			Assert.That(entryMemoryStream.ToArray(), Is.EqualTo(new byte[] { 1, 2, 3, 4 }));
+		}
+	}
+
+	[Test]
+	public async Task GetObjectPackFileAsync_ReturnsZipWithOnlySafeIndexedObjectEntries()
+	{
+		using var scope = testWebAppFactory!.Services.CreateScope();
+		var sp = scope.ServiceProvider;
+		var db = sp.GetRequiredService<LocoDbContext>();
+		var sfm = sp.GetRequiredService<ServerFolderManager>();
+		var config = sp.GetRequiredService<IConfiguration>();
+		var rootFolder = config["ObjectService:RootFolder"];
+		ArgumentNullException.ThrowIfNull(rootFolder);
+
+		var safeRelativePath = Path.Combine(ServerFolderManager.CustomFolderName, "safe-object.dat");
+		var safePath = Path.Combine(sfm.ObjectsFolder, safeRelativePath);
+		await File.WriteAllBytesAsync(safePath, [4, 3, 2, 1]);
+
+		var outsidePath = Path.Combine(rootFolder, "outside.dat");
+		await File.WriteAllBytesAsync(outsidePath, [8, 8, 8]);
+
+		sfm.ObjectIndex.Objects.Add(new ObjectIndexEntry("SAFEOBJ", safeRelativePath, null, 111, null, ObjectType.Vehicle, ObjectSource.Custom, null, null));
+		sfm.ObjectIndex.Objects.Add(new ObjectIndexEntry("UNSAFEOBJ", Path.Combine("..", "outside.dat"), null, 222, null, ObjectType.Vehicle, ObjectSource.Custom, null, null));
+
+		var obj = new TblObject
+		{
+			Id = 1,
+			Name = "safe-obj",
+			SubObjectId = 1,
+			ObjectType = ObjectType.Vehicle,
+			ObjectSource = ObjectSource.Custom,
+			Availability = ObjectAvailability.Available,
+			DatObjects =
+			[
+				new TblDatObject { Id = 1, DatName = "SAFEOBJ", DatChecksum = 111, xxHash3 = 1, ObjectId = 1 },
+				new TblDatObject { Id = 2, DatName = "UNSAFEOBJ", DatChecksum = 222, xxHash3 = 2, ObjectId = 1 },
+			],
+		};
+
+		var pack = new TblObjectPack
+		{
+			Id = 1,
+			Name = "Object Pack",
+			Objects = [obj],
+		};
+
+		_ = await db.ObjectPacks.AddAsync(pack);
+		_ = await db.SaveChangesAsync();
+
+		using var response = await httpClient!.GetAsync($"{RoutesV2.Prefix}{RoutesV2.ObjectPacks}/{pack.Id}{RoutesV2.File}");
+		var bytes = await response.Content.ReadAsByteArrayAsync();
+		using var archive = new ZipArchive(new MemoryStream(bytes), ZipArchiveMode.Read);
+
+		using (Assert.EnterMultipleScope())
+		{
+			Assert.That(response.IsSuccessStatusCode, Is.True);
+			Assert.That(response.Content.Headers.ContentType?.MediaType, Is.EqualTo("application/zip"));
+			Assert.That(archive.Entries.Select(x => x.FullName), Is.EqualTo(new[] { safeRelativePath.Replace('\\', '/') }));
+			await using var entryStream = archive.Entries.Single().Open();
+			using var entryMemoryStream = new MemoryStream();
+			await entryStream.CopyToAsync(entryMemoryStream);
+			Assert.That(entryMemoryStream.ToArray(), Is.EqualTo(new byte[] { 4, 3, 2, 1 }));
+		}
+	}
+}