From bbfc364119ab15ec4600f9020e89e97e9f5e86aa Mon Sep 17 00:00:00 2001
From: Kelsi <kelsihates2fa@gmail.com>
Date: Wed, 6 May 2026 06:12:11 -0700
Subject: [PATCH] fix(editor): texture exporter rejects path-traversal in
 source M2/WMO texture paths

Texture paths come from M2/WMO files which a malicious zone author
could craft to include '..' or absolute paths. Without this check,
exporting such a zone would write PNGs outside outputDir/textures/
and clobber sibling export files.
---
 tools/editor/texture_exporter.cpp | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/tools/editor/texture_exporter.cpp b/tools/editor/texture_exporter.cpp
index c79ce0be..c169c471 100644
--- a/tools/editor/texture_exporter.cpp
+++ b/tools/editor/texture_exporter.cpp
@@ -117,6 +117,14 @@ int TextureExporter::exportTexturesAsPng(pipeline::AssetManager* am,
         if (dotPos != std::string::npos)
             outPath = outPath.substr(0, dotPos) + ".png";
 
+        // Reject path-traversal attempts in the source path. Texture paths
+        // come from M2/WMO files which a malicious zone could craft.
+        if (outPath.find("..") != std::string::npos ||
+            (!outPath.empty() && (outPath[0] == '/' || outPath[0] == '\\'))) {
+            LOG_WARNING("Texture path rejected (traversal attempt): ", texPath);
+            continue;
+        }
+
         std::string fullPath = outputDir + "/" + outPath;
         fs::create_directories(fs::path(fullPath).parent_path());