Merge branch '1.19.2' into 1.18.2

# Conflicts:
#	common/src/main/java/org/figuramc/figura/lua/api/net/HttpRequestsAPI.java
#	common/src/main/java/org/figuramc/figura/lua/api/net/SocketAPI.java

common/src/main/java/org/figuramc/figura/avatar/Avatar.java

@@ -40,7 +40,6 @@
 import org.figuramc.figura.lua.api.TextureAPI;
 import org.figuramc.figura.lua.api.data.FiguraBuffer;
 import org.figuramc.figura.lua.api.entity.EntityAPI;
-import org.figuramc.figura.lua.api.net.FiguraSocket;
 import org.figuramc.figura.lua.api.particle.ParticleAPI;
 import org.figuramc.figura.lua.api.ping.PingArg;
 import org.figuramc.figura.lua.api.ping.PingFunction;
@@ -109,7 +108,6 @@ public class Avatar {
 
     // Runtime data
     private final Queue<Runnable> events = new ConcurrentLinkedQueue<>();
-    public final ArrayList<FiguraSocket> openSockets = new ArrayList<>();
     public final ArrayList<FiguraBuffer> openBuffers = new ArrayList<>();
     public AvatarRenderer renderer;
     public FiguraLuaRuntime luaRuntime;
@@ -935,7 +933,6 @@ public void clean() {
 
         clearSounds();
         clearParticles();
-        closeSockets();
         closeBuffers();
 
         events.clear();
@@ -947,18 +944,6 @@ public void clearSounds() {
             value.releaseAlBuffer();
     }
 
-    public void closeSockets() {
-        for (FiguraSocket socket :
-                openSockets) {
-            if (!socket.isClosed()) {
-                try {
-                    socket.baseClose();
-                } catch (Exception ignored) {}
-            }
-        }
-        openSockets.clear();
-    }
-
     public void closeBuffers() {
         for (FiguraBuffer buffer :
                 openBuffers) {

common/src/main/java/org/figuramc/figura/config/ConfigType.java

@@ -352,7 +352,6 @@ public JsonElement serialize() {
                     filters) {
                 JsonObject o = new JsonObject();
                 o.addProperty("source", filter.getSource());
-                o.addProperty("mode", filter.getMode().getId());
                 array.add(o);
             }
             return array;
@@ -373,9 +372,7 @@ public void deserialize(JsonElement element) {
                 JsonPrimitive source = s.getAsJsonPrimitive();
                 JsonPrimitive mode = m.getAsJsonPrimitive();
                 if (!source.isString() || !mode.isNumber()) continue;
-                NetworkingAPI.Filter.FilterMode filterMode = NetworkingAPI.Filter.FilterMode.getById(mode.getAsInt());
-                if (filterMode == null) continue;
-                filters.add(new NetworkingAPI.Filter(source.getAsString(), filterMode));
+                filters.add(new NetworkingAPI.Filter(source.getAsString()));
             }
         }
 

common/src/main/java/org/figuramc/figura/gui/widgets/lists/NetworkFilterList.java

@@ -183,22 +183,17 @@ public List<NetworkFilterEntry> contents() {
     public static class NetworkFilterEntry extends AbstractContainerElement {
         private static final ResourceLocation deleteButtonLocation = new ResourceLocation("figura", "textures/gui/delete.png");
         private final NetworkingAPI.Filter sourceFilter;
-        private final EnumButton enumButton;
         private final IconButton deleteButton;
         private final TextField filterTextField;
         private final NetworkFilterList parent;
         public NetworkFilterEntry(NetworkFilterList parent, int x, int y, int width, int height) {
-            this(parent, x, y, width, height, new NetworkingAPI.Filter("https://example.com", NetworkingAPI.Filter.FilterMode.EQUALS));
+            this(parent, x, y, width, height, new NetworkingAPI.Filter("https://example.com"));
         }
 
         public NetworkFilterEntry(NetworkFilterList parent, int x, int y, int width, int height, NetworkingAPI.Filter sourceFilter) {
             super(x, y, width, height);
             this.parent = parent;
             this.sourceFilter = sourceFilter;
-            children.add(enumButton =
-                    new EnumButton(x+width-114, y, 90, 20, "gui.network_filter.list.filter_mode"
-                            ,sourceFilter.getMode().getId(), 5, this::onEnumSelect)
-            );
             children.add(filterTextField = new TextField(x, y, width - 118, 20, TextField.HintType.IP, this::onSourceChange));
             children.add(
                     deleteButton = new IconButton(x + width - 20, y, 20, 20,
@@ -227,17 +222,11 @@ private void onSourceChange(String s) {
             sourceFilter.setSource(s);
         }
 
-        private void onEnumSelect(int i) {
-            sourceFilter.setMode(NetworkingAPI.Filter.FilterMode.getById(i));
-        }
-
         private void repositionChildren() {
             int x = getX(), y = getY(), width = getWidth();
             filterTextField.setX(x);
             filterTextField.setY(y);
             filterTextField.setWidth(width - 118);
-            enumButton.setX(x+width-114);
-            enumButton.setY(y);
             deleteButton.setX(x+width-20);
             deleteButton.setY(y);
         }

common/src/main/java/org/figuramc/figura/lua/FiguraAPIManager.java

@@ -6,10 +6,8 @@
 import org.figuramc.figura.lua.api.data.*;
 import org.figuramc.figura.lua.api.json.*;
 import org.figuramc.figura.lua.api.entity.*;
-import org.figuramc.figura.lua.api.net.FiguraSocket;
 import org.figuramc.figura.lua.api.net.HttpRequestsAPI;
 import org.figuramc.figura.lua.api.net.NetworkingAPI;
-import org.figuramc.figura.lua.api.net.SocketAPI;
 import org.figuramc.figura.model.rendertasks.*;
 import org.figuramc.figura.lua.api.action_wheel.Action;
 import org.figuramc.figura.lua.api.action_wheel.ActionWheelAPI;
@@ -168,9 +166,6 @@ public class FiguraAPIManager {
 
         add(FiguraFuture.class);
 
-        add(SocketAPI.class);
-        add(FiguraSocket.class);
-
         add(RaycastAPI.class);
     }};
 

common/src/main/java/org/figuramc/figura/lua/FiguraLuaRuntime.java

@@ -406,7 +406,6 @@ public void error(Throwable e) {
         owner.luaRuntime = null;
         owner.clearParticles();
         owner.clearSounds();
-        owner.closeSockets();
         owner.closeBuffers();
     }
 

common/src/main/java/org/figuramc/figura/lua/api/AvatarAPI.java

@@ -330,18 +330,6 @@ public int getMaxBuffersCount() {
         return avatar.permissions.get(Permissions.BUFFERS_COUNT);
     }
 
-    @LuaWhitelist
-    @LuaMethodDoc("avatar.get_sockets_count")
-    public int getSocketsCount() {
-        return avatar.openSockets.size();
-    }
-
-    @LuaWhitelist
-    @LuaMethodDoc("avatar.get_max_sockets_count")
-    public int getMaxSocketsCount() {
-        return avatar.permissions.get(Permissions.MAX_SOCKETS);
-    }
-
     @LuaWhitelist
     @LuaMethodDoc("avatar.get_max_texture_size")
     public int getMaxTextureSize() {

common/src/main/java/org/figuramc/figura/lua/api/FileAPI.java

@@ -15,6 +15,7 @@
 import java.io.*;
 import java.nio.charset.Charset;
 import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -26,6 +27,7 @@ public class FileAPI {
     private final Avatar parent;
     private static final Path rootFolderPath = FiguraMod.getFiguraDirectory().resolve("data").toAbsolutePath()
             .normalize();
+    private static final String WRITE_NOT_ALLOWED = "You are only allowed to write in the data folder! Anything else is read only!";
 
     public FileAPI(Avatar parent) {
         this.parent = parent;
@@ -34,6 +36,7 @@ public FileAPI(Avatar parent) {
     private Path securityCheck(String path) {
         if (!parent.isHost) throw new LuaError("You can't use FileAPI outside of host environment");
         Path p = relativizePath(path);
+        if (Files.isSymbolicLink(p)) throw new LuaError("Symbolic links are not allowed in FileAPI %s!".formatted(path));
         if (!isPathAllowed(p)) throw new LuaError("Path %s is not allowed in FileAPI".formatted(path));
         return p;
     }
@@ -58,7 +61,7 @@ public boolean isPathAllowed(@LuaNotNil String path) {
     }
 
     public boolean isPathAllowed(Path path) {
-        return path.toAbsolutePath().startsWith(rootFolderPath);
+        return !Files.isSymbolicLink(path) && path.toAbsolutePath().startsWith(rootFolderPath);
     }
 
     @LuaWhitelist
@@ -149,6 +152,9 @@ public FiguraInputStream openReadStream(@LuaNotNil String path) {
     public FiguraOutputStream openWriteStream(@LuaNotNil String path) {
         try {
             Path p = securityCheck(path);
+            if (!p.startsWith(rootFolderPath)) {
+                throw new LuaError(WRITE_NOT_ALLOWED);
+            }
             File f = p.toFile();
             FileOutputStream fos = new FileOutputStream(f);
             return new FiguraOutputStream(fos);
@@ -218,6 +224,9 @@ public void writeString(@LuaNotNil String path, @LuaNotNil String data, String e
     )
     public boolean mkdir(@LuaNotNil String path) {
         Path p = securityCheck(path);
+        if (!p.startsWith(rootFolderPath)) {
+            throw new LuaError(WRITE_NOT_ALLOWED);
+        }
         File f = p.toFile();
         return f.mkdir();
     }
@@ -233,6 +242,9 @@ public boolean mkdir(@LuaNotNil String path) {
     )
     public boolean mkdirs(@LuaNotNil String path) {
         Path p = securityCheck(path);
+        if (!p.startsWith(rootFolderPath)) {
+            throw new LuaError(WRITE_NOT_ALLOWED);
+        }
         File f = p.toFile();
         return f.mkdirs();
     }
@@ -248,6 +260,9 @@ public boolean mkdirs(@LuaNotNil String path) {
     )
     public boolean delete(@LuaNotNil String path) {
         Path p = securityCheck(path);
+        if (!p.startsWith(rootFolderPath)) {
+            throw new LuaError(WRITE_NOT_ALLOWED);
+        }
         File f = p.toFile();
         return f.delete();
     }

common/src/main/java/org/figuramc/figura/lua/api/net/HttpRequestsAPI.java

@@ -1,7 +1,8 @@
 package org.figuramc.figura.lua.api.net;
 
-import net.minecraft.network.chat.Component;
 import net.minecraft.network.chat.TextComponent;
+import net.minecraft.network.chat.TranslatableComponent;
+import org.figuramc.figura.FiguraMod;
 import org.figuramc.figura.lua.api.data.FiguraBuffer;
 import org.figuramc.figura.lua.docs.LuaMethodOverload;
 import org.luaj.vm2.LuaError;
@@ -19,10 +20,7 @@
 import java.net.URI;
 import java.net.http.HttpClient;
 import java.net.http.HttpRequest;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Objects;
+import java.util.*;
 
 @LuaWhitelist
 @LuaTypeDoc(
@@ -32,6 +30,8 @@
 public class HttpRequestsAPI {
     private final NetworkingAPI parent;
     private final HttpClient httpClient;
+    private static final List<String> disallowedHeaders = Arrays.asList("Host", "X-Forwarded-Host", "X-Host");
+
     HttpRequestsAPI(NetworkingAPI parent) {
         this.parent = parent;
         httpClient = HttpClient.newBuilder().build();
@@ -260,6 +260,12 @@ private HttpRequest getRequest() {
                     HttpRequest.BodyPublishers.ofInputStream(this::inputStreamSupplier) : HttpRequest.BodyPublishers.noBody();
             for (Map.Entry<String, String> entry :
                     getHeaders().entrySet()) {
+                if (disallowedHeaders.stream().anyMatch(s -> s.equalsIgnoreCase(entry.getKey()))) {
+                    if (parent.parent.owner.isHost) {
+                        FiguraMod.sendChatMessage(new TranslatableComponent("figura.network.header_disabled", entry.getKey()));
+                    }
+                    continue;
+                }
                 builder.header(entry.getKey(), entry.getValue());
             }
             builder.method(getMethod(), bp);