[Security][Bugfix] Fix directory traversal exploit (#1907)

* [Security][Bugfix] Fix directory traversal exploit

1.The first slash will act as root path when resolving local path, so directory traversal is possible
2.Filter the illegal payload to prevent directory traversal
3.This also fix the bug about not loading the files in data folder when querying  `/hk4e/announcement/`

* Fix formatting

* Update src/main/java/emu/grasscutter/server/http/handlers/AnnouncementsHandler.java

src/main/java/emu/grasscutter/server/http/handlers/AnnouncementsHandler.java

@@ -14,6 +14,7 @@ import static emu.grasscutter.config.Configuration.*;
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.Objects;
+import java.util.StringJoiner;
 
 /**
  * Handles requests related to the announcements page.
@@ -72,7 +73,17 @@ public final class AnnouncementsHandler implements Router {
     }
 
     private static void getPageResources(Context ctx) {
-        try (InputStream filestream = DataLoader.load(ctx.path())) {
+        // Re-process the path - remove the first slash and prevent directory traversal
+        // (the first slash will act as root path when resolving local path)
+        String[] path = ctx.path().split("/");
+        StringJoiner stringJoiner = new StringJoiner("/");
+        for (String pathName : path) {
+            // Filter the illegal payload to prevent directory traversal
+            if (!pathName.isEmpty() && !pathName.equals("..") && !pathName.contains("\\")) {
+                stringJoiner.add(pathName);
+            }
+        }
+        try (InputStream filestream = DataLoader.load(stringJoiner.toString())) {
             String possibleFilename = ctx.path();
 
             ContentType fromExtension = ContentType.getContentTypeByExtension(possibleFilename.substring(possibleFilename.lastIndexOf(".") + 1));