Spacehaven-modding-tools / spacehaven-modloader

An *unofficial* mod loader and modding tool for Space Haven by Bugbyte

Zip bomb issue #41

Open Zemogiter opened 3 months ago

Zemogiter commented 3 months ago

During the file merging phase, I get this error:

Traceback (most recent call last):
  File "/home/jonaszp/Downloads/spacehaven-modloader-master/spacehaven-modloader.py", line 684, in patchAndLaunch
    loader.load.load(self.jarPath, xmlMods, self.current_mods_signature())
  File "/home/jonaszp/Downloads/spacehaven-modloader-master/loader/load.py", line 35, in load
    loader.assets.library.patch(jarPath + '.vanilla', corePath, jarPath, extra_assets = extra_assets)
  File "/home/jonaszp/Downloads/spacehaven-modloader-master/loader/assets/library.py", line 44, in patch
    patched.writestr(file, original.read(file))
                           ^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/zipfile/__init__.py", line 1567, in read
    with self.open(name, "r", pwd) as fp:
         ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/zipfile/__init__.py", line 1652, in open
    raise BadZipFile(f"Overlapped entries: {zinfo.orig_filename!r} (possible zip bomb)")
zipfile.BadZipFile: Overlapped entries: 'META-INF/windows/arm64/org/lwjgl/glfw/glfw.dll.sha1' (possible zip bomb)

logs.txt

I'm compiling the source code on Lubuntu 24.04, Python 3.12.3. Playing the stable branch of Space Haven. Let me know if I need to add more info.

SagaciousZed commented 3 months ago

The trace actually points to an error reading the original jar.

Python 3.12 has the following change:

gh-109858: Protect zipfile from “quoted-overlap” zipbomb. It now raises BadZipFile when try to read an entry that overlaps with other entry or central directory.

Looks like the jar shipped in the game is an invalid zip file, likely caused by this Gradle bug.

The ZipFile implementation in 3.11 should have been patched to reject this type of malformed zip file, so it's likely some additional code will be needed to handle this case with modern Python implementations.
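A pre-flight check for the condition the quoted changelog entry describes, as an added example that is not part of this thread or of the modloader's code: it reports which entries of an archive overlap another entry or the central directory, on any Python version, so a jar can be inspected before `original.read(file)` is called. The names `overlapped_entries` and `make_sample` are hypothetical, the sample archive is constructed, and the extent rule (an entry's data must end before the next local header or the central directory) is an assumption based on the changelog wording.

```python
import io
import struct
import zipfile

def overlapped_entries(data: bytes) -> list[str]:
    """Names of entries whose stored bytes run past the next local header
    or into the central directory (the condition gh-109858 rejects)."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        end = zf.start_dir                      # offset of the central directory
        by_offset = sorted(zf.infolist(), key=lambda z: z.header_offset)
        for info in reversed(by_offset):
            # Local header: 30 fixed bytes, name/extra lengths at +26/+28.
            name_len, extra_len = struct.unpack_from(
                "<HH", data, info.header_offset + 26)
            data_start = info.header_offset + 30 + name_len + extra_len
            if data_start + info.compress_size > end:
                flagged.append(info.filename)
            end = info.header_offset            # the entry below must stop here
    return flagged

def make_sample(overlap: bool) -> bytes:
    """Constructed test archive. With overlap=True the directory record for
    b.txt is repointed at a.txt's local header, so two entries share bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("a.txt", "alpha")
        zf.writestr("b.txt", "bravo")
    raw = bytearray(buf.getvalue())
    if overlap:
        with zipfile.ZipFile(io.BytesIO(bytes(raw))) as zf:
            # Skip the first 46-byte directory record and its file name.
            second = zf.start_dir + 46 + len("a.txt")
        assert raw[second:second + 4] == b"PK\x01\x02"
        struct.pack_into("<L", raw, second + 42, 0)  # local-header offset field
    return bytes(raw)

if __name__ == "__main__":
    print("clean archive:  ", overlapped_entries(make_sample(False)))
    print("patched archive:", overlapped_entries(make_sample(True)))
```
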