fix: add path traversal guard to updater extraction

Validates that every destination path stays within project_root before writing. Prevents a malicious zip from writing outside the project directory via ../traversal entries. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Former-commit-id: 3140416e80b1b56e4e6cccc930d11c2d5f9b1611
2026-04-28 22:18:21 +02:00 · 2026-03-14 14:48:47 -06:00
parent 95474c3ac5
commit b37bfc0162
1 changed files with 6 additions and 1 deletions
@@ -171,7 +171,12 @@ def _extract_and_copy(zip_path: str, project_root: str, temp_dir: str) -> int:
                skipped += 1
                continue

-            dst = os.path.join(project_root, rel)
+            dst = os.path.abspath(os.path.join(project_root, rel))
+            # Safety: never write outside the project root (zip path traversal)
+            if not dst.startswith(os.path.abspath(project_root)):
+                logger.warning(f"Safety skip (path traversal): {rel}")
+                skipped += 1
+                continue
            try:
                os.makedirs(os.path.dirname(dst), exist_ok=True)
                shutil.copy2(src, dst)