michael/merlyn
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix potential Zip Slip path traversal in community plugin import

Browse Source 
Validate all ZIP entries before extraction in importCommunityItemFromUrl()
to prevent path traversal attacks (CWE-22). Malicious ZIP entries with
paths like "../../" could write files outside the intended plugin folder.

Requires admin privileges and explicit opt-in to unverified hub downloads.
GHSA-rh66-4w74-cf4m
This commit is contained in:
Timothy Carambat 2026-03-13 10:18:20 -07:00
parent a207449095
commit 6a492f038d
1 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
server/utils/agents/imported.js
View File

@ -277,6 +277,17 @@ class ImportedPlugin {
// Note: https://github.com/cthackers/adm-zip?tab=readme-ov-file#electron-original-fs // Note: https://github.com/cthackers/adm-zip?tab=readme-ov-file#electron-original-fs
const AdmZip = require("adm-zip"); const AdmZip = require("adm-zip");
const zip = new AdmZip(zipFilePath); const zip = new AdmZip(zipFilePath);
// Validate all zip entries to prevent Zip Slip path traversal attacks (CWE-22)
for (const entry of zip.getEntries()) {
const entryPath = path.resolve(pluginFolder, entry.entryName);
if (!isWithin(pluginFolder, entryPath) && pluginFolder !== entryPath) {
throw new Error(
`[ImportedPlugin.importCommunityItemFromUrl]: Entry "${entry.entryName}" would extract outside plugin folder - not allowed.`
);
}
}
zip.extractAllTo(pluginFolder); zip.extractAllTo(pluginFolder);
// We want to make sure specific keys are set to the proper values for // We want to make sure specific keys are set to the proper values for