Skip to content

fix(clashapi): prevent zip slip in external UI download#4121

Closed
allanjoshuaf wants to merge 78 commits into
SagerNet:testingfrom
allanjoshuaf:test-zip-slip
Closed

fix(clashapi): prevent zip slip in external UI download#4121
allanjoshuaf wants to merge 78 commits into
SagerNet:testingfrom
allanjoshuaf:test-zip-slip

Conversation

@allanjoshuaf
Copy link
Copy Markdown

@allanjoshuaf allanjoshuaf commented May 9, 2026

Summary

Fix a Zip Slip path traversal vulnerability in downloadZIP() used by external UI downloads.

The extracted file path is now validated to ensure it remains inside the configured output directory after path normalization.

Changes

  • Added path containment validation using filepath.Clean
  • Reject ZIP entries attempting directory traversal outside the output directory
  • Added regression test covering malicious ZIP traversal entries

Testing

Added TestDownloadZIPZipSlip which:

  • creates an in-memory ZIP archive containing a traversal payload (../../../pwned.txt)
  • verifies that downloadZIP() rejects the archive
  • verifies that no file is written outside the target directory

Related: #4117

@nekohasekai
Add MAC and hostname rule items
d3575cc
@nekohasekai
Add Android support for MAC and hostname rule items
c57e864
@nekohasekai
Add macOS support for MAC and hostname rule items
1c02d7e
@nekohasekai
documentation: Update descriptions for neighbor rules
4f6d0ff
@nekohasekai
Refactor ACME support to certificate provider
83fa58f
@nekohasekai
Add BBR profile and hop interval randomization for Hysteria2
0155352
@nekohasekai
platform: Add OOM Report & Crash Report
26ddb92
@nekohasekai
Also enable certificate store by default on Apple platforms
ff94634 
`SecTrustEvaluateWithError` is serial
@nekohasekai
Add evaluate DNS rule action and related rule items
e1a7ab3
@nekohasekai
platform: Fix set local
9e8f13c
@nekohasekai
Fix deprecated warning double-formatting on localized clients
0f6d110
@nekohasekai
oom-killer: Free memory on pressure notification and use gradual inte…
5ee373c 
…rval backoff
@nekohasekai
tools: Network Quality & STUN
0b8f380
@nekohasekai
platform: Fix darwin signal handler
ccc2742
@nekohasekai
tools: Tailscale status
ce6d683
@nekohasekai
Revert "Also enable certificate store by default on Apple platforms"
a7b02f9 
This reverts commit 62cb06c.
@nekohasekai
Fix rules lock
ec75e5e
@nekohasekai
Fix darwin local DNS transport
eade677
@nekohasekai
tools: Tailscale status
524578a
@nekohasekai
Un-deprecate ip_accept_any DNS rule item
e75e1c9
@nekohasekai
documentation: Fixes
e714efa
@nekohasekai
Add package_name_regex route, DNS and headless rule item
684ba79
@nekohasekai
platform: Wrap command RPC error returns with E.Cause
012db0e
@nekohasekai
Fix lint errors
5779b46
@nekohasekai
Add cloudflared inbound
08260fa
@nekohasekai
documentation: Fix missing update for ip_version and query_type
3828b4f
@nekohasekai
Fix stun test
104c7ae
@nekohasekai
Fix darwin cgo DNS again
8fb0191
@nekohasekai
Fix tailscale error
e6f5c24
@nekohasekai
Add optimistic DNS cache
0319b22
nekohasekai and others added 21 commits April 28, 2026 08:55
@nekohasekai
Improve oom-killer
b418ee1
@nekohasekai
tun: Add read waiter support for gVisor conn
78f502d
@nekohasekai
ssh: Add cipher, MAC, and key exchange configuration
610aa94
@nekohasekai
Cleanup compatible code for legacy Go
60a5f87
@nekohasekai
dns: Add timeout configuration
1bad8d8
@nekohasekai
Bump version
abedea4
@nekohasekai
sing: Fix contentjson crash
ddc2035
@nekohasekai
Fix tailscale start dependencies
2a533b0
@nekohasekai
dns: Add neighbor-based hostname resolution to local server
e171852
@nekohasekai
dns: Add preferred_by rule item
fdec2fe
@nekohasekai
dns: Add mDNS server
98b2122
@nekohasekai
cronet: Remove additional QUIC certificate check
85889fc
@nekohasekai
Allow customizing TUN DNS mode and hijack interface DNS by default
bb60b58
@nekohasekai
Update naiveproxy to v148.0.7778.96-1
772ab58
@macronut @nekohasekai
Add more spoof method
48c65a2 
Signed-off-by: macronut <4027187+macronut@users.noreply.github.com>
@nekohasekai
Bump version
9ee56ae
@nekohasekai
release: Add replace_macos_standalone make target
0ee7592
@nekohasekai
Fix cronet close and crash
31252a7
@nekohasekai
dns: Fix deadline
228eb2d
@nekohasekai
Bump version
4807ee9
@allanjoshuaf
fix(clashapi): prevent zip slip in external UI download
7f8e31a
@nekohasekai nekohasekai force-pushed the testing branch 6 times, most recently from 057f540 to 6b07a22 Compare May 15, 2026 05:29
@allanjoshuaf
Copy link
Copy Markdown
Author

allanjoshuaf commented May 16, 2026
edited
Loading

Superseded by #4142

@allanjoshuaf allanjoshuaf mentioned this pull request May 16, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@allanjoshuaf @nekohasekai @macronut