shahondin1624/Mitgliederverwaltung
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 16 Wiki Activity

fix: reject ZIP entries with path traversal sequences (Closes #168) #181

Merged
shahondin1624 merged 1 commits from feature/issue-168-zip-path-traversal-validation into main 2026-04-10 16:20:41 +02:00
Conversation 0 Commits 1 Files Changed 1
+19 -5
shahondin1624 commented 2026-04-10 16:20:36 +02:00
Owner
Copy Link
Copy Source

Summary

  • Adds explicit path traversal validation in BundleImportService::extractCsvFiles()
  • Rejects ZIP entries containing .., or starting with / or \
  • Logs warning for each rejected entry

Test plan

  • All 1012 tests pass
  • Path traversal entries are rejected and logged

Closes #168

## Summary - Adds explicit path traversal validation in `BundleImportService::extractCsvFiles()` - Rejects ZIP entries containing `..`, or starting with `/` or `\` - Logs warning for each rejected entry ## Test plan - [x] All 1012 tests pass - [x] Path traversal entries are rejected and logged Closes #168
shahondin1624 added 1 commit 2026-04-10 16:20:36 +02:00
fix: reject ZIP entries with path traversal sequences (Closes #168) 1e8724ad9c 
BundleImportService.extractCsvFiles() now skips entries containing
'..', absolute paths starting with '/' or '\'. Logs a warning for
each rejected entry.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
shahondin1624 merged commit 9968f8c58e into main 2026-04-10 16:20:41 +02:00
shahondin1624 deleted branch feature/issue-168-zip-path-traversal-validation 2026-04-10 16:20:41 +02:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
backend
Backend / PHP work
 bug
Bug report
 database
Database migrations and schema
 documentation
Documentation
 enhancement
Enhancement or improvement
 epic
Epic / feature-group issues
 frontend
Frontend / Vue.js work
 integration
Nextcloud integrations (Calendar, Contacts, Files)
 priority:high
High priority
 priority:low
Low priority
 priority:medium
Medium priority
 security
Security-related work
 testing
Tests and test infrastructure
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
shahondin1624
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: shahondin1624/Mitgliederverwaltung#181
Delete Branch "feature/issue-168-zip-path-traversal-validation"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?