fix(core,security): safe update extraction and async bulk vk actions

2026-02-15 23:42:51 +03:00
parent c645d964bf
commit 5253c942e8
3 changed files with 224 additions and 83 deletions
--- a/services/auto_update_service.py
+++ b/services/auto_update_service.py
@@ -9,6 +9,18 @@ import zipfile


 class AutoUpdateService:
+    @staticmethod
+    def _safe_extract_zip(archive, destination_dir):
+        destination_real = os.path.realpath(destination_dir)
+        for member in archive.infolist():
+            member_name = member.filename or ""
+            if not member_name:
+                continue
+            target_path = os.path.realpath(os.path.join(destination_dir, member_name))
+            if target_path != destination_real and not target_path.startswith(destination_real + os.sep):
+                raise RuntimeError(f"Unsafe path in update archive: {member_name}")
+        archive.extractall(destination_dir)
+
    @staticmethod
    def download_update_archive(download_url, destination_path):
        request = urllib.request.Request(
@@ -215,6 +227,6 @@ class AutoUpdateService:
        cls.verify_update_checksum(zip_path, checksum_url, download_name)
        os.makedirs(unpack_dir, exist_ok=True)
        with zipfile.ZipFile(zip_path, "r") as archive:
-            archive.extractall(unpack_dir)
+            cls._safe_extract_zip(archive, unpack_dir)
        source_dir = cls.locate_extracted_root(unpack_dir)
        return work_dir, source_dir