Fix path traversal false positive: skip subst drive mapping for JVM backend

Java's getCanonicalFile() resolves subst drives inconsistently,
causing secureResolve() to falsely block valid filenames. JVM handles
long paths natively so subst is only needed for legacy UnRAR/7z.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Sucukdeluxe 2026-03-03 02:25:10 +01:00
parent 02b136dac7
commit eefb536cb3
2 changed files with 10 additions and 5 deletions


@ -1,6 +1,6 @@
{ {
"name": "real-debrid-downloader", "name": "real-debrid-downloader",
"version": "1.5.45", "version": "1.5.46",
"description": "Real-Debrid Downloader Desktop (Electron + React + TypeScript)", "description": "Real-Debrid Downloader Desktop (Electron + React + TypeScript)",
"main": "build/main/main/main.js", "main": "build/main/main/main.js",
"author": "Sucukdeluxe", "author": "Sucukdeluxe",


@ -1151,9 +1151,10 @@ async function runExternalExtract(
await fs.promises.mkdir(targetDir, { recursive: true }); await fs.promises.mkdir(targetDir, { recursive: true });
// On Windows, long targetDir + archive internal paths can exceed MAX_PATH (260 chars). // On Windows, long targetDir + archive internal paths can exceed MAX_PATH (260 chars).
// Use "subst" to map the targetDir to a short drive letter for the extraction process. // Use "subst" to map the targetDir to a short drive letter for the legacy extraction process.
const subst = createSubstMapping(targetDir); // JVM does NOT use subst — Java handles long paths natively and subst causes
const effectiveTargetDir = subst ? `${subst.drive}:` : targetDir; // false-positive path traversal errors in secureResolve (getCanonicalFile inconsistency).
let subst: SubstMapping | null = null;
try { try {
if (backendMode !== "legacy") { if (backendMode !== "legacy") {
@ -1169,7 +1170,7 @@ async function runExternalExtract(
const jvmResult = await runJvmExtractCommand( const jvmResult = await runJvmExtractCommand(
layout, layout,
archivePath, archivePath,
effectiveTargetDir, targetDir,
conflictMode, conflictMode,
passwordCandidates, passwordCandidates,
onArchiveProgress, onArchiveProgress,
@ -1196,6 +1197,10 @@ async function runExternalExtract(
} }
} }
// subst only needed for legacy UnRAR/7z (MAX_PATH limit)
subst = createSubstMapping(targetDir);
const effectiveTargetDir = subst ? `${subst.drive}:` : targetDir;
const command = await resolveExtractorCommand(); const command = await resolveExtractorCommand();
const password = await runExternalExtractInner( const password = await runExternalExtractInner(
command, command,
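Review bot: The legacy branch at the end of this section still extracts into the subst alias (`effectiveTargetDir` is `${subst.drive}:`), and the new comments explain only why the JVM call now receives `targetDir`; nothing here documents what keeps archive entries inside the target on the legacy path. The commit message places secureResolve on the Java side, so as far as these hunks show, UnRAR/7z output under the drive alias has no equivalent containment check. Any later comparison of extracted paths against `targetDir` would presumably hit the same alias mismatch this commit works around. I would extend the comment before `subst = createSubstMapping(targetDir);` to say so, for example `// legacy only: entries land under the subst alias; map extractor-reported paths back to targetDir before any containment check`. The rest of runExternalExtract, including wherever `subst` is released, lies outside the visible hunks, so this should be confirmed against the full function.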