Fix path traversal false positive: skip subst drive mapping for JVM backend

Java's getCanonicalFile() resolves subst drives inconsistently, causing secureResolve() to falsely block valid filenames. JVM handles long paths natively so subst is only needed for legacy UnRAR/7z. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-03 02:25:10 +01:00 · 2026-03-03 02:25:10 +01:00 · eefb536cb3
commit eefb536cb3
parent 02b136dac7
2 changed files with 10 additions and 5 deletions
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "real-debrid-downloader",
-  "version": "1.5.45",
+  "version": "1.5.46",
  "description": "Real-Debrid Downloader Desktop (Electron + React + TypeScript)",
  "main": "build/main/main/main.js",
  "author": "Sucukdeluxe",
--- a/src/main/extractor.ts
+++ b/src/main/extractor.ts
@ -1151,9 +1151,10 @@ async function runExternalExtract(
  await fs.promises.mkdir(targetDir, { recursive: true });

  // On Windows, long targetDir + archive internal paths can exceed MAX_PATH (260 chars).
-  // Use "subst" to map the targetDir to a short drive letter for the extraction process.
-  const subst = createSubstMapping(targetDir);
-  const effectiveTargetDir = subst ? `${subst.drive}:` : targetDir;
+  // Use "subst" to map the targetDir to a short drive letter for the legacy extraction process.
+  // JVM does NOT use subst — Java handles long paths natively and subst causes
+  // false-positive path traversal errors in secureResolve (getCanonicalFile inconsistency).
+  let subst: SubstMapping | null = null;

  try {
    if (backendMode !== "legacy") {
@ -1169,7 +1170,7 @@ async function runExternalExtract(
        const jvmResult = await runJvmExtractCommand(
          layout,
          archivePath,
-          effectiveTargetDir,
+          targetDir,
          conflictMode,
          passwordCandidates,
          onArchiveProgress,
@ -1196,6 +1197,10 @@ async function runExternalExtract(
      }
    }

+    // subst only needed for legacy UnRAR/7z (MAX_PATH limit)
+    subst = createSubstMapping(targetDir);
+    const effectiveTargetDir = subst ? `${subst.drive}:` : targetDir;
+
    const command = await resolveExtractorCommand();
    const password = await runExternalExtractInner(
      command,