DevToys-app
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎.gitignore‎
Lines changed: 4 additions & 1 deletion b/‎.gitignore‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎src/Directory.Packages.props‎
Lines changed: 1 addition & 1 deletion b/‎src/Directory.Packages.props‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/app/dev/DevToys.Blazor/BuiltInTools/ExtensionsManager/ExtensionInstallationManager.cs‎
Lines changed: 14 additions & 3 deletions b/‎src/app/dev/DevToys.Blazor/BuiltInTools/ExtensionsManager/ExtensionInstallationManager.cs‎
Lines changed: 14 additions & 3 deletions
diff --git a/‎src/app/dev/DevToys.Blazor/BuiltInTools/ExtensionsManager/ExtensionInstallationResult.cs‎
Lines changed: 20 additions & 1 deletion b/‎src/app/dev/DevToys.Blazor/BuiltInTools/ExtensionsManager/ExtensionInstallationResult.cs‎
Lines changed: 20 additions & 1 deletion
@@ -38,13 +38,13 @@ jobs:
         run: ./build.cmd RunTests
   macos-latest:
     name: macOS
-    runs-on: macos-14
+    runs-on: macos-15
     timeout-minutes: 30
     steps:
-      - name: Set to use Xcode 15.1
+      - name: Set to use Xcode 26.1.1
         uses: maxim-lobanov/setup-xcode@v1
         with:
-          xcode-version: '15.1'
+          xcode-version: '26.1.1'
       - uses: actions/checkout@v3
       - name: 'Cache: .nuke/temp, ~/.nuget/packages'
         uses: actions/cache@v3
 
@@ -441,4 +441,7 @@ bld/
 [Oo]bj/
 # [Oo]ut/
 [Ll]og/
-[Ll]ogs/
+[Ll]ogs/
+
+# TestData
+!**/**/TestData/**
@@ -34,7 +34,7 @@
     <PackageVersion Include="NuGet.Packaging" Version="6.9.1" />
     <PackageVersion Include="Nuke.Common" Version="8.0.0" />
     <PackageVersion Include="OneOf" Version="3.0.271" />
-    <PackageVersion Include="SixLabors.ImageSharp" Version="3.1.5" />
+    <PackageVersion Include="SixLabors.ImageSharp" Version="3.1.12" />
     <PackageVersion Include="System.Text.Json" Version="8.0.5" />
     <PackageVersion Include="System.CommandLine" Version="2.0.0-beta4.22272.1" />
     <PackageVersion Include="System.ComponentModel.Composition" Version="$(DotNetVersion)" />
 
@@ -98,7 +98,7 @@ internal static async Task<ExtensionInstallationResult> InstallExtensionAsync(Sa
             if (Directory.Exists(potentialExtensionInstallationPath))
             {
                 // Extension is already installed.
-                return new(AlreadyInstalled: true, nuspecReader, ExtensionInstallationPath: string.Empty);
+                return new(true, nuspecReader, string.Empty);
             }
         }
 
@@ -112,11 +112,22 @@ string extensionInstallationPath
         {
             if (!pathToExclude.Any(path => packagedFile.Contains(path, StringComparison.CurrentCultureIgnoreCase)))
             {
-                reader.ExtractFile(packagedFile, Path.Combine(extensionInstallationPath, packagedFile), null);
+                // Security: Prevent path traversal vulnerability (CWE-22 & CWE-23).
+                string fullTargetPath = Path.GetFullPath(Path.Combine(extensionInstallationPath, packagedFile));
+                string fullPluginPath = Path.GetFullPath(extensionInstallationPath);
+
+                if (!fullTargetPath.StartsWith(fullPluginPath + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase))
+                {
+                    Directory.Delete(extensionInstallationPath, true);
+                    logger.LogCritical("Security violation: Extension '{packagedFile}' contains path traversal sequence", nuspecReader.GetId());
+                    return new(nuspecReader, $"Security violation: Extension '{nuspecReader.GetId()}' contains path traversal sequence");
+                }
+
+                reader.ExtractFile(packagedFile, fullTargetPath, null);
             }
         }
 
-        return new(AlreadyInstalled: false, nuspecReader, extensionInstallationPath);
+        return new(false, nuspecReader, extensionInstallationPath);
     }
 
     internal static async Task<bool> CheckForAnyUpdateAsync(IWebClientService webClientService)
 
@@ -2,6 +2,25 @@
 
 namespace DevToys.Blazor.BuiltInTools.ExtensionsManager;
 
-internal record ExtensionInstallationResult(bool AlreadyInstalled, NuspecReader NuspecReader, string ExtensionInstallationPath)
+internal class ExtensionInstallationResult
 {
+    internal bool HasSucceeded => string.IsNullOrWhiteSpace(ErrorMessage);
+    internal bool AlreadyInstalled { get; }
+    internal NuspecReader NuspecReader { get; }
+    internal string ExtensionInstallationPath { get; } = string.Empty;
+    internal string ErrorMessage { get; } = string.Empty;
+
+    internal ExtensionInstallationResult(NuspecReader nuspecReader, string errorMessage)
+    {
+        ErrorMessage = errorMessage;
+        NuspecReader = nuspecReader;
+    }
+
+    internal ExtensionInstallationResult(bool alreadyInstalled, NuspecReader nuspecReader, string extensionInstallationPath)
+    {
+        AlreadyInstalled = alreadyInstalled;
+        NuspecReader = nuspecReader;
+        ExtensionInstallationPath = extensionInstallationPath;
+    }
 }
+
Original file line number	Diff line number	Diff line change
`@@ -98,7 +98,7 @@ internal static async Task<ExtensionInstallationResult> InstallExtensionAsync(Sa`
`98`	`98`	`if (Directory.Exists(potentialExtensionInstallationPath))`
`99`	`99`	`{`
`100`	`100`	`// Extension is already installed.`
`101`		`- return new(AlreadyInstalled: true, nuspecReader, ExtensionInstallationPath: string.Empty);`
	`101`	`+ return new(true, nuspecReader, string.Empty);`
`102`	`102`	`}`
`103`	`103`	`}`
`104`	`104`
`@@ -112,11 +112,22 @@ string extensionInstallationPath`
`112`	`112`	`{`
`113`	`113`	`if (!pathToExclude.Any(path => packagedFile.Contains(path, StringComparison.CurrentCultureIgnoreCase)))`
`114`	`114`	`{`
`115`		`- reader.ExtractFile(packagedFile, Path.Combine(extensionInstallationPath, packagedFile), null);`
	`115`	`+ // Security: Prevent path traversal vulnerability (CWE-22 & CWE-23).`
	`116`	`+ string fullTargetPath = Path.GetFullPath(Path.Combine(extensionInstallationPath, packagedFile));`
	`117`	`+ string fullPluginPath = Path.GetFullPath(extensionInstallationPath);`
	`118`	`+`
	`119`	`+ if (!fullTargetPath.StartsWith(fullPluginPath + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase))`
	`120`	`+ {`
	`121`	`+ Directory.Delete(extensionInstallationPath, true);`
	`122`	`+ logger.LogCritical("Security violation: Extension '{packagedFile}' contains path traversal sequence", nuspecReader.GetId());`
	`123`	`+ return new(nuspecReader, $"Security violation: Extension '{nuspecReader.GetId()}' contains path traversal sequence");`
	`124`	`+ }`
	`125`	`+`
	`126`	`+ reader.ExtractFile(packagedFile, fullTargetPath, null);`
`116`	`127`	`}`
`117`	`128`	`}`
`118`	`129`
`119`		`- return new(AlreadyInstalled: false, nuspecReader, extensionInstallationPath);`
	`130`	`+ return new(false, nuspecReader, extensionInstallationPath);`
`120`	`131`	`}`
`121`	`132`
`122`	`133`	`internal static async Task<bool> CheckForAnyUpdateAsync(IWebClientService webClientService)`