Collaborator

@btiteux btiteux commented Jan 8, 2026

Pull request type

Please check the type of change your PR introduces:

  • Bugfix
  • New feature or enhancement
  • UI change (please include screenshot!)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • Documentation content changes
  • Internationalization and localization
  • Other (please describe):

What is the current behavior?

The current build of DevToys allows the following vulnerability:

Issue Number: #1641

What is the new behavior?

The extensions manager will now check the package path and will not install the malicious package.

Quality check

Before creating this PR:

  • Did you follow the code style guideline as described in CONTRIBUTING.md?
  • Did you build the app and test your changes?
  • Did you check for accessibility? On Windows, you can use Accessibility Insights for this.
  • Did you verify that the change works in Release build configuration?
  • Did you verify that all unit tests pass?
  • If necessary and if possible, did you verify your changes on:
    • Windows
    • macOS
    • Linux

@btiteux btiteux force-pushed the feature/cwe-22-23-fix branch from 888a485 to bbe87c3 Compare January 8, 2026 18:21
@veler veler merged commit 02fb7d4 into main Jan 8, 2026
3 checks passed
@veler veler deleted the feature/cwe-22-23-fix branch January 8, 2026 21:23
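
The kind of package-path check the description above refers to, as an added C# example (not the DevToys code from this PR). It assumes an extension package is a zip archive; `SafePackageExtractor`, `Extract`, `Resolve` and the sample entry names are hypothetical.

```csharp
using System;
using System.IO;
using System.IO.Compression;
static class SafePackageExtractor
{
    // Hypothetical helper: validates every entry before anything is written to disk.
    public static void Extract(Stream package, string installDir)
    {
        string root = Path.GetFullPath(installDir);
        if (!root.EndsWith(Path.DirectorySeparatorChar)) root += Path.DirectorySeparatorChar;
        using var archive = new ZipArchive(package, ZipArchiveMode.Read);
        // Pass 1: reject the whole package if any entry resolves outside the install root.
        foreach (ZipArchiveEntry entry in archive.Entries)
            if (!Resolve(root, entry).StartsWith(root, StringComparison.Ordinal))
                throw new InvalidDataException("Entry escapes install directory: " + entry.FullName);
        // Pass 2: only now touch the file system.
        foreach (ZipArchiveEntry entry in archive.Entries)
        {
            string target = Resolve(root, entry);
            if (entry.Name.Length == 0) { Directory.CreateDirectory(target); continue; } // directory entry
            Directory.CreateDirectory(Path.GetDirectoryName(target)!);
            entry.ExtractToFile(target, overwrite: false);
        }
    }
    // Canonicalise root + entry name so "..", absolute paths and mixed separators are resolved.
    static string Resolve(string root, ZipArchiveEntry entry) =>
        Path.GetFullPath(Path.Combine(root, entry.FullName));
}
static class Demo
{
    // Constructed sample input: an in-memory zip containing the given entry names.
    static MemoryStream BuildZip(params string[] names)
    {
        var ms = new MemoryStream();
        using (var zip = new ZipArchive(ms, ZipArchiveMode.Create, leaveOpen: true))
            foreach (string name in names)
                using (var w = new StreamWriter(zip.CreateEntry(name).Open())) w.Write("demo");
        ms.Position = 0; return ms;
    }
    static void Main()
    {
        string dir = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());
        SafePackageExtractor.Extract(BuildZip("lib/ext.dll"), dir);
        Console.WriteLine("clean package installed: " + File.Exists(Path.Combine(dir, "lib", "ext.dll")));
        try { SafePackageExtractor.Extract(BuildZip("lib/ok.dll", "../../outside.dll"), dir); }
        catch (InvalidDataException e) { Console.WriteLine("rejected: " + e.Message); }
        Console.WriteLine("partial install left behind: " + File.Exists(Path.Combine(dir, "lib", "ok.dll")));
    }
}
```

Validating all entries before extracting any means a package with one bad entry leaves nothing on disk. The prefix comparison is made against the root with a trailing separator so that a sibling directory sharing the same name prefix does not pass.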
Development

Successfully merging this pull request may close these issues.

Critical Path Traversal (Zip Slip) Vulnerability in DevToys Extension Installation.

2 participants