[Fix] AI suggestions #9298

.cspell.json

@@ -807,8 +807,11 @@
 		"prepopulate",
 		"prepopulates",
 		"prepopulation",
-		"Liskov"
-		"Zrdm"
+		"Liskov",
+		"Zrdm",
+		"backoff",
+		"autodrain",
+		"pluginname"
 	],
 	"useGitignore": true,
 	"ignorePaths": [

packages/desktop-lib/src/lib/plugin-system/data-access/strategies/cdn-download.strategy.ts

@@ -296,8 +296,10 @@
 			let totalSize = 0;
 
 			await new Promise<void>((resolve, reject) => {
+				const baseExtractPath = path.resolve(extractDir);
+
 				createReadStream(filePath)
 					.pipe(unzipper.Parse())
 					.on('entry', (entry: any) => {
 						const { path: entryPath, type, size } = entry;
 
@@ -327,12 +329,31 @@
 						}
 
 						const fullPath = path.join(extractDir, entryPath);
+						const resolvedFullPath = path.resolve(fullPath);
+
+						// Additional Security: Ensure resolved path is within extraction directory
+						if (
+							!resolvedFullPath.startsWith(baseExtractPath + path.sep) &&
+							resolvedFullPath !== baseExtractPath
+						) {
+							logger.warn(`Resolved path escapes extract directory, skipping: ${entryPath}`);
+							entry.autodrain();
+							return;
+						}
 
 						if (type === 'Directory') {
 							entry.autodrain();
 						} else {
-							// Extract file
-							entry.pipe(createWriteStream(fullPath));
+							// Ensure directory exists before writing file
+							fs.mkdir(path.dirname(resolvedFullPath), { recursive: true })
+								.then(() => {
+									// Extract file
+									entry.pipe(createWriteStream(resolvedFullPath));
+								})
+								.catch((err) => {
+									logger.error(`Failed to create directory for ${resolvedFullPath}: ${err.message}`);
+									entry.autodrain();
+								});
 						}
 					})
 					.on('close', resolve)
@@ -415,10 +436,36 @@
 	/**
 	 * Validates that a file path is safe and doesn't attempt path traversal
 	 */
-	private isSafePath(basePath: string, filePath: string): boolean {
-		const resolvedPath = path.resolve(basePath, filePath);
-		const normalizedBase = path.normalize(basePath);
-		return resolvedPath.startsWith(normalizedBase);
+	private isSafePath(rootDir: string, entryPath: string): boolean {
+		if (!entryPath) {
+			return false;
+		}
+
+		// Normalize entry path separators
+		const normalizedEntry = entryPath.replace(/\\/g, '/');
+
+		// Disallow absolute paths and drive letters
+		if (path.isAbsolute(normalizedEntry)) {
+			return false;
+		}
+		if (/^[a-zA-Z]:/.test(normalizedEntry)) {
+			return false;
+		}
+
+		// Resolve the full path and ensure it stays within rootDir
+		const resolvedRoot = path.resolve(rootDir);
+		const resolvedTarget = path.resolve(rootDir, normalizedEntry);
+
+		// Ensure the resolved target is within the resolved root directory
+		if (resolvedTarget === resolvedRoot) {
+			return false;
+		}
+
+		if (!resolvedTarget.startsWith(resolvedRoot + path.sep)) {
+			return false;
+		}
+
+		return true;
 	}
 
 	/**

packages/plugins/registry/src/lib/domain/services/plugin-category.service.ts

@@ -172,10 +172,8 @@ export class PluginCategoryService extends TenantAwareCrudService<PluginCategory
 	): Promise<string> {
 		let baseSlug = name
 			.toLowerCase()
-			.replace(/[^a-z0-9\s-]/g, '')
-			.replace(/\s+/g, '-')
-			.replace(/-+/g, '-')
-			.replace(/^-+|-+$/g, '');
+			.replace(/[^a-z0-9]+/g, '-')
+			.replace(/^-|-$/g, '');
 
 		let slug = baseSlug;
 		let counter = 1;

packages/plugins/registry/src/lib/domain/services/plugin-subscription-plan.service.ts

@@ -369,7 +369,7 @@ export class PluginSubscriptionPlanService extends CrudService<PluginSubscriptio
 			return count > 0;
 		} catch (error) {
 			// If there's an error checking, default to false (treat as free plugin)
-			console.error(`Error checking if plugin ${pluginId} requires subscription:`, error);
+			console.error('Error checking if plugin %s requires subscription:', pluginId, error);
 			return false;
 		}
 	}