Changelog
zvm (Zig Version Manager) lets you easily install/upgrade between different versions of Zig.
Full Changelog: https://github.com/tristanisham/zvm/compare/v0.8.10...v0.8.11
feat(security): Implement robust path and archive extraction safeguards
This commit addresses several security vulnerabilities related to path traversal and insecure archive extraction.
Introduced os.OpenRoot for file system operations in getVersion and Uninstall functions. This confines all file access to the designated base directory, effectively mitigating path traversal vulnerabilities that could lead to:
arbitrary code execution (via zvm use / run / sync)
arbitrary file deletion (via zvm uninstall)
Enhanced the untar function with explicit path validation using filepath.Abs and strings.HasPrefix. This ensures that files extracted during the upgrade process cannot be written outside the intended temporary directory, protecting against arbitrary file writes from a malicious tarball.
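The extraction safeguard described above, written out as an added example; this is not zvm's own untar code, and the names (IsWithin, SafeExtractTar, BuildSampleTar, ErrUnsafePath) and the constructed sample archive are this example's own. It applies the same filepath.Abs plus strings.HasPrefix check to every entry before anything touches the disk, stops at the first entry that would escape, and refuses link entries, since a lexical prefix check cannot see where a link points. It needs Go 1.20 or later for tar.ErrInsecurePath.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned when an archive entry would land outside the destination.
// Example code, not zvm's; the names here are this example's own.
var ErrUnsafePath = errors.New("archive entry escapes destination directory")

// IsWithin reports whether target, made absolute and cleaned, lies inside base.
// A separator is appended to base so that "/tmp/dest2" is not accepted as a child
// of "/tmp/dest", which a bare strings.HasPrefix on the two paths would allow.
func IsWithin(base, target string) (bool, error) {
	absBase, err := filepath.Abs(base)
	if err != nil {
		return false, err
	}
	absTarget, err := filepath.Abs(target)
	if err != nil {
		return false, err
	}
	if absTarget == absBase {
		return true, nil
	}
	return strings.HasPrefix(absTarget, absBase+string(os.PathSeparator)), nil
}

// SafeExtractTar unpacks directories and regular files from r into dest and returns
// the entry names it wrote. It stops at the first entry whose resolved path is outside
// dest, and rejects symlink/hard-link entries outright: the lexical check above cannot
// see where a link points, so permitting links would reopen the escape it closes.
func SafeExtractTar(r io.Reader, dest string) ([]string, error) {
	var written []string
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, nil
		}
		// Go 1.20+ can flag traversal itself (GODEBUG tarinsecurepath=0); the header is
		// still returned in that case, so fall through to our own check and reject there.
		if err != nil && !errors.Is(err, tar.ErrInsecurePath) {
			return written, err
		}
		target := filepath.Join(dest, hdr.Name)
		if ok, err := IsWithin(dest, target); err != nil {
			return written, err
		} else if !ok {
			return written, fmt.Errorf("%w: %q", ErrUnsafePath, hdr.Name)
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			if err := os.MkdirAll(target, 0o755); err != nil {
				return written, err
			}
		case tar.TypeReg:
			if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
				return written, err
			}
			mode := os.FileMode(hdr.Mode) & 0o777
			f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, mode)
			if err != nil {
				return written, err
			}
			_, err = io.Copy(f, tr)
			f.Close()
			if err != nil {
				return written, err
			}
		default:
			return written, fmt.Errorf("%w: unsupported entry type %d for %q", ErrUnsafePath, hdr.Typeflag, hdr.Name)
		}
		written = append(written, hdr.Name)
	}
}

// BuildSampleTar constructs, in memory and only for this example, an archive holding
// one benign directory, one benign file, and one "../" traversal entry of the kind a
// tampered download could carry.
func BuildSampleTar() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	entries := []struct {
		name, body string
		typ        byte
		mode       int64
	}{
		{"zig-linux-x86_64/", "", tar.TypeDir, 0o755},
		{"zig-linux-x86_64/README.md", "benign entry\n", tar.TypeReg, 0o644},
		{"../escape.txt", "written outside the temp dir\n", tar.TypeReg, 0o644},
	}
	for _, e := range entries {
		hdr := &tar.Header{Name: e.name, Mode: e.mode, Size: int64(len(e.body)), Typeflag: e.typ}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write([]byte(e.body)); err != nil {
			panic(err)
		}
	}
	tw.Close()
	return buf.Bytes()
}

func main() {
	dest, err := os.MkdirTemp("", "zvm-example-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dest)
	written, err := SafeExtractTar(bytes.NewReader(BuildSampleTar()), dest)
	fmt.Println("written:", written)
	fmt.Println("stopped with:", err) // the "../escape.txt" entry triggers ErrUnsafePath
}
```

Two caveats worth keeping in mind when reviewing a check like this. First, the trailing separator in IsWithin matters: comparing the bare absolute strings would let a sibling directory that merely shares a prefix pass. Second, a lexical check only reasons about names, not about what is already on disk; os.OpenRoot (Go 1.24 and later), which the commit uses for getVersion and Uninstall, has the kernel enforce confinement even through symlinks, which is why this example refuses link entries rather than trying to validate them by string comparison.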