fix(extensions): harden GitHub extension installs#138

Merged
lightningpixel merged 2 commits into lightningpixel:dev from DrHepa:fix/github-extension-install-security on May 11, 2026
Conversation

@DrHepa DrHepa commented May 10, 2026

Contributor

Summary

  • Add strict extension ID validation and canonical root confinement for GitHub install, repair, and uninstall paths.
  • Roll back failed GitHub installs so broken extensions are not left in the final extensions directory.

Security context

This addresses local filesystem safety around GitHub extension installation. I am intentionally keeping the report concise here and can share additional details privately if preferred.

Changes

| File | Change |
| --- | --- |
| electron/main/extension-path-guard.ts | Adds reusable extension ID validation and root-confined path resolution helpers. |
| electron/main/extension-path-guard.test.ts | Covers valid IDs, traversal attempts, absolute paths, separators, and backup path confinement. |
| electron/main/ipc-handlers.ts | Applies guarded paths to install/repair/uninstall and restores/removes failed installs. |

Test Plan

  • node --test electron/main/extension-path-guard.test.ts
  • Attempted tsc --noEmit -p tsconfig.node.json; current upstream branch fails on pre-existing electron/main/python-bridge.ts nullability errors unrelated to this patch.
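The two defensive checks the PR description names, strict extension ID validation and canonical root confinement of the resulting install, repair, uninstall and backup paths, in an added example. This is illustrative code written for this page, not the contents of electron/main/extension-path-guard.ts or any other file in the repository; the ID policy (`EXTENSION_ID_RE`), the `.backup` directory name and the function names are assumptions chosen for the example.

```typescript
// Added example (not the project's code): validate an extension ID, then
// resolve it under a canonical extensions root and refuse anything that
// would escape that root. Both checks are needed: the ID filter rejects the
// obvious traversal and separator cases up front, and the containment check
// on the resolved path is the backstop if the ID policy is ever loosened.
import * as path from "node:path";

// Assumed ID policy: starts with an alphanumeric, then a short slug of
// alphanumerics, dots, underscores and dashes. This excludes "/" and "\",
// so separators, absolute paths and ".." cannot appear in a valid ID.
const EXTENSION_ID_RE = /^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/;

export function isValidExtensionId(id: string): boolean {
  return typeof id === "string" && EXTENSION_ID_RE.test(id);
}

// Resolve `id` beneath `root` and verify the result is a strict child of the
// canonical root. Throws on an invalid ID or on a path that escapes the root.
export function resolveConfined(root: string, id: string): string {
  if (!isValidExtensionId(id)) {
    throw new Error(`invalid extension id: ${JSON.stringify(id)}`);
  }
  const canonicalRoot = path.resolve(root);
  const candidate = path.resolve(canonicalRoot, id);
  const rel = path.relative(canonicalRoot, candidate);
  // A confined path has a non-empty relative component that does not start
  // with ".." and is not absolute (the latter can happen on Windows when the
  // candidate lands on a different drive).
  const escapes =
    rel === "" ||
    rel === ".." ||
    rel.startsWith(".." + path.sep) ||
    path.isAbsolute(rel);
  if (escapes) {
    throw new Error(`path escapes extensions root: ${candidate}`);
  }
  return candidate;
}

// Non-throwing variant for call sites that prefer to branch on null.
export function tryResolveConfined(root: string, id: string): string | null {
  try {
    return resolveConfined(root, id);
  } catch {
    return null;
  }
}

// An install plan pairs the final target with the backup location used for
// rollback; both are confined to the same root so a failed install can only
// ever restore or remove directories beneath it. The ".backup" directory
// name is an assumption of this example.
export interface InstallPlan {
  target: string;
  backup: string;
}

export function planInstall(root: string, id: string): InstallPlan {
  const target = resolveConfined(root, id);
  const backupRoot = path.join(path.resolve(root), ".backup");
  const backup = resolveConfined(backupRoot, id);
  return { target, backup };
}
```

A caller in the install handler would compute `planInstall(extensionsRoot, id)` once, copy the existing directory to `backup` before overwriting `target`, and on failure restore from `backup` or remove `target`; every path it touches has already passed the containment check, so a crafted ID cannot redirect the restore or removal outside the extensions root.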

@lightningpixel lightningpixel merged commit e99d53d into lightningpixel:dev May 11, 2026