fix: prevent zip slip attacks in DXT unpack function

CLI.md

@@ -157,10 +157,12 @@ dxt unsign my-extension.dxt
 For signing extensions, you need:
 
 1. **Certificate**: X.509 certificate in PEM format
+
    - Should have Code Signing extended key usage
    - Can be self-signed (for development) or CA-issued (for production)
 
 2. **Private Key**: Corresponding private key in PEM format
+
    - Must match the certificate's public key
 
 3. **Intermediate Certificates** (optional): For CA-issued certificates

MANIFEST.md

@@ -290,12 +290,14 @@ The `server` object defines how to run the MCP server:
 ### Server Types
 
 1. **Python**: `server.type = "python"`
+
    - Requires `entry_point` to Python file
    - All dependencies must be bundled in the DXT
    - Can use `server/lib` for packages or `server/venv` for full virtual environment
    - Python runtime version specified in `compatibility.runtimes.python`
 
 2. **Node.js**: `server.type = "node"`
+
    - Requires `entry_point` to JavaScript file
    - All dependencies must be bundled in `node_modules`
    - Node.js runtime version specified in `compatibility.runtimes.node`

src/cli/unpack.ts

@@ -1,6 +1,6 @@
 import { unzipSync } from "fflate";
 import { chmodSync, existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
-import { join, resolve } from "path";
+import { join, resolve, sep } from "path";
 
 import { extractSignatureBlock } from "../node/sign.js";
 import { getLogger } from "../shared/log.js";
@@ -41,7 +41,7 @@
     if (isUnix) {
       // Parse ZIP central directory to extract file attributes
       const zipBuffer = originalContent;
 
       // Find end of central directory record
       let eocdOffset = -1;
       for (let i = zipBuffer.length - 22; i >= 0; i--) {
@@ -54,21 +54,21 @@
       if (eocdOffset !== -1) {
         const centralDirOffset = zipBuffer.readUInt32LE(eocdOffset + 16);
         const centralDirEntries = zipBuffer.readUInt16LE(eocdOffset + 8);
 
         let offset = centralDirOffset;
 
         for (let i = 0; i < centralDirEntries; i++) {
           if (zipBuffer.readUInt32LE(offset) === 0x02014b50) {
             const externalAttrs = zipBuffer.readUInt32LE(offset + 38);
             const filenameLength = zipBuffer.readUInt16LE(offset + 28);
             const filename = zipBuffer.toString('utf8', offset + 46, offset + 46 + filenameLength);
 
             // Extract Unix permissions from external attributes (upper 16 bits)
             const mode = (externalAttrs >> 16) & 0o777;
             if (mode > 0) {
               fileAttributes.set(filename, mode);
             }
 
             const extraFieldLength = zipBuffer.readUInt16LE(offset + 30);
             const commentLength = zipBuffer.readUInt16LE(offset + 32);
             offset += 46 + filenameLength + extraFieldLength + commentLength;
@@ -85,6 +85,17 @@
       if (Object.prototype.hasOwnProperty.call(decompressed, relativePath)) {
         const data = decompressed[relativePath];
         const fullPath = join(finalOutputDir, relativePath);
+
+        // Prevent zip slip attacks by validating the resolved path
+        const normalizedPath = resolve(fullPath);
+        const normalizedOutputDir = resolve(finalOutputDir);
+        if (
+          !normalizedPath.startsWith(normalizedOutputDir + sep) &&
+          normalizedPath !== normalizedOutputDir
+        ) {
+          throw new Error(`Path traversal attempt detected: ${relativePath}`);
+        }
+
         const dir = join(fullPath, "..");
         if (!existsSync(dir)) {
           mkdirSync(dir, { recursive: true });