Summary
The backup restore flow in ServerBackupManagerImpl.kt (lines 119-186) has a critical security vulnerability:
- Line 138:
cleanupPluginsDir(pluginsDir) β deletes all plugins
- Lines 150-152: Validates each ZIP entry with
startsWith() check (Zip Slip protection)
The problem: if the ZIP contains a malicious entry, legitimate plugins are already deleted before the validation catches it. A corrupt or malicious ZIP will leave the server with no plugins at all.
Additional concern: startsWith() path check
The Zip Slip protection uses canonicalPath.startsWith(pluginsDirCanonical), but sibling path attacks may bypass simple prefix matching without a trailing separator check.
Suggested Fix
- Validate first: Iterate all ZIP entries and validate paths BEFORE any destructive operation
- Extract to temp directory: Extract to a temp directory, verify all files, then atomically swap with the plugins directory
- Strengthen path check: Use
pluginsDirCanonical + File.separator as the prefix to prevent sibling directory traversal
Impact
- A corrupt backup ZIP will destroy the running server's plugins directory
- Potential path traversal attack vector
Summary
The backup restore flow in
ServerBackupManagerImpl.kt(lines 119-186) has a critical security vulnerability:cleanupPluginsDir(pluginsDir)β deletes all pluginsstartsWith()check (Zip Slip protection)The problem: if the ZIP contains a malicious entry, legitimate plugins are already deleted before the validation catches it. A corrupt or malicious ZIP will leave the server with no plugins at all.
Additional concern: startsWith() path check
The Zip Slip protection uses
canonicalPath.startsWith(pluginsDirCanonical), but sibling path attacks may bypass simple prefix matching without a trailing separator check.Suggested Fix
pluginsDirCanonical + File.separatoras the prefix to prevent sibling directory traversalImpact