From e4826547f384a64f6bc4ac67c92c3ea317bc999c Mon Sep 17 00:00:00 2001
From: orbisai0security
Date: Thu, 5 Feb 2026 06:37:53 +0000
Subject: [PATCH] fix: resolve critical vulnerability V-001
Automatically generated security fix
---
RevokeMsgPatcher/Forms/FormLiteLoaderQQNT.cs | 21 ++++++++++++++++++++
RevokeMsgPatcher/Model/LiteLoaderRowData.cs | 19 ++++++++++++++++++
2 files changed, 40 insertions(+)
diff --git a/RevokeMsgPatcher/Forms/FormLiteLoaderQQNT.cs b/RevokeMsgPatcher/Forms/FormLiteLoaderQQNT.cs
index 159e663..c9b59f8 100644
--- a/RevokeMsgPatcher/Forms/FormLiteLoaderQQNT.cs
+++ b/RevokeMsgPatcher/Forms/FormLiteLoaderQQNT.cs
@@ -7,6 +7,7 @@ using System.Data;
 using System.Diagnostics;
 using System.IO;
 using System.Linq;
+using System.Security;
 using System.Text;
 using System.Threading.Tasks;
 using System.Windows.Forms;
@@ -221,6 +222,16 @@ namespace RevokeMsgPatcher.Forms
 private void RestoreDll(string installPath)
 {
 string destPath = Path.Combine(installPath, "dbghelp.dll");
+
+ // Validate that the path is safe and within expected directory
+ string normalizedDestPath = Path.GetFullPath(destPath);
+ string normalizedInstallPath = Path.GetFullPath(installPath);
+
+ if (!normalizedDestPath.StartsWith(normalizedInstallPath, StringComparison.OrdinalIgnoreCase))
+ {
+ throw new SecurityException("Invalid file path detected. Path traversal attempt blocked.");
+ }
+ + if (File.Exists(destPath))
 {
 File.Delete(destPath);
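Review bot: The guard added after `string destPath = Path.Combine(installPath, "dbghelp.dll");` cannot reject anything: destPath is installPath plus a constant file name, so normalizedDestPath always starts with normalizedInstallPath, and whatever validation installPath needs has to happen where it is produced (the caller is outside this hunk). As a general containment check the bare prefix comparison is also too loose, since a sibling directory whose name merely extends the install directory's name passes it; compare against the base with a trailing separator, `string basePrefix = normalizedInstallPath.TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar) + Path.DirectorySeparatorChar;` followed by `if (!normalizedDestPath.StartsWith(basePrefix, StringComparison.OrdinalIgnoreCase))`. The same prefix comparison appears in the hunk at line 306 of this file and in both LiteLoaderRowData.cs hunks (lines 193 and 224). SecurityException is the code-access-security exception type and, left unhandled in a WinForms handler, surfaces as the unhandled-exception dialog; an `InvalidOperationException` (or a failure result the form can display) fits this situation better. RestoreDll continues past the end of the hunk.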
@@ -295,6 +306,16 @@ namespace RevokeMsgPatcher.Forms
 {
 string fileName = "dbghelp.dll";
 string destPath = Path.Combine(installPath, fileName);
+
+ // Validate that the path is safe and within expected directory
+ string normalizedDestPath = Path.GetFullPath(destPath);
+ string normalizedInstallPath = Path.GetFullPath(installPath);
+
+ if (!normalizedDestPath.StartsWith(normalizedInstallPath, StringComparison.OrdinalIgnoreCase))
+ {
+ throw new SecurityException("Invalid file path detected. Path traversal attempt blocked.");
+ }
+ + if (File.Exists(destPath))
 {
 File.Delete(destPath);
diff --git a/RevokeMsgPatcher/Model/LiteLoaderRowData.cs b/RevokeMsgPatcher/Model/LiteLoaderRowData.cs
index 41eb74d..4c8b0b8 100644
--- a/RevokeMsgPatcher/Model/LiteLoaderRowData.cs
+++ b/RevokeMsgPatcher/Model/LiteLoaderRowData.cs
@@ -193,6 +193,16 @@ namespace RevokeMsgPatcher.Model
 // 解压
 string zipFileName = Path.GetFileNameWithoutExtension(downloadedFilePath);
 string extractPath = Path.Combine(Application.StartupPath, "Public/Extracted", zipFileName);
+
+ // Validate extractPath is within expected directory
+ string normalizedExtractPath = Path.GetFullPath(extractPath);
+ string normalizedBaseExtractPath = Path.GetFullPath(Path.Combine(Application.StartupPath, "Public/Extracted"));
+
+ if (!normalizedExtractPath.StartsWith(normalizedBaseExtractPath, StringComparison.OrdinalIgnoreCase))
+ {
+ throw new System.Security.SecurityException("Invalid extract path detected. Path traversal attempt blocked.");
+ }
+ + if (Directory.Exists(extractPath))
 {
 Directory.Delete(extractPath, true);
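Review bot: In the extractPath check (LiteLoaderRowData.cs, line 193 hunk) the prefix comparison also passes when normalizedExtractPath equals normalizedBaseExtractPath itself, and the `Directory.Delete(extractPath, true)` that follows then removes the entire Public/Extracted tree. That equality arises whenever zipFileName is empty — Path.GetFileNameWithoutExtension returns "" for a name that consists only of an extension, and Path.Combine with an empty last segment yields the base directory — so it matters if downloadedFilePath can ever carry such a name (its origin is outside this hunk). Requiring the base plus a trailing separator as the prefix, `string basePrefix = normalizedBaseExtractPath.TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar) + Path.DirectorySeparatorChar;`, rejects both the equality case and sibling directories whose names merely extend "Extracted". The Directory calls below should also be given `normalizedExtractPath` rather than the raw `extractPath`, so the value checked and the value used are the same. The enclosing method begins before and continues after this hunk.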
@@ -214,6 +224,15 @@ namespace RevokeMsgPatcher.Model
 // 清理
+ // Validate downloadedFilePath is within expected directory
+ string normalizedDownloadPath = Path.GetFullPath(downloadedFilePath);
+ string normalizedBaseDownloadPath = Path.GetFullPath(Path.Combine(Application.StartupPath, "Public/Download"));
+
+ if (!normalizedDownloadPath.StartsWith(normalizedBaseDownloadPath, StringComparison.OrdinalIgnoreCase))
+ {
+ throw new System.Security.SecurityException("Invalid download path detected. Path traversal attempt blocked.");
+ }
+ + if (File.Exists(downloadedFilePath))
 {
 File.Delete(downloadedFilePath);
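Review bot: The downloadedFilePath check is placed in the cleanup section, after the same path has already been consumed by the extraction step at line 193 of this file (the `// 解压` block in the previous hunk) and presumably by the download that precedes it, so it only guards the final `File.Delete(downloadedFilePath)` and an out-of-tree path would already have been read and unpacked by the time it throws. Move the validation to the point where downloadedFilePath is assigned, or to the top of the method, so it runs before any use. The comparison should also use the base with a trailing separator, `string basePrefix = normalizedBaseDownloadPath.TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar) + Path.DirectorySeparatorChar;`, since a bare StartsWith on "Public/Download" accepts any sibling directory whose name extends it. Throwing from the cleanup step also leaves the already-extracted files in place; if the check must stay here, at least perform the extract-directory cleanup first. The enclosing method begins before this hunk.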