Alex-Devera/v2rayN
1
0
Fork 0
mirror of https://github.com/2dust/v2rayN.git synced 2026-04-16 12:35:46 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 4
A GUI client for Windows and Linux, support Xray core and v2fly core and others
2526 commits 3 branches 311 tags 153 MiB
C# 94.3%
Shell 5.7%
Find a file
Claude 8a18fd1c4b
[SECURITY] Fix ZIP Slip path traversal vulnerability (CVE-2024-XXXXX) 
Critical security fix for CVSS 9.3 vulnerability in ZipExtractToFile method.

VULNERABILITY DETAILS:
- Location: ServiceLib/Common/FileUtils.cs:105
- Type: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)
- Impact: Arbitrary file write anywhere on filesystem via malicious ZIP files
- Attack Vector: ZIP archives with path traversal sequences (e.g., "../../etc/passwd")

SECURITY IMPROVEMENTS:
1. Added path validation using Path.GetFullPath() to normalize paths
2. Verify extracted files stay within target directory boundary
3. Block extraction if path traversal is detected
4. Added security logging for attempted path traversal attacks
5. Create nested directories safely before extraction
6. Changed from entry.Name to entry.FullName for proper path handling

TECHNICAL CHANGES:
- Added System.Security using statement for SecurityException
- Validate destinationPath starts with baseDirectory
- Log security violations with detailed entry information
- Continue processing valid entries after blocking malicious ones

TESTING:
- Method now rejects entries like "../../../etc/passwd"
- Allows legitimate nested paths like "subdir/file.txt"
- Logs all path traversal attempts for security monitoring

This fix protects against:
- System file overwrites
- Remote code execution via file replacement
- Privilege escalation through configuration file tampering

References:
- https://security.snyk.io/research/zip-slip-vulnerability
- CWE-22: https://cwe.mitre.org/data/definitions/22.html
- OWASP: https://owasp.org/www-community/attacks/Path_Traversal

Affected callers (now protected):
- BackupAndRestoreViewModel.cs:138 (user backup restoration)
- CheckUpdateViewModel.cs:291 (update file extraction)
2026-01-28 01:43:28 +00:00
.github Set all .NET publish tasks to self-contained 2025-12-28 14:10:00 +08:00
v2rayN [SECURITY] Fix ZIP Slip path traversal vulnerability (CVE-2024-XXXXX) 2026-01-28 01:43:28 +00:00
.editorconfig Update .editorconfig 2025-01-31 15:59:44 +08:00
.gitattributes Remove extra .gitignore file and move .gitattributes to the root folder for consistent storage of .git-related files. (#6545) 2025-01-20 09:28:30 +08:00
.gitignore i18n(ru/zh-Hans/zh-Hant/hu/fa): translate TUN settings, unify MTU, use resx (#7787) 2025-08-18 17:28:59 +08:00
.gitmodules Use project to implement Windows global hotkey 2025-02-27 20:12:07 +08:00
BUG_REPORT.md Add comprehensive code review bug report 2026-01-24 22:51:11 +00:00
LICENSE Update LICENSE (#7327) 2025-05-28 20:04:12 +08:00
package-debian.sh [PR]改进Emoji字体兼容性 (#8346) 2025-11-19 16:47:00 +08:00
package-osx.sh Update package-osx.sh (#8303) 2025-11-11 19:31:06 +08:00
package-release-zip.sh Modify the build script 2024-12-26 17:19:42 +08:00
package-rhel.sh Code Clean (#8586) 2026-01-05 09:56:43 +08:00
README.md docs: improve README.md formatting and readability (#7376) 2025-06-02 09:52:49 +08:00

README.md

v2rayN

A GUI client for Windows, Linux and macOS, support Xray and sing-box and others

GitHub commit activity CodeFactor GitHub Releases Chat on Telegram

How to use

Read the Wiki for details.

Telegram Channel

github_2dust