Fix Zip Slip vulnerability, regex recompilation, and redundant hashCode#3810
Merged
guiyanakuang merged 1 commit intomainfrom Feb 9, 2026
Merged
Conversation
…Code - Add path traversal validation in CompressUtils.unzip() to prevent Zip Slip attacks from crafted zip entries - Move regex to companion object in OpenGraphService.extractFromJsonLd() to avoid recompilation on every call - Remove redundant inherited field hashing/comparison in PasteFileCoordinate and PasteFileInfoTreeCoordinate hashCode()/equals() Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering) Co-Authored-By: Claude <noreply@anthropic.com> Co-Authored-By: Happy <yesreply@happy.engineering>
guiyanakuang
deleted the
fix/issue-3809-session32-serialization-persistence
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #3809\n\n## Summary\n- S32-01 (HIGH): Add path traversal validation in
CompressUtils.unzip()to prevent Zip Slip attacks — resolved paths are checked against the canonical target directory before writing\n- S32-02 (LOW): Move regex inOpenGraphService.extractFromJsonLd()to a companion object constant to avoid recompilation on every call\n- S32-03 (LOW): Remove redundant inherited field hashing/comparison inPasteFileCoordinateandPasteFileInfoTreeCoordinatehashCode()/equals()—super.hashCode()/super.equals()already covers inherited fields\n\n## Test plan\n- [ ] Verifyunzip()rejects zip entries with path traversal (e.g.,../../malicious.txt)\n- [ ] Verify Open Graph image extraction still works for URLs with JSON-LD\n- [ ] Verify paste coordinate equality/hashing works correctly in file sync operations\n\n🤖 Generated with Claude Code\nvia Happy