security: Path traversal in JpaUnarchiver — no filename sanitization #72

Closed
opened 2026-06-21 23:00:58 +00:00 by jmiller · 0 comments
Owner

## Severity: CRITICAL

`JpaUnarchiver` reads the file path directly from the JPA binary header and uses it raw to construct the output path:

```php
$dirPath  = $this->outputDir . '/' . $path;   // line 211
$fullPath = $this->outputDir . '/' . $path;   // line 230
```

A maliciously crafted JPA file with a path like `../../../../etc/cron.d/pwned` would write files outside the staging directory.

## Fix

Sanitize `$path` — reject absolute paths and `../` sequences, validate `realpath()` stays within `$this->outputDir`.

## File

- `src/Engine/JpaUnarchiver.php:211,230`
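A hardened version of the check the fix calls for, written as an added example for this issue and not taken from the project's code. It assumes a hypothetical `safeEntryPath()` helper, PHP 8 and a POSIX filesystem; it rejects absolute paths and `..` segments lexically, then confirms with `realpath()` that the nearest existing ancestor of the target still lies inside `$outputDir`, which also covers a symlinked directory that the lexical check alone cannot see.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not from JpaUnarchiver: resolve an archive entry path
// to an absolute path inside $outputDir, or throw. Assumes PHP 8, POSIX paths.
function safeEntryPath(string $outputDir, string $path): string
{
    $base = realpath($outputDir);
    if ($base === false) {
        throw new RuntimeException("Output dir does not exist: $outputDir");
    }
    // NUL bytes truncate the path in the underlying C calls; never allow them.
    if ($path === '' || str_contains($path, "\0")) {
        throw new RuntimeException('Empty or NUL-containing entry path');
    }
    $p = str_replace('\\', '/', $path);
    if ($p[0] === '/' || preg_match('#^[A-Za-z]:#', $p) === 1) {
        throw new RuntimeException("Absolute entry path rejected: $path");
    }
    // Lexical normalisation: drop '.' and empty segments, reject any '..'.
    $segments = [];
    foreach (explode('/', $p) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            throw new RuntimeException("Traversal segment rejected: $path");
        }
        $segments[] = $seg;
    }
    if ($segments === []) {
        throw new RuntimeException("Entry path has no filename: $path");
    }
    $target = $base . '/' . implode('/', $segments);
    // realpath() returns false for files that do not exist yet, so resolve the
    // nearest existing ancestor instead; this also catches a symlink already
    // inside $outputDir that points elsewhere, which the lexical check misses.
    $probe = dirname($target);
    while (($real = realpath($probe)) === false) {
        $probe = dirname($probe);
    }
    if ($real !== $base && !str_starts_with($real, $base . '/')) {
        throw new RuntimeException("Entry escapes output dir: $path");
    }
    return $target;
}

// Usage at the two call sites named in the report (lines 211 and 230):
// $fullPath = safeEntryPath($this->outputDir, $path);
```

Rejecting `..` outright rather than normalising it away is deliberate: an archive that carries traversal segments is malformed, and the extraction should fail loudly and be logged instead of silently writing the entry somewhere else.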
jmiller added the component: engine label 2026-06-21 23:00:58 +00:00
Reference: MokoConsulting/MokoSuiteBackup#72