Merge pull request #17013 from dfederm/dfederm/fix-jellyfin-16899

Reject unsafe plugin package names in installer
2026-06-28 10:30:57 +01:00 · 2026-06-27 10:00:00 -04:00
parent cbef19c313 0ed27bad65
commit c158418e0b
2 changed files with 65 additions and 0 deletions
--- a/Emby.Server.Implementations/Updates/InstallationManager.cs
+++ b/Emby.Server.Implementations/Updates/InstallationManager.cs
@@ -1,4 +1,5 @@
 using System;
+using System.Buffers;
 using System.Collections.Concurrent;
 using System.Collections.Generic;
 using System.IO;
@@ -32,6 +33,8 @@ namespace Emby.Server.Implementations.Updates
    /// </summary>
    public class InstallationManager : IInstallationManager
    {
+        private static readonly SearchValues<char> InvalidPackageNameChars = SearchValues.Create([.. Path.GetInvalidFileNameChars(), '/', '\\']);
+
        /// <summary>
        /// The logger.
        /// </summary>
@@ -521,9 +524,27 @@ namespace Emby.Server.Implementations.Updates
                return;
            }

+            if (!IsValidPackageDirectoryName(package.Name))
+            {
+                _logger.LogError("Refusing to install package with invalid name {PackageName}.", package.Name);
+                throw new InvalidDataException($"Plugin package name '{package.Name}' is not a valid directory name.");
+            }
+
            // Always override the passed-in target (which is a file) and figure it out again
            string targetDir = Path.Combine(_appPaths.PluginsPath, package.Name);

+            var pluginsRoot = Path.TrimEndingDirectorySeparator(Path.GetFullPath(_appPaths.PluginsPath));
+            var resolvedTarget = Path.GetFullPath(targetDir);
+            if (!resolvedTarget.StartsWith(pluginsRoot + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase))
+            {
+                _logger.LogError(
+                    "Refusing to install package {PackageName}: resolved target {Resolved} is outside plugins directory {Root}.",
+                    package.Name,
+                    resolvedTarget,
+                    pluginsRoot);
+                throw new InvalidDataException($"Plugin package name '{package.Name}' resolves outside the plugins directory.");
+            }
+
            using var response = await _httpClientFactory.CreateClient(NamedClient.Default)
                .GetAsync(new Uri(package.SourceUrl), cancellationToken).ConfigureAwait(false);
            response.EnsureSuccessStatusCode();
@@ -572,6 +593,26 @@ namespace Emby.Server.Implementations.Updates
            _pluginManager.ImportPluginFrom(targetDir);
        }

+        private static bool IsValidPackageDirectoryName(string? name)
+        {
+            if (string.IsNullOrWhiteSpace(name))
+            {
+                return false;
+            }
+
+            if (name.Equals(".", StringComparison.Ordinal) || name.Equals("..", StringComparison.Ordinal))
+            {
+                return false;
+            }
+
+            if (name.IndexOfAny(InvalidPackageNameChars) >= 0)
+            {
+                return false;
+            }
+
+            return true;
+        }
+
        private async Task<bool> InstallPackageInternal(InstallationInfo package, CancellationToken cancellationToken)
        {
            LocalPlugin? plugin = _pluginManager.Plugins.FirstOrDefault(p => p.Id.Equals(package.Id) && p.Version.Equals(package.Version))