• v2.5.5-hotfix cee4f53753

    FTMahringer released this 2026-05-13 00:01:38 +02:00 | 80 commits to main since this release

    v2.5.5-hotfix

    Hotfix for v2.5.5-dev addressing CodeQL Critical and High severity alerts.

    Fixes

    • PluginLoaderService: validate jarPath is within pluginsDir using normalize() + startsWith()
    • PluginLoaderService: construct file:// URL from validated path, check startsWith("file://") before new URL() — fixes SSRF alert #10
    • PluginStorageService: added normalize() + startsWith(stagingDir) check in stageJar() — fixes path-injection alert #8
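    The containment and URL checks described in the PluginLoaderService and PluginStorageService entries, as an added Java example (not the project's code). It uses java.nio Path.normalize() with the component-wise Path.startsWith(Path), so a sibling directory that merely shares a name prefix with pluginsDir does not pass, and it checks the URL scheme after building the URL from the validated path rather than from the raw input. The class and method names are assumptions.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example, not PluginLoaderService itself: names mirror the release notes,
// the implementation is an assumption.
public final class PluginPathGuard {

    private final Path pluginsDir;

    public PluginPathGuard(Path pluginsDir) {
        // Anchor once: absolute and normalized, so ".." segments are already resolved.
        this.pluginsDir = pluginsDir.toAbsolutePath().normalize();
    }

    /** Resolve an untrusted jar path against pluginsDir and reject anything that escapes it. */
    public Path validateJarPath(String untrusted) {
        Path candidate;
        try {
            candidate = pluginsDir.resolve(untrusted).normalize();
        } catch (InvalidPathException e) {
            throw new IllegalArgumentException("invalid jar path", e);
        }
        // Path.startsWith compares whole components: "/opt/app/plugins-old/x.jar" is
        // rejected for pluginsDir "/opt/app/plugins", where a String prefix test would accept it.
        if (!candidate.startsWith(pluginsDir) || candidate.equals(pluginsDir)) {
            throw new IllegalArgumentException("jar path escapes plugins directory: " + untrusted);
        }
        if (!candidate.getFileName().toString().endsWith(".jar")) {
            throw new IllegalArgumentException("not a jar file: " + untrusted);
        }
        return candidate;
    }

    /** Build the file: URL only from the validated path, then confirm the scheme. */
    public URL toFileUrl(Path validated) throws MalformedURLException {
        URL url = validated.toUri().toURL();
        if (!"file".equals(url.getProtocol())) {
            throw new IllegalStateException("unexpected URL scheme: " + url);
        }
        return url;
    }

    public static void main(String[] args) throws Exception {
        PluginPathGuard guard = new PluginPathGuard(Paths.get("/opt/app/plugins"));
        System.out.println(guard.toFileUrl(guard.validateJarPath("demo.jar")));
        for (String bad : new String[] {"../secrets/x.jar", "/etc/passwd", "sub/../../x.jar"}) {
            try { guard.validateJarPath(bad); } catch (IllegalArgumentException e) { System.out.println("rejected: " + bad); }
        }
    }
}
```

    Symlinks inside pluginsDir are not resolved by normalize(); if that matters in the deployment, compare toRealPath() results instead.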

    Workflow Status

    • Compose Smoke Test
    • CodeQL (re-scan pending)