fix(utils): harden zip member path exclusion checks

Author: nijel

weblate/utils/files.py

@@ -6,7 +6,7 @@
 import os
 import shutil
 import stat
-from pathlib import Path
+from pathlib import Path, PurePosixPath, PureWindowsPath
 from typing import TYPE_CHECKING
 
 from django.conf import settings
@@ -98,7 +98,16 @@ def should_skip(location):
 
 def is_excluded(path: str) -> bool:
     """Whether path should be excluded from zip extraction."""
-    return any(exclude in f"/{path}/" for exclude in PATH_EXCLUDES) or ".." in path
+    normalized = path.replace("\\", "/")
+    posix_path = PurePosixPath(normalized)
+    windows_path = PureWindowsPath(path)
+    return (
+        any(exclude in f"/{normalized}/" for exclude in PATH_EXCLUDES)
+        or ".." in posix_path.parts
+        or posix_path.is_absolute()
+        or windows_path.is_absolute()
+        or bool(windows_path.drive)
+    )
 
 
 def is_path_within_directory(path: str, directory: str) -> bool:

weblate/utils/tests/test_files.py

@@ -17,6 +17,7 @@
 from weblate.utils.files import (
     REPO_TEMP_DIRNAME,
     get_repo_temp_dir,
+    is_excluded,
     is_path_within_directory,
     read_file_bytes,
     remove_tree,
@@ -71,6 +72,14 @@ def test_read_file_bytes_resets_position_to_start(self) -> None:
         self.assertEqual(read_file_bytes(filelike, max_size=10), b"test")
         self.assertEqual(filelike.tell(), 0)
 
+    def test_is_excluded_rejects_path_traversal_and_absolute_paths(self) -> None:
+        self.assertTrue(is_excluded("../outside.po"))
+        self.assertTrue(is_excluded("/etc/passwd"))
+        self.assertTrue(is_excluded(r"C:\temp\escape.po"))
+
+    def test_is_excluded_allows_regular_relative_paths(self) -> None:
+        self.assertFalse(is_excluded("locale/cs/messages.po"))
+
     def test_is_path_within_directory_accepts_descendants(self) -> None:
         with tempfile.TemporaryDirectory() as tempdir:
             repo_path = os.path.join(tempdir, "repo")