Fix zip extraction path traversal vulnerability in DevPullCommand by Copilot · Pull Request #22 · sak0a/notur

Copilot · 2026-02-07T17:08:32Z

ZipArchive::extractTo() extracts untrusted archives without path validation, allowing malicious entries like ../../../etc/passwd or C:/Windows/System32/evil.dll to write outside the target directory.

Changes

Replace unsafe extraction with validated manual extraction:

Parse each zip entry and validate before writing
Reject absolute paths (/etc/passwd, C:/Windows/System32)
Reject parent traversal sequences (../, ../../)
Reject null byte injection (\0)

Multi-layer path validation:

isUnsafePath() - regex checks for dangerous patterns
normalizePath() - resolve . and .., throw on root escape attempts
Verify normalized destination stays within target (string prefix + realpath)
Symlink protection via original path validation + resolved path verification

Additional hardening:

Directory permissions: 0755 → 0750
Error handling on file_put_contents() failures
Maintain both original and resolved target paths to prevent symlink bypass

Example

// Before: Unsafe direct extraction
$zip->extractTo($targetDir);  // Vulnerable to ../../../etc/passwd

// After: Validated entry-by-entry extraction
for ($i = 0; $i < $zip->numFiles; $i++) {
    $entry = $zip->getNameIndex($i);
    if ($this->isUnsafePath($entry)) {
        throw new \RuntimeException("Unsafe path: {$entry}");
    }
    $normalized = $this->normalizePath($entry);  // Throws on escape
    $destination = $secureTargetDir . DIRECTORY_SEPARATOR . $normalized;
    // Verify destination, extract, validate write success
}

Unit tests cover absolute paths, traversal sequences, null bytes, and edge cases.

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

- Introduced 'repository' configuration in notur.php for GitHub source code. - Registered DevPullCommand in NoturServiceProvider for enhanced development workflow.

…ntegration - Bumped framework version to 1.2.4 in configuration. - Introduced `notur:dev:pull` command to facilitate pulling updates from GitHub, including options for specific branches and dry-run functionality. - Added `repository` configuration key for GitHub source management. - Updated documentation to reflect new command and configuration changes.

Co-authored-by: sak0a <24781653+sak0a@users.noreply.github.com>

Copilot · 2026-02-07T17:17:44Z

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

https://api.github.com/repos/CarbonPHP/carbon-doctrine-types/zipball/18ba5ddfec8976260ead6e866180bd5d2f71aa1d
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/CarbonPHP/carbon/zipball/f438fcc98f92babee98381d399c65336f3a3827f
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/FakerPHP/Faker/zipball/e0ee18eb1e6dc3cda3ce9fd97e5a0689a88a64b5
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/GrahamCampbell/Result-Type/zipball/e01f4a821471308ba86aa202fed6698b6b695e3b
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/Seldaek/monolog/zipball/b321dd6749f0bf7189444158a3ce785cc16d69b0
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/bobthecow/psysh/zipball/a4f766e5c5b6773d8399711019bb7d90875a50ee
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/brick/math/zipball/a8b53e6cc4d3a336543f042a4dfa0e3f2f2356a4
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/composer/semver/zipball/198166618906cb2de69b95d7d47e5fa8aa1b2b95
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/dflydev/dflydev-dot-access-data/zipball/a23a2bf4f31d3518f3ecb38660c95715dfead60f
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/doctrine/inflector/zipball/6d6c96277ea252fc1304627204c3d5e6e15faa3b
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/doctrine/lexer/zipball/31ad66abc0fc9e1a1f2d9bc6a42668d2fbbcd6dd
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/dragonmantank/cron-expression/zipball/d61a8a9604ec1f8c3d150d09db6ce98b32675013
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/egulias/EmailValidator/zipball/d42c8731f0624ad6bdc8d3e5e9a4524f68801cfa
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/filp/whoops/zipball/d2102955e48b9fd9ab24280a7ad12ed552752c4d
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/fruitcake/php-cors/zipball/38aaa6c3fd4c157ffe2a4d10aa8b9b16ba8de379
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/guzzle/guzzle/zipball/b51ac707cfa420b7bfd4e4d5e510ba8008e822b4
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/guzzle/promises/zipball/481557b130ef3790cf82b713667b43030dc9c957
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/guzzle/psr7/zipball/21dc724a0583619cd1652f673303492272778051
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/guzzle/uri-template/zipball/4f4bbd4e7172148801e76e3decc1e559bdee34e1
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/hamcrest/hamcrest-php/zipball/f8b1c0173b22fa6ec77a81fe63e5b01eba7e6487
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/laravel/framework/zipball/5b23ab29087dbcb13077e5c049c431ec4b82f236
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/laravel/pail/zipball/49f92285ff5d6fc09816e976a004f8dec6a0ea30
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/laravel/prompts/zipball/dd2a2ed95acacbcccd32fd98dee4c946ae7a7217
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/laravel/serializable-closure/zipball/7581a4407012f5f53365e11bafc520fd7f36bc9b
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/laravel/tinker/zipball/3d34b97c9a1747a81a3fde90482c092bd8b66468
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/mockery/mockery/zipball/1f4efdd7d3beafe9807b08156dfcb176d18f1699
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/myclabs/DeepCopy/zipball/07d290f0c47959fd5eed98c95ee5602db07e0b6a
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/nette/schema/zipball/2befc2f42d7c715fd9d95efc31b1081e5d765004
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/nette/utils/zipball/c99059c0315591f1a0db7ad6002000288ab8dc72
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/nikic/PHP-Parser/zipball/dca41cd15c2ac9d055ad70dbfd011130757d1f82
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/nunomaduro/collision/zipball/1dc9e88d105699d0fee8bb18890f41b274f6b4c4
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/nunomaduro/termwind/zipball/6fb2a640ff502caace8e05fd7be3b503a7e1c017
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/orchestral/canvas-core/zipball/a8ebfa6c2e50f8c6597c489b4dfaf9af6789f62a
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/orchestral/canvas/zipball/002d948834c0899e511f5ac0381669363d7881e5
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/orchestral/sidekick/zipball/267a71b56cb2fe1a634d69fc99889c671b77ff43
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/orchestral/testbench-core/zipball/c3d35db076830039e91aa5a74a6247c03e5ffd87
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/orchestral/testbench/zipball/a279fe746c8a15d4d3607a66f356eb3354ac361e
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/orchestral/workbench/zipball/7515d2f7d59b6f5f315273c8b435e8b6b8906f49
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/phar-io/manifest/zipball/54750ef60c58e43759730615a392c31c80e23176
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/phar-io/version/zipball/4f7fd7836c6f332bb2933569e566a0d6c4cbed74
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/php-fig/clock/zipball/e41a24703d4560fd0acb709162f73b8adfc3aa0d
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/php-fig/container/zipball/c71ecc56dfe541dbd90c5360474fbc405f8d5963
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/php-fig/event-dispatcher/zipball/dbefd12671e8a14ec7f180cab83036ed26714bb0
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/php-fig/http-client/zipball/bb5906edc1c324c9a05aa0873d40117941e5fa90
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/php-fig/http-factory/zipball/2b4765fddfe3b508ac62f829e852b1501d3f6e8a
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/php-fig/http-message/zipball/402d35bcb92c70c026d1a6a9883f06b2ead23d71
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/php-fig/log/zipball/f16e1d5863e37f8d8c2a01719f5b34baa2b714d3
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/php-fig/simple-cache/zipball/764e0b3939f5ca87cb904f570ef9be2d78a07865
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/ralouphie/getallheaders/zipball/120b605dfeb996808c31b6477290a714d356e822
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/ramsey/collection/zipball/344572933ad0181accbf4ba763e85a0306a8c5e2
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/ramsey/uuid/zipball/8429c78ca35a09f27565311b98101e2826affde0
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/schmittjoh/php-option/zipball/75365b91986c2405cf5e1e012c5595cd487a98be
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/sebastianbergmann/cli-parser/zipball/15c5dd40dc4f38794d383bb95465193f5e0ae180
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/sebastianbergmann/code-unit-reverse-lookup/zipball/183a9b2632194febd219bb9246eee421dad8d45e
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/sebastianbergmann/code-unit/zipball/54391c61e4af8078e5b276ab082b6d3c54c9ad64
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/sebastianbergmann/comparator/zipball/2c95e1e86cb8dd41beb8d502057d1081ccc8eca9
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/sebastianbergmann/complexity/zipball/ee41d384ab1906c68852636b6de493846e13e5a0
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/sebastianbergmann/diff/zipball/b4ccd857127db5d41a5b676f24b51371d76d8544
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/sebastianbergmann/environment/zipball/a5c75038693ad2e8d4b6c15ba2403532647830c4
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/sebastianbergmann/exporter/zipball/70a298763b40b213ec087c51c739efcaa90bcd74
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/sebastianbergmann/global-state/zipball/3be331570a721f9a4b5917f4209773de17f747d7
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/sebastianbergmann/lines-of-code/zipball/d36ad0d782e5756913e42ad87cb2890f4ffe467a
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/sebastianbergmann/object-enumerator/zipball/f5b498e631a74204185071eb41f33f38d64608aa
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/sebastianbergmann/object-reflector/zipball/6e1a43b411b2ad34146dee7524cb13a068bb35f9
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/sebastianbergmann/php-code-coverage/zipball/2c1ed04922802c15e1de5d7447b4856de949cf56
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/sebastianbergmann/php-text-template/zipball/3e0404dc6b300e6bf56415467ebcb3fe4f33e964
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/sebastianbergmann/php-timer/zipball/3b415def83fbcb41f991d9ebf16ae4ad8b7837b3
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/sebastianbergmann/phpunit/zipball/fdfc727f0fcacfeb8fcb30c7e5da173125b58be3
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/sebastianbergmann/recursion-context/zipball/f6458abbf32a6c8174f8f26261475dc133b3d9dc
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/sebastianbergmann/type/zipball/f77d2d4e78738c98d9a68d2596fe5e8fa380f449
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/sebastianbergmann/version/zipball/c687e3387b99f5b03b6caa64c74b63e2936ff874
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/staabm/side-effects-detector/zipball/d8334211a140ce329c13726d4a715adbddd0a163
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/symfony/clock/zipball/9169f24776edde469914c1e7a1442a50f7a4e110
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/symfony/console/zipball/41e38717ac1dd7a46b6bda7d6a82af2d98a78894
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/symfony/css-selector/zipball/ab862f478513e7ca2fe9ec117a6f01a8da6e1135
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/symfony/deprecation-contracts/zipball/63afe740e99a13ba87ec199bb07bbdee937a5b62
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/symfony/error-handler/zipball/8da531f364ddfee53e36092a7eebbbd0b775f6b8
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/symfony/event-dispatcher-contracts/zipball/59eb412e93815df44f05f342958efa9f46b1e586
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/symfony/event-dispatcher/zipball/dc2c0eba1af673e736bb851d747d266108aea746
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/symfony/finder/zipball/ad4daa7c38668dcb031e63bc99ea9bd42196a2cb
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/symfony/http-foundation/zipball/446d0db2b1f21575f1284b74533e425096abdfb6
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/symfony/http-kernel/zipball/229eda477017f92bd2ce7615d06222ec0c19e82a
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/symfony/mailer/zipball/7b750074c40c694ceb34cb926d6dffee231c5cd6
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/symfony/mime/zipball/b18c7e6e9eee1e19958138df10412f3c4c316148
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/symfony/polyfill-ctype/zipball/a3cc8b044a6ea513310cbd48ef7333b384945638
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/symfony/polyfill-intl-grapheme/zipball/380872130d3a5dd3ace2f4010d95125fde5d5c70
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/symfony/polyfill-intl-idn/zipball/9614ac4d8061dc257ecc64cba1b140873dce8ad3
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/symfony/polyfill-intl-normalizer/zipball/3833d7255cc303546435cb650316bff708a1c75c
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/symfony/polyfill-mbstring/zipball/6d857f4d76bd4b343eac26d6b539585d2bc56493
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/symfony/polyfill-php80/zipball/0cc9dd0f17f61d8131e7df6b84bd344899fe2608
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/symfony/polyfill-php83/zipball/17f6f9a6b1735c0f163024d959f700cfbc5155e5
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/symfony/polyfill-php85/zipball/d4e5fcd4ab3d998ab16c0db48e6cbb9a01993f91
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/symfony/polyfill-uuid/zipball/21533be36c24be3f4b1669c4725c7d1d2bab4ae2
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/symfony/process/zipball/608476f4604102976d687c483ac63a79ba18cc97
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/symfony/routing/zipball/0798827fe2c79caeed41d70b680c2c3507d10147
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/symfony/service-contracts/zipball/45112560a3ba2d715666a509a0bc9521d10b6c43
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/symfony/string/zipball/1c4b10461bf2ec27537b5f36105337262f5f5d6f
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/symfony/translation-contracts/zipball/65a8bc82080447fae78373aa10f8d13b38338977
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/symfony/translation/zipball/bfde13711f53f549e73b06d27b35a55207528877
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/symfony/uid/zipball/7719ce8aba76be93dfe249192f1fbfa52c588e36
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/symfony/var-dumper/zipball/0e4769b46a0c3c62390d124635ce59f66874b282
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/symfony/yaml/zipball/24dd4de28d2e3988b311751ac49e684d783e2345
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/thephpleague/commonmark/zipball/4efa10c1e56488e658d10adf7b7b7dcd19940bfb
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/thephpleague/config/zipball/754b3604fb2984c71f4af4a9cbe7b57f346ec1f3
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/thephpleague/flysystem-local/zipball/2f669db18a4c20c755c2bb7d3a7b0b2340488079
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/thephpleague/flysystem/zipball/1717e0b3642b0df65ecb0cc89cdd99fa840672ff
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/thephpleague/mime-type-detection/zipball/2d6702ff215bf922936ccc1ad31007edc76451b9
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/thephpleague/uri-interfaces/zipball/c5c5cd056110fc8afaba29fa6b72a43ced42acd4
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/thephpleague/uri/zipball/4436c6ec8d458e4244448b069cc572d088230b76
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/tijsverkoyen/CssToInlineStyles/zipball/f0292ccf0ec75843d65027214426b6b163b48b41
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/vlucas/phpdotenv/zipball/955e7815d677a3eaa7075231212f2110983adecc
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)
https://api.github.com/repos/voku/portable-ascii/zipball/b1d923f88091c6bf09699efcd7c8a1b1bfd7351d
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/YGU46u /usr/bin/composer install --no-interaction --prefer-dist (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Configure Actions setup steps to set up my environment, which run before the firewall is enabled
Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

sak0a and others added 4 commits February 7, 2026 08:39

Add GitHub repository configuration and register DevPullCommand

80749a6

- Introduced 'repository' configuration in notur.php for GitHub source code. - Registered DevPullCommand in NoturServiceProvider for enhanced development workflow.

Fix package manager detection for npm

07a5b54

Initial plan

c1256be

Copilot AI assigned Copilot and sak0a Feb 7, 2026

Copilot AI mentioned this pull request Feb 7, 2026

Feature/dev pull command #18

Merged

Copilot started work on behalf of sak0a February 7, 2026 17:08 View session

Copilot AI and others added 3 commits February 7, 2026 17:14

Add path validation to prevent zip extraction path traversal attacks

e46dd76

Co-authored-by: sak0a <24781653+sak0a@users.noreply.github.com>

Improve path validation logic and add tests for edge cases

821b0f0

Co-authored-by: sak0a <24781653+sak0a@users.noreply.github.com>

Enhance security with better symlink handling and error checking

bcb96d9

Co-authored-by: sak0a <24781653+sak0a@users.noreply.github.com>

Copilot AI changed the title ~~[WIP] Address feedback on feature/dev pull command PR~~ Fix zip extraction path traversal vulnerability in DevPullCommand Feb 7, 2026

Copilot AI requested a review from sak0a February 7, 2026 17:17

Copilot finished work on behalf of sak0a February 7, 2026 17:17

Base automatically changed from feature/dev-pull-command to master February 7, 2026 17:37

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix zip extraction path traversal vulnerability in DevPullCommand#22

Fix zip extraction path traversal vulnerability in DevPullCommand#22
Copilot wants to merge 7 commits intomasterfrom
copilot/sub-pr-18-yet-again

Copilot AI commented Feb 7, 2026 •

edited

Loading

Uh oh!

Copilot AI commented Feb 7, 2026

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

Copilot AI commented Feb 7, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Changes

Example

Uh oh!

Copilot AI commented Feb 7, 2026

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Copilot AI commented Feb 7, 2026 •

edited

Loading