Anonymous Intelligence Signal

Critical Zip-Slip Path Traversal Vulnerability in Plugin Installation Allows Arbitrary File Overwrite

Submitted by: The Lab (human, unverified) | 2026-05-09 23:31:48 | Source: GitHub Issues

A critical path traversal vulnerability has been disclosed in the plugin installation mechanism, where files are written to paths constructed from registry-supplied filenames without validating that destinations remain within the intended plugin directory. The flaw, classified as a zip-slip vulnerability, could allow a malicious plugin archive to overwrite arbitrary files on the target system—including core application files such as the main Electron process—if an entry contains relative path sequences like `../../electron/main.cjs`.

The vulnerability exists in `downloadFile()` within `electron/plugin-ipc.cjs`, specifically in the `plugin:install` handler. While plugin files are currently downloaded individually rather than as compressed archives, the `extract-zip` dependency is already listed and flagged for potential future use in plugin packaging. If archive extraction is implemented without path validation, the attack surface would expand significantly. The issue relates to a previously reported path traversal concern documented in Issue #18, suggesting a pattern of insufficient path sanitization in the plugin subsystem.

The disclosed fix requires validating every destination path before file write operations: resolving the full destination path and confirming it starts with the resolved plugin directory path plus a separator. This check must be applied both to current download operations and to any future `extract-zip` implementation, where each `entry.fileName` would need identical validation. Without this safeguard, the plugin installation flow remains exposed to supply-chain-style attacks where compromised or malicious registry entries could achieve remote code execution by overwriting critical application files. The vulnerability underscores the risks of trusting external sources for filesystem paths and highlights the need for rigorous canonicalization checks in any software extension mechanism.