Harden ZIP extractor against Windows drive-letter and backslash entries

Copilot review on #427 flagged that the path-traversal guard added in
#426 was OS-dependent: on Windows, a crafted member like
"addons/godot_ai/C:evil.txt" yields a relative pathlib.Path with a
drive component, and `target_addon / rel` discards `target_addon`,
writing outside the fixture directory. CI runs on Linux so the
existing guard passed, but the harness also runs on developer
Windows machines.

Three-pronged fix:

- Parse zip member names as `PurePosixPath` (ZIP spec uses `/`) so
  Windows host pathlib doesn't reinterpret drive-letter syntax.
- Reject any member name containing a literal backslash up front
  (mirrors update_reload_runner.gd::_is_safe_zip_addon_file()).
- Final containment check via `Path.is_relative_to()` on the resolved
  output path -- catches any OS-specific path-parsing quirk that
  sneaks past the parts-based check.

New `tests/unit/test_self_update_fixture_extract.py` covers the
clean-zip happy path, parent-traversal rejection, backslash
rejection, zip-directory-entries are skipped, and entries outside
the addons/godot_ai prefix are skipped. 912 pytest tests pass (+5).

https://claude.ai/code/session_01VgXf3Lqv2ypt36g6EqpRYg

Author: claude

tests/integration/_self_update_fixture.py

@@ -5,7 +5,7 @@
 import subprocess
 import zipfile
 from importlib.machinery import SourceFileLoader
-from pathlib import Path
+from pathlib import Path, PurePosixPath
 from types import ModuleType
 
 import pytest
@@ -274,17 +274,37 @@ def assert_no_update_parse_errors(log: str) -> None:
 
 def extract_addon_from_zip(zip_path: Path, target_addon: Path) -> None:
     target_addon.mkdir(parents=True)
+    target_resolved = target_addon.resolve()
     with zipfile.ZipFile(zip_path) as zf:
         for info in zf.infolist():
             if not info.filename.startswith("addons/godot_ai/") or info.is_dir():
                 continue
-            rel = Path(info.filename).relative_to("addons/godot_ai")
+            # ZIP spec uses POSIX-style forward-slash separators; parsing the
+            # member name as PurePosixPath stops a Windows host from
+            # reinterpreting an entry like "addons/godot_ai/C:evil.txt" as a
+            # drive component (which would make `target_addon / rel` discard
+            # the prefix and write outside the fixture).
+            if "\\" in info.filename:
+                raise ValueError(
+                    f"Refusing unsafe zip entry {info.filename!r}: contains backslash"
+                )
+            rel = PurePosixPath(info.filename).relative_to("addons/godot_ai")
             if rel.is_absolute() or any(part in ("", ".", "..") for part in rel.parts):
                 raise ValueError(
                     f"Refusing unsafe zip entry {info.filename!r}: relative path "
                     f"{rel!s} contains absolute or traversal segments"
                 )
-            out = target_addon / rel
+            out = target_addon.joinpath(*rel.parts)
+            # Belt-and-suspenders containment: if the resolved output path
+            # would escape target_addon (e.g. an OS-specific path-parsing
+            # quirk we didn't anticipate), refuse the entry.
+            candidate = out if out.exists() else target_resolved / Path(*rel.parts)
+            resolved = candidate.resolve()
+            if not resolved.is_relative_to(target_resolved):
+                raise ValueError(
+                    f"Refusing unsafe zip entry {info.filename!r}: resolved "
+                    f"output {resolved!s} escapes target {target_resolved!s}"
+                )
             out.parent.mkdir(parents=True, exist_ok=True)
             out.write_bytes(zf.read(info.filename))
 

tests/unit/test_self_update_fixture_extract.py

@@ -0,0 +1,91 @@
+"""Unit tests for `tests/integration/_self_update_fixture.py::extract_addon_from_zip`.
+
+The helper extracts release-zip entries into a fixture directory before the
+integration tests in `tests/integration/test_self_update_*.py` exercise the
+update flow. The runtime installer (`update_reload_runner.gd`) rejects unsafe
+zip entries via `_is_safe_zip_addon_file()`; this helper mirrors that
+defense in Python so a crafted/corrupt release zip can't escape the fixture
+sandbox on developer machines or CI runners.
+"""
+
+from __future__ import annotations
+
+import zipfile
+from pathlib import Path
+
+import pytest
+
+from tests.integration._self_update_fixture import extract_addon_from_zip
+
+
+def _write_zip(path: Path, members: dict[str, bytes]) -> None:
+    with zipfile.ZipFile(path, "w") as zf:
+        for name, data in members.items():
+            zf.writestr(name, data)
+
+
+def test_clean_zip_extracts_files_to_target(tmp_path: Path) -> None:
+    zip_path = tmp_path / "good.zip"
+    _write_zip(
+        zip_path,
+        {
+            "addons/godot_ai/plugin.cfg": b"[plugin]\nname=ok\n",
+            "addons/godot_ai/sub/file.gd": b"pass",
+        },
+    )
+    target = tmp_path / "target"
+    extract_addon_from_zip(zip_path, target)
+    assert (target / "plugin.cfg").read_bytes().startswith(b"[plugin]")
+    assert (target / "sub" / "file.gd").read_bytes() == b"pass"
+
+
+def test_parent_traversal_entry_is_rejected(tmp_path: Path) -> None:
+    zip_path = tmp_path / "bad.zip"
+    _write_zip(
+        zip_path,
+        {
+            "addons/godot_ai/plugin.cfg": b"[plugin]\nname=ok\n",
+            "addons/godot_ai/../../escape.txt": b"escape",
+        },
+    )
+    with pytest.raises(ValueError, match="absolute or traversal segments"):
+        extract_addon_from_zip(zip_path, tmp_path / "target")
+
+
+def test_backslash_in_entry_name_is_rejected(tmp_path: Path) -> None:
+    zip_path = tmp_path / "bad.zip"
+    _write_zip(
+        zip_path,
+        {
+            "addons/godot_ai/plugin.cfg": b"[plugin]\nname=ok\n",
+            "addons/godot_ai/sub\\windows-style.gd": b"oops",
+        },
+    )
+    with pytest.raises(ValueError, match="contains backslash"):
+        extract_addon_from_zip(zip_path, tmp_path / "target")
+
+
+def test_directory_entries_are_skipped(tmp_path: Path) -> None:
+    zip_path = tmp_path / "dirs.zip"
+    with zipfile.ZipFile(zip_path, "w") as zf:
+        zf.writestr("addons/godot_ai/sub/", b"")
+        zf.writestr("addons/godot_ai/plugin.cfg", b"[plugin]\nname=ok\n")
+    target = tmp_path / "target"
+    extract_addon_from_zip(zip_path, target)
+    assert (target / "plugin.cfg").is_file()
+    assert not (target / "sub").exists()
+
+
+def test_entries_outside_addon_prefix_are_skipped(tmp_path: Path) -> None:
+    zip_path = tmp_path / "mixed.zip"
+    _write_zip(
+        zip_path,
+        {
+            "addons/godot_ai/plugin.cfg": b"[plugin]\nname=ok\n",
+            "README.md": b"not an addon file",
+            "other/thing.txt": b"also not",
+        },
+    )
+    target = tmp_path / "target"
+    extract_addon_from_zip(zip_path, target)
+    assert sorted(p.name for p in target.iterdir()) == ["plugin.cfg"]