fix(security): harden archive extraction (#16203)

* fix(browser): confine upload paths for file chooser

* fix(browser): sanitize suggested download filenames

* chore(lint): avoid control regex in download sanitizer

* test(browser): cover absolute escape paths

* docs(browser): update upload example path

* refactor(browser): centralize upload path confinement

* fix(infra): harden tmp dir selection

* fix(security): harden archive extraction

* fix(infra): harden tar extraction filter

src/browser/pw-tools-core.downloads.ts

@@ -18,9 +18,38 @@ import {
   toAIFriendlyError,
 } from "./pw-tools-core.shared.js";
 
+function sanitizeDownloadFileName(fileName: string): string {
+  const trimmed = String(fileName ?? "").trim();
+  if (!trimmed) {
+    return "download.bin";
+  }
+
+  // `suggestedFilename()` is untrusted (influenced by remote servers). Force a basename so
+  // path separators/traversal can't escape the downloads dir on any platform.
+  let base = path.posix.basename(trimmed);
+  base = path.win32.basename(base);
+  let cleaned = "";
+  for (let i = 0; i < base.length; i++) {
+    const code = base.charCodeAt(i);
+    if (code < 0x20 || code === 0x7f) {
+      continue;
+    }
+    cleaned += base[i];
+  }
+  base = cleaned.trim();
+
+  if (!base || base === "." || base === "..") {
+    return "download.bin";
+  }
+  if (base.length > 200) {
+    base = base.slice(0, 200);
+  }
+  return base;
+}
+
 function buildTempDownloadPath(fileName: string): string {
   const id = crypto.randomUUID();
-  const safeName = fileName.trim() ? fileName.trim() : "download.bin";
+  const safeName = sanitizeDownloadFileName(fileName);
   return path.join(resolvePreferredOpenClawTmpDir(), "downloads", `${id}-${safeName}`);
 }