fix: close potential gaps

Author: zerebos

internal/betterdiscord/addons.go

@@ -218,6 +218,16 @@ func downloadAddon(kind AddonKind, dir, rawURL string) (string, error) {
 	}
 
 	dest := filepath.Join(dir, base)
+
+	// Normalize and ensure the destination remains within the addon directory
+	dest = filepath.Clean(dest)
+	dirClean := filepath.Clean(dir)
+	dirWithSep := dirClean + string(os.PathSeparator)
+
+	if dest != dirClean && !strings.HasPrefix(dest, dirWithSep) {
+		return "", fmt.Errorf("resolved addon path is outside the addon directory")
+	}
+
 	if _, err := utils.DownloadFile(rawURL, dest); err != nil {
 		return "", err
 	}

internal/betterdiscord/buildinfo.go

@@ -44,7 +44,7 @@ func (i *BDInstall) ReadBuildinfo() (bi Buildinfo, err error) {
 
 	// Compile your regexes
 	versionRe := regexp.MustCompile(`version:\s?"([0-9]+\.[0-9]+\.[0-9]+)"`)
-	commitRe := regexp.MustCompile(`commit:\s?"(\b[0-9a-f]{5,40}\b)"`)
+	commitRe := regexp.MustCompile(`commit:\s?"([0-9a-f]{5,40})"`)
 	branchRe := regexp.MustCompile(`branch:\s?"([a-zA-Z0-9_\-]+)"`)
 	modeRe := regexp.MustCompile(`build:\s?"([a-zA-Z]+)"`)
 
@@ -90,11 +90,16 @@ func (i *BDInstall) ReadBuildinfo() (bi Buildinfo, err error) {
 				}
 			}
 
-			// Keep last 1 KB as tail (enough for your patterns)
+			// Keep last 1 KB as tail for next round
+			// Use a copy to avoid holding onto the entire window
 			if len(window) > 1024 {
-				tail = window[len(window)-1024:]
+				newTail := make([]byte, 1024)
+				copy(newTail, window[len(window)-1024:])
+				tail = newTail
 			} else {
-				tail = window
+				newTail := make([]byte, len(window))
+				copy(newTail, window)
+				tail = newTail
 			}
 		}