Advisories for Npm/Dbgate package

2026

DbGate: Zip Slip in archive/unzip allows arbitrary file write leading to RCE

The unzipDirectory() function in packages/api/src/shell/unzipDirectory.js (line 27) does not validate that extracted file paths stay within the output directory. A malicious ZIP with ../ entries writes files anywhere on the filesystem. In the default Docker deployment, DbGate runs as root and the "none" auth provider issues JWT tokens without credentials via POST /auth/login, so this is exploitable by any network-adjacent attacker. Affected code: packages/api/src/shell/unzipDirectory.js, line 27: const destPath = path.join(outputDirectory, …