Merge pull request #154 from mockingbot/fix-zip-traversal-vulnerability
Fix zip traversal vulnerability
plrthink authored Jul 28, 2019
2 parents 2fdb740 + af7fbd0 commit 199a607
Showing 2 changed files with 16 additions and 15 deletions.
29 changes: 15 additions & 14 deletions android/src/main/java/com/rnziparchive/RNZipArchiveModule.java
Expand Up @@ -27,18 +27,15 @@
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

import net.lingala.zip4j.exception.ZipException;
import net.lingala.zip4j.model.FileHeader;
import net.lingala.zip4j.progress.ProgressMonitor;
import net.lingala.zip4j.model.ZipParameters;
import net.lingala.zip4j.util.Zip4jConstants;

public class RNZipArchiveModule extends ReactContextBaseJavaModule {
private static final String TAG = RNZipArchiveModule.class.getSimpleName();

private static final int BUFFER_SIZE = 4096;
private static final String PROGRESS_EVENT_NAME = "zipArchiveProgressEvent";
private static final String EVENT_KEY_FILENAME = "filePath";
private static final String EVENT_KEY_PROGRESS = "progress";
Expand Down Expand Up @@ -83,14 +80,18 @@ public void run() {
updateProgress(0, 1, zipFilePath); // force 0%
for (int i = 0; i < totalFiles; i++) {
FileHeader fileHeader = (FileHeader) fileHeaderList.get(i);

File fout = new File(destDirectory, fileHeader.getFileName());
ensureZipPathSafety(fout, destDirectory);

zipFile.extractFile(fileHeader, destDirectory);
if (!fileHeader.isDirectory()) {
extractedFileNames.add(fileHeader.getFileName());
}
updateProgress(i + 1, totalFiles, zipFilePath);
}
promise.resolve(Arguments.fromList(extractedFileNames));
} catch (ZipException ex) {
} catch (Exception ex) {
updateProgress(0, 1, zipFilePath); // force 0%
promise.reject(null, String.format("Failed to unzip file, due to: %s", getStackTrace(ex)));
}
Expand Down Expand Up @@ -161,11 +162,7 @@ public void onCopyProgress(long bytesRead) {
};

File fout = new File(destDirectory, entry.getName());
String destDirCanonicalPath = (new File(destDirectory)).getCanonicalPath();
String canonicalPath = fout.getCanonicalPath();
if (!canonicalPath.startsWith(destDirCanonicalPath)) {
throw new Exception(String.format("Found Zip Path Traversal Vulnerability with %s", canonicalPath));
}
ensureZipPathSafety(fout, destDirectory);

if (!fout.exists()) {
//noinspection ResultOfMethodCallIgnored
Expand Down Expand Up @@ -254,11 +251,7 @@ public void run() {
if (entry.isDirectory()) continue;
fout = new File(destDirectory, entry.getName());

String destDirCanonicalPath = (new File(destDirectory)).getCanonicalPath();
String canonicalPath = fout.getCanonicalPath();
if (!canonicalPath.startsWith(destDirCanonicalPath)) {
throw new Exception(String.format("Found Zip Path Traversal Vulnerability with %s", canonicalPath));
}
ensureZipPathSafety(fout, destDirectory);

if (!fout.exists()) {
//noinspection ResultOfMethodCallIgnored
Expand Down Expand Up @@ -493,4 +486,12 @@ private String getStackTrace(Exception e) {
return sw.toString();
}

private void ensureZipPathSafety(final File fout, final String destDirectory) throws Exception {
String destDirCanonicalPath = (new File(destDirectory)).getCanonicalPath();
String canonicalPath = fout.getCanonicalPath();
if (!canonicalPath.startsWith(destDirCanonicalPath)) {
throw new Exception(String.format("Found Zip Path Traversal Vulnerability with %s", canonicalPath));
}
}

}
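Review bot: The prefix test in the new `ensureZipPathSafety` (the `startsWith` on `destDirCanonicalPath`) still lets an entry escape into a sibling directory whose name shares the destination's prefix: with a destination of `/data/out`, an entry name like `../out2/x` canonicalizes to `/data/out2/x`, which starts with `/data/out` and passes. The comparison should anchor on a path separator, e.g. `if (!canonicalPath.equals(destDirCanonicalPath) && !canonicalPath.startsWith(destDirCanonicalPath + File.separator)) {`, so only the destination itself or paths strictly beneath it are accepted. Since the same helper now guards all three extraction paths, tightening it here fixes the zip4j, password and stream variants at once. Separately, the helper throws a bare `Exception` (and `catch (ZipException ex)` was widened to `catch (Exception ex)` to absorb it); a dedicated `SecurityException` or `IOException` with the same message would let callers distinguish a rejected archive from an I/O failure without changing the promise-rejection behaviour.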
2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "react-native-zip-archive",
"version": "4.1.1",
"version": "4.1.2-beta.0",
"description": "A little wrapper on ZipArchive for react-native",
"main": "index.js",
"scripts": {
