fix: zipslip
This commit is contained in:
sunnylqm
parent
b747b1f356
commit
8622935bdf
@ -237,19 +237,7 @@ class DownloadTask extends AsyncTask<DownloadTaskParams, long[], Void> {
|
||||
while (entries.hasMoreElements()) {
|
||||
ZipEntry ze = entries.nextElement();
|
||||
|
||||
String fn = ze.getName();
|
||||
File fmd = new File(param.unzipDirectory, fn);
|
||||
|
||||
if (UpdateContext.DEBUG) {
|
||||
Log.d("RNUpdate", "Unzipping " + fn);
|
||||
}
|
||||
|
||||
if (ze.isDirectory()) {
|
||||
fmd.mkdirs();
|
||||
continue;
|
||||
}
|
||||
|
||||
zipFile.unzipToFile(ze, fmd);
|
||||
zipFile.unzipToPath(ze, param.unzipDirectory);
|
||||
}
|
||||
|
||||
zipFile.close();
|
||||
@ -324,8 +312,15 @@ class DownloadTask extends AsyncTask<DownloadTaskParams, long[], Void> {
|
||||
} else {
|
||||
target = copyList.get((from));
|
||||
}
|
||||
target.add(new File(param.unzipDirectory, to));
|
||||
//copyFromResource(from, new File(param.unzipDirectory, to));
|
||||
File toFile = new File(param.unzipDirectory, to);
|
||||
|
||||
// Fixing a Zip Path Traversal Vulnerability
|
||||
// https://support.google.com/faqs/answer/9294009
|
||||
String canonicalPath = toFile.getCanonicalPath();
|
||||
if (!canonicalPath.startsWith(param.unzipDirectory.getCanonicalPath() + File.separator)) {
|
||||
throw new SecurityException("Illegal name: " + to);
|
||||
}
|
||||
target.add(toFile);
|
||||
}
|
||||
continue;
|
||||
}
|
||||
@ -339,18 +334,9 @@ class DownloadTask extends AsyncTask<DownloadTaskParams, long[], Void> {
|
||||
fout.close();
|
||||
continue;
|
||||
}
|
||||
File fmd = new File(param.unzipDirectory, fn);
|
||||
|
||||
if (UpdateContext.DEBUG) {
|
||||
Log.d("RNUpdate", "Unzipping " + fn);
|
||||
}
|
||||
|
||||
if (ze.isDirectory()) {
|
||||
fmd.mkdirs();
|
||||
continue;
|
||||
}
|
||||
|
||||
zipFile.unzipToFile(ze, fmd);
|
||||
zipFile.unzipToPath(ze, param.unzipDirectory);
|
||||
}
|
||||
|
||||
zipFile.close();
|
||||
@ -419,18 +405,8 @@ class DownloadTask extends AsyncTask<DownloadTaskParams, long[], Void> {
|
||||
fout.close();
|
||||
continue;
|
||||
}
|
||||
File fmd = new File(param.unzipDirectory, fn);
|
||||
|
||||
if (UpdateContext.DEBUG) {
|
||||
Log.d("RNUpdate", "Unzipping " + fn);
|
||||
}
|
||||
|
||||
if (ze.isDirectory()) {
|
||||
fmd.mkdirs();
|
||||
continue;
|
||||
}
|
||||
|
||||
zipFile.unzipToFile(ze, fmd);
|
||||
zipFile.unzipToPath(ze, param.unzipDirectory);
|
||||
}
|
||||
|
||||
zipFile.close();
|
||||
|
||||
@ -1,5 +1,7 @@
|
||||
package cn.reactnative.modules.update;
|
||||
|
||||
import android.util.Log;
|
||||
|
||||
import java.io.BufferedInputStream;
|
||||
import java.io.BufferedOutputStream;
|
||||
import java.io.File;
|
||||
@ -10,12 +12,15 @@ import java.util.Enumeration;
|
||||
import java.util.zip.ZipEntry;
|
||||
import java.util.zip.ZipFile;
|
||||
|
||||
|
||||
public class SafeZipFile extends ZipFile {
|
||||
|
||||
public SafeZipFile(File file) throws IOException {
|
||||
super(file);
|
||||
}
|
||||
|
||||
private static final int BUFFER_SIZE = 8192;
|
||||
|
||||
@Override
|
||||
public Enumeration<? extends ZipEntry> entries() {
|
||||
return new SafeZipEntryIterator(super.entries());
|
||||
@ -43,40 +48,46 @@ public class SafeZipFile extends ZipFile {
|
||||
* avoid ZipperDown
|
||||
*/
|
||||
if (null != name && (name.contains("../") || name.contains("..\\"))) {
|
||||
throw new SecurityException("illegal entry: " + entry.getName());
|
||||
throw new SecurityException("illegal entry: " + name);
|
||||
}
|
||||
}
|
||||
return entry;
|
||||
}
|
||||
}
|
||||
|
||||
public void unzipToFile(ZipEntry entry, File output) throws IOException {
|
||||
InputStream inputStream = null;
|
||||
try {
|
||||
inputStream = getInputStream(entry);
|
||||
writeOutInputStream(output, inputStream);
|
||||
} finally {
|
||||
if (inputStream != null) {
|
||||
inputStream.close();
|
||||
public void unzipToPath(ZipEntry ze, File targetPath) throws IOException {
|
||||
String name = ze.getName();
|
||||
File target = new File(targetPath, name);
|
||||
|
||||
// Fixing a Zip Path Traversal Vulnerability
|
||||
// https://support.google.com/faqs/answer/9294009
|
||||
String canonicalPath = target.getCanonicalPath();
|
||||
if (!canonicalPath.startsWith(targetPath.getCanonicalPath() + File.separator)) {
|
||||
throw new SecurityException("Illegal name: " + name);
|
||||
}
|
||||
|
||||
if (UpdateContext.DEBUG) {
|
||||
Log.d("RNUpdate", "Unzipping " + name);
|
||||
}
|
||||
|
||||
if (ze.isDirectory()) {
|
||||
target.mkdirs();
|
||||
return;
|
||||
}
|
||||
unzipToFile(ze, target);
|
||||
}
|
||||
|
||||
public void unzipToFile(ZipEntry ze, File target) throws IOException {
|
||||
try (InputStream inputStream = getInputStream(ze)) {
|
||||
try (BufferedOutputStream output = new BufferedOutputStream(new FileOutputStream(target));
|
||||
BufferedInputStream input = new BufferedInputStream(inputStream)) {
|
||||
byte[] buffer = new byte[BUFFER_SIZE];
|
||||
int n;
|
||||
while ((n = input.read(buffer, 0, BUFFER_SIZE)) >= 0) {
|
||||
output.write(buffer, 0, n);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private void writeOutInputStream(File file, InputStream inputStream) throws IOException {
|
||||
BufferedOutputStream output = null;
|
||||
try {
|
||||
output = new BufferedOutputStream(
|
||||
new FileOutputStream(file));
|
||||
BufferedInputStream input = new BufferedInputStream(inputStream);
|
||||
byte b[] = new byte[8192];
|
||||
int n;
|
||||
while ((n = input.read(b, 0, 8192)) >= 0) {
|
||||
output.write(b, 0, n);
|
||||
}
|
||||
} finally {
|
||||
if (output != null) {
|
||||
output.close();
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
Loading…
Reference in New Issue
Block a user