mirror/react-native-update
1
0
Fork 0
mirror of https://gitcode.com/gh_mirrors/re/react-native-pushy.git synced 2025-09-16 10:31:39 +08:00
Code Issues Packages Projects Releases Wiki Activity GitHub Gitee

fix: zipslip

Browse Source
This commit is contained in:
sunnylqm
2023-12-12 22:59:32 +08:00
parent b747b1f356
commit 8622935bdf
2 changed files with 49 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
android/src/main/java/cn/reactnative/modules/update/DownloadTask.java
View File

@@ -237,19 +237,7 @@ class DownloadTask extends AsyncTask<DownloadTaskParams, long[], Void> {
while (entries.hasMoreElements()) { while (entries.hasMoreElements()) {
ZipEntry ze = entries.nextElement(); ZipEntry ze = entries.nextElement();
String fn = ze.getName(); zipFile.unzipToPath(ze, param.unzipDirectory);
File fmd = new File(param.unzipDirectory, fn);
if (UpdateContext.DEBUG) {
Log.d("RNUpdate", "Unzipping " + fn);
}
if (ze.isDirectory()) {
fmd.mkdirs();
continue;
}
zipFile.unzipToFile(ze, fmd);
} }
zipFile.close(); zipFile.close();
@@ -324,8 +312,15 @@ class DownloadTask extends AsyncTask<DownloadTaskParams, long[], Void> {
} else { } else {
target = copyList.get((from)); target = copyList.get((from));
} }
target.add(new File(param.unzipDirectory, to)); File toFile = new File(param.unzipDirectory, to);
//copyFromResource(from, new File(param.unzipDirectory, to));
// Fixing a Zip Path Traversal Vulnerability
// https://support.google.com/faqs/answer/9294009
String canonicalPath = toFile.getCanonicalPath();
if (!canonicalPath.startsWith(param.unzipDirectory.getCanonicalPath() + File.separator)) {
throw new SecurityException("Illegal name: " + to);
}
target.add(toFile);
} }
continue; continue;
} }
@@ -339,18 +334,9 @@ class DownloadTask extends AsyncTask<DownloadTaskParams, long[], Void> {
fout.close(); fout.close();
continue; continue;
} }
File fmd = new File(param.unzipDirectory, fn);
if (UpdateContext.DEBUG) {
Log.d("RNUpdate", "Unzipping " + fn);
}
if (ze.isDirectory()) { zipFile.unzipToPath(ze, param.unzipDirectory);
fmd.mkdirs();
continue;
}
zipFile.unzipToFile(ze, fmd);
} }
zipFile.close(); zipFile.close();
@@ -419,18 +405,8 @@ class DownloadTask extends AsyncTask<DownloadTaskParams, long[], Void> {
fout.close(); fout.close();
continue; continue;
} }
File fmd = new File(param.unzipDirectory, fn);
if (UpdateContext.DEBUG) { zipFile.unzipToPath(ze, param.unzipDirectory);
Log.d("RNUpdate", "Unzipping " + fn);
}
if (ze.isDirectory()) {
fmd.mkdirs();
continue;
}
zipFile.unzipToFile(ze, fmd);
} }
zipFile.close(); zipFile.close();

63
android/src/main/java/cn/reactnative/modules/update/SafeZipFile.java
View File

@@ -1,5 +1,7 @@
package cn.reactnative.modules.update; package cn.reactnative.modules.update;
import android.util.Log;
import java.io.BufferedInputStream; import java.io.BufferedInputStream;
import java.io.BufferedOutputStream; import java.io.BufferedOutputStream;
import java.io.File; import java.io.File;
@@ -10,12 +12,15 @@ import java.util.Enumeration;
import java.util.zip.ZipEntry; import java.util.zip.ZipEntry;
import java.util.zip.ZipFile; import java.util.zip.ZipFile;
public class SafeZipFile extends ZipFile { public class SafeZipFile extends ZipFile {
public SafeZipFile(File file) throws IOException { public SafeZipFile(File file) throws IOException {
super(file); super(file);
} }
private static final int BUFFER_SIZE = 8192;
@Override @Override
public Enumeration<? extends ZipEntry> entries() { public Enumeration<? extends ZipEntry> entries() {
return new SafeZipEntryIterator(super.entries()); return new SafeZipEntryIterator(super.entries());
@@ -43,40 +48,46 @@ public class SafeZipFile extends ZipFile {
* avoid ZipperDown * avoid ZipperDown
*/ */
if (null != name && (name.contains("../") || name.contains("..\\"))) { if (null != name && (name.contains("../") || name.contains("..\\"))) {
throw new SecurityException("illegal entry: " + entry.getName()); throw new SecurityException("illegal entry: " + name);
} }
} }
return entry; return entry;
} }
} }
public void unzipToFile(ZipEntry entry, File output) throws IOException { public void unzipToPath(ZipEntry ze, File targetPath) throws IOException {
InputStream inputStream = null; String name = ze.getName();
try { File target = new File(targetPath, name);
inputStream = getInputStream(entry);
writeOutInputStream(output, inputStream); // Fixing a Zip Path Traversal Vulnerability
} finally { // https://support.google.com/faqs/answer/9294009
if (inputStream != null) { String canonicalPath = target.getCanonicalPath();
inputStream.close(); if (!canonicalPath.startsWith(targetPath.getCanonicalPath() + File.separator)) {
throw new SecurityException("Illegal name: " + name);
}
if (UpdateContext.DEBUG) {
Log.d("RNUpdate", "Unzipping " + name);
}
if (ze.isDirectory()) {
target.mkdirs();
return;
}
unzipToFile(ze, target);
}
public void unzipToFile(ZipEntry ze, File target) throws IOException {
try (InputStream inputStream = getInputStream(ze)) {
try (BufferedOutputStream output = new BufferedOutputStream(new FileOutputStream(target));
BufferedInputStream input = new BufferedInputStream(inputStream)) {
byte[] buffer = new byte[BUFFER_SIZE];
int n;
while ((n = input.read(buffer, 0, BUFFER_SIZE)) >= 0) {
output.write(buffer, 0, n);
}
} }
} }
} }
private void writeOutInputStream(File file, InputStream inputStream) throws IOException {
BufferedOutputStream output = null;
try {
output = new BufferedOutputStream(
new FileOutputStream(file));
BufferedInputStream input = new BufferedInputStream(inputStream);
byte b[] = new byte[8192];
int n;
while ((n = input.read(b, 0, 8192)) >= 0) {
output.write(b, 0, n);
}
} finally {
if (output != null) {
output.close();
}
}
}
} }