v7.4.0-beta.0

Try fix safezip for google play
v7.3.8
2025-09-18 19:10:38 +08:00 · 2022-01-19 21:30:56 +08:00 · 2022-01-19 21:29:35 +08:00 · 2021-11-22 18:12:02 +08:00
4 changed files with 13 additions and 41 deletions
--- a/android/src/main/java/cn/reactnative/modules/update/SafeZipFile.java
+++ b/android/src/main/java/cn/reactnative/modules/update/SafeZipFile.java
@@ -16,40 +16,6 @@ public class SafeZipFile extends ZipFile {
        super(file);
    }
    @Override
    public Enumeration<? extends ZipEntry> entries() {
        return new SafeZipEntryIterator(super.entries());
    }
    private static class SafeZipEntryIterator implements Enumeration<ZipEntry> {
        final private Enumeration<? extends ZipEntry> delegate;
        private SafeZipEntryIterator(Enumeration<? extends ZipEntry> delegate) {
            this.delegate = delegate;
        }
        @Override
        public boolean hasMoreElements() {
            return delegate.hasMoreElements();
        }
        @Override
        public ZipEntry nextElement() {
            ZipEntry entry = delegate.nextElement();
            if (null != entry) {
                String name = entry.getName();
                /**
                 * avoid ZipperDown
                 */
                if (null != name && (name.contains("../") || name.contains("..\\"))) {
                    throw new SecurityException("illegal entry: " + entry.getName());
                }
            }
            return entry;
        }
    }
    public void unzipToFile(ZipEntry entry, File output) throws IOException {
        InputStream inputStream = null;
        try {
@@ -63,6 +29,11 @@ public class SafeZipFile extends ZipFile {
    }
    private void writeOutInputStream(File file, InputStream inputStream) throws IOException {
        // https://support.google.com/faqs/answer/9294009
        String canonicalPath = file.getCanonicalPath();
        if (!canonicalPath.startsWith(UpdateContext.getRootDir())) {
            throw new SecurityException("illegal entry: " + file.getName());
        }
        BufferedOutputStream output = null;
        try {
            output = new BufferedOutputStream(
--- a/android/src/main/java/cn/reactnative/modules/update/UpdateContext.java
+++ b/android/src/main/java/cn/reactnative/modules/update/UpdateContext.java
@@ -19,13 +19,14 @@ import java.io.File;
 public class UpdateContext {
    private Context context;
-    private File rootDir;
+    private static File rootDir;
    private Executor executor;
    public static boolean DEBUG = false;
    private static ReactInstanceManager mReactInstanceManager;
    private static boolean isUsingBundleUrl = false;
    public UpdateContext(Context context) {
        this.context = context;
        this.executor = Executors.newSingleThreadExecutor();
@@ -49,7 +50,7 @@ public class UpdateContext {
        }
    }
-    public String getRootDir() {
+    public static String getRootDir() {
        return rootDir.toString();
    }
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "react-native-update",
-  "version": "7.3.8",
+  "version": "7.4.0-beta.0",
  "description": "react-native hot update",
  "main": "lib/index.js",
  "scripts": {
--- a/yarn.lock
+++ b/yarn.lock
@@ -2,7 +2,7 @@
 # yarn lockfile v1
-nanoid@^3.1.28:
+nanoid@^3.1.30:
-  version "3.1.28"
+  version "3.1.30"
-  resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.1.28.tgz#3c01bac14cb6c5680569014cc65a2f26424c6bd4"
+  resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.1.30.tgz#63f93cc548d2a113dc5dfbc63bfa09e2b9b64362"
-  integrity sha512-gSu9VZ2HtmoKYe/lmyPFES5nknFrHa+/DT9muUFWFMi6Jh9E1I7bkvlQ8xxf1Kos9pi9o8lBnIOkatMhKX/YUw==
+  integrity sha512-zJpuPDwOv8D2zq2WRoMe1HsfZthVewpel9CAvTfc/2mBD1uUT/agc5f7GHGWXlYkFvi1mVxe4IjvP2HNrop7nQ==
Author	SHA1	Message	Date
sunnylqm	d76e8052f5	v7.4.0-beta.0	2022-01-19 21:30:56 +08:00
sunnylqm	3ebf6e95c9	Try fix safezip for google play	2022-01-19 21:29:35 +08:00
sunnylqm	2ae4180840	v7.3.8	2021-11-22 18:12:02 +08:00