fix: zipslip

android/src/main/java/cn/reactnative/modules/update/DownloadTask.java

@@ -237,19 +237,7 @@ class DownloadTask extends AsyncTask<DownloadTaskParams, long[], Void> {
         while (entries.hasMoreElements()) {
             ZipEntry ze = entries.nextElement();
 
-            String fn = ze.getName();
+            zipFile.unzipToPath(ze, param.unzipDirectory);
-            File fmd = new File(param.unzipDirectory, fn);
-
-            if (UpdateContext.DEBUG) {
-                Log.d("RNUpdate", "Unzipping " + fn);
-            }
-
-            if (ze.isDirectory()) {
-                fmd.mkdirs();
-                continue;
-            }
-
-            zipFile.unzipToFile(ze, fmd);
         }
 
         zipFile.close();
@@ -324,8 +312,15 @@ class DownloadTask extends AsyncTask<DownloadTaskParams, long[], Void> {
                     } else {
                         target = copyList.get((from));
                     }
-                    target.add(new File(param.unzipDirectory, to));
+                    File toFile = new File(param.unzipDirectory, to);
-                    //copyFromResource(from, new File(param.unzipDirectory, to));
+
+                    // Fixing a Zip Path Traversal Vulnerability
+                    // https://support.google.com/faqs/answer/9294009
+                    String canonicalPath = toFile.getCanonicalPath();
+                    if (!canonicalPath.startsWith(param.unzipDirectory.getCanonicalPath() + File.separator)) {
+                        throw new SecurityException("Illegal name: " + to);
+                    }
+                    target.add(toFile);
                 }
                 continue;
             }
@@ -339,18 +334,9 @@ class DownloadTask extends AsyncTask<DownloadTaskParams, long[], Void> {
                 fout.close();
                 continue;
             }
-            File fmd = new File(param.unzipDirectory, fn);
 
-            if (UpdateContext.DEBUG) {
-                Log.d("RNUpdate", "Unzipping " + fn);
-            }
 
-            if (ze.isDirectory()) {
+            zipFile.unzipToPath(ze, param.unzipDirectory);
-                fmd.mkdirs();
-                continue;
-            }
-
-            zipFile.unzipToFile(ze, fmd);
         }
 
         zipFile.close();
@@ -419,18 +405,8 @@ class DownloadTask extends AsyncTask<DownloadTaskParams, long[], Void> {
                 fout.close();
                 continue;
             }
-            File fmd = new File(param.unzipDirectory, fn);
 
-            if (UpdateContext.DEBUG) {
+            zipFile.unzipToPath(ze, param.unzipDirectory);
-                Log.d("RNUpdate", "Unzipping " + fn);
-            }
-
-            if (ze.isDirectory()) {
-                fmd.mkdirs();
-                continue;
-            }
-
-            zipFile.unzipToFile(ze, fmd);
         }
 
         zipFile.close();

android/src/main/java/cn/reactnative/modules/update/SafeZipFile.java

@@ -1,5 +1,7 @@
 package cn.reactnative.modules.update;
 
+import android.util.Log;
+
 import java.io.BufferedInputStream;
 import java.io.BufferedOutputStream;
 import java.io.File;
@@ -10,12 +12,15 @@ import java.util.Enumeration;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipFile;
 
+
 public class SafeZipFile extends ZipFile {
 
     public SafeZipFile(File file) throws IOException {
         super(file);
     }
 
+    private static final int BUFFER_SIZE = 8192;
+
     @Override
     public Enumeration<? extends ZipEntry> entries() {
         return new SafeZipEntryIterator(super.entries());
@@ -43,40 +48,46 @@ public class SafeZipFile extends ZipFile {
                  * avoid ZipperDown
                  */
                 if (null != name && (name.contains("../") || name.contains("..\\"))) {
-                    throw new SecurityException("illegal entry: " + entry.getName());
+                    throw new SecurityException("illegal entry: " + name);
                 }
             }
             return entry;
         }
     }
 
-    public void unzipToFile(ZipEntry entry, File output) throws IOException {
+    public void unzipToPath(ZipEntry ze, File targetPath) throws IOException {
-        InputStream inputStream = null;
+        String name = ze.getName();
-        try {
+        File target = new File(targetPath, name);
-            inputStream = getInputStream(entry);
+
-            writeOutInputStream(output, inputStream);
+        // Fixing a Zip Path Traversal Vulnerability
-        } finally {
+        // https://support.google.com/faqs/answer/9294009
-            if (inputStream != null) {
+        String canonicalPath = target.getCanonicalPath();
-                inputStream.close();
+        if (!canonicalPath.startsWith(targetPath.getCanonicalPath() + File.separator)) {
+            throw new SecurityException("Illegal name: " + name);
+        }
+
+        if (UpdateContext.DEBUG) {
+            Log.d("RNUpdate", "Unzipping " + name);
+        }
+
+        if (ze.isDirectory()) {
+            target.mkdirs();
+            return;
+        }
+        unzipToFile(ze, target);
+    }
+
+    public void unzipToFile(ZipEntry ze, File target) throws IOException {
+        try (InputStream inputStream = getInputStream(ze)) {
+            try (BufferedOutputStream output = new BufferedOutputStream(new FileOutputStream(target));
+                 BufferedInputStream input = new BufferedInputStream(inputStream)) {
+                byte[] buffer = new byte[BUFFER_SIZE];
+                int n;
+                while ((n = input.read(buffer, 0, BUFFER_SIZE)) >= 0) {
+                    output.write(buffer, 0, n);
+                }
             }
         }
     }
 
-    private void writeOutInputStream(File file, InputStream inputStream) throws IOException {
-        BufferedOutputStream output = null;
-        try {
-            output = new BufferedOutputStream(
-                    new FileOutputStream(file));
-            BufferedInputStream input = new BufferedInputStream(inputStream);
-            byte b[] = new byte[8192];
-            int n;
-            while ((n = input.read(b, 0, 8192)) >= 0) {
-                output.write(b, 0, n);
-            }
-        } finally {
-            if (output != null) {
-                output.close();
-            }
-        }
-    }
 }

lib/index.web.js

@@ -14,5 +14,5 @@ export const markSuccess = noop;
 export const downloadAndInstallApk = noop;
 export const setCustomEndpoints = noop;
 export const getCurrentVersionInfo = noop;
-export const simpleUpdate = noop;
+export const simpleUpdate = (app) => app;
-export const onEvents = noop;
+export const onPushyEvents = noop;

lib/main.ts

@@ -78,7 +78,7 @@ if (!uuid) {
 const noop = () => {};
 let reporter: UpdateEventsListener = noop;
 
-export function onEvents(customReporter: UpdateEventsListener) {
+export function onPushyEvents(customReporter: UpdateEventsListener) {
   reporter = customReporter;
   if (isRolledBack) {
     report({
@@ -322,10 +322,12 @@ function assertHash(hash: string) {
   return true;
 }
 
+let applyingUpdate = false;
 export function switchVersion(hash: string) {
   assertRelease();
-  if (assertHash(hash)) {
+  if (assertHash(hash) && !applyingUpdate) {
     logger('switchVersion: ' + hash);
+    applyingUpdate = true;
     PushyModule.reloadUpdate({ hash });
   }
 }

lib/simpleUpdate.tsx

@@ -16,20 +16,20 @@ import {
   switchVersionLater,
   markSuccess,
   downloadAndInstallApk,
-  onEvents,
+  onPushyEvents,
 } from './main';
 import { UpdateEventsListener } from './type';
 
 export function simpleUpdate(
   WrappedComponent: ComponentType,
-  options: { appKey?: string; onEvents?: UpdateEventsListener } = {},
+  options: { appKey?: string; onPushyEvents?: UpdateEventsListener } = {},
 ) {
-  const { appKey, onEvents: eventListeners } = options;
+  const { appKey, onPushyEvents: eventListeners } = options;
   if (!appKey) {
     throw new Error('appKey is required for simpleUpdate()');
   }
   if (typeof eventListeners === 'function') {
-    onEvents(eventListeners);
+    onPushyEvents(eventListeners);
   }
   return __DEV__
     ? WrappedComponent

package.json

@@ -1,6 +1,6 @@
 {
   "name": "react-native-update",
-  "version": "9.1.0",
+  "version": "9.1.4",
   "description": "react-native hot update",
   "main": "lib/index.ts",
   "scripts": {
@@ -57,11 +57,14 @@
   "devDependencies": {
     "@types/fs-extra": "^9.0.13",
     "@types/jest": "^29.2.1",
+    "@types/node": "^20.8.9",
+    "@types/react": "^18.2.33",
     "detox": "^20.5.0",
     "firebase-tools": "^11.24.1",
     "fs-extra": "^9.1.0",
     "jest": "^29.2.1",
     "pod-install": "^0.1.37",
+    "react-native": "^0.72.6",
     "ts-jest": "^29.0.3",
     "typescript": "^5.2.2"
   }