diff --git a/brut.apktool/apktool-lib/src/main/java/brut/androlib/Androlib.java b/brut.apktool/apktool-lib/src/main/java/brut/androlib/Androlib.java
index 8572fb26..de053d7f 100644
--- a/brut.apktool/apktool-lib/src/main/java/brut/androlib/Androlib.java
+++ b/brut.apktool/apktool-lib/src/main/java/brut/androlib/Androlib.java
@@ -617,7 +617,7 @@ public class Androlib {
 ) {
 copyExistingFiles(inputFile, actualOutput);
 copyUnknownFiles(appDir, actualOutput, files);
- } catch (IOException ex) {
+ } catch (IOException | BrutException ex) {
 throw new AndrolibException(ex);
 }
@@ -646,12 +646,12 @@ public class Androlib {
 }
 private void copyUnknownFiles(File appDir, ZipOutputStream outputFile, Map files)
- throws IOException {
+ throws BrutException, IOException {
 File unknownFileDir = new File(appDir, UNK_DIRNAME);
 // loop through unknown files
 for (Map.Entry unknownFileInfo : files.entrySet()) {
- File inputFile = new File(unknownFileDir, unknownFileInfo.getKey());
+ File inputFile = new File(unknownFileDir, BrutIO.sanitizeUnknownFile(unknownFileDir, unknownFileInfo.getKey()));
 if (inputFile.isDirectory()) {
 continue;
 }
diff --git a/brut.apktool/apktool-lib/src/test/java/brut/androlib/UnknownDirectoryTraversalTest.java b/brut.apktool/apktool-lib/src/test/java/brut/androlib/UnknownDirectoryTraversalTest.java
new file mode 100644
index 00000000..453b0576
--- /dev/null
+++ b/brut.apktool/apktool-lib/src/test/java/brut/androlib/UnknownDirectoryTraversalTest.java
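Review bot: In the copyUnknownFiles hunk the sanitized name is used only for the File being read, while the raw `unknownFileInfo.getKey()` remains in scope for the rest of the loop body, which continues past the end of the hunk; if that raw key is also used as the name of the ZipEntry written to `outputFile`, the same untrusted string reaches the output archive without going through the check. Storing the sanitized value once and using it for both purposes avoids that, e.g. `String unknownFileName = BrutIO.sanitizeUnknownFile(unknownFileDir, unknownFileInfo.getKey());` followed by `File inputFile = new File(unknownFileDir, unknownFileName);`. Note that sanitizeUnknownFile returns the canonical relative path, so on symlinked or case-insensitive layouts it can differ from the key, which is another reason to carry the returned value rather than the original. Whether the key is reused later cannot be confirmed from the visible lines.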
@@ -0,0 +1,77 @@
+/**
+ * Copyright 2014 Ryszard Wiśniewski
+ * Copyright 2016 Connor Tumbleson
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package brut.androlib;
+
+import brut.common.BrutException;
+import brut.common.InvalidUnknownFileException;
+import brut.common.RootUnknownFileException;
+import brut.common.TraversalUnknownFileException;
+import brut.directory.ExtFile;
+import brut.util.BrutIO;
+import brut.util.OS;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import java.io.File;
+import java.io.IOException;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+/**
+ * @author Connor Tumbleson
+ */
+public class UnknownDirectoryTraversalTest {
+
+ @BeforeClass
+ public static void beforeClass() throws Exception {
+ sTmpDir = new ExtFile(OS.createTempDirectory());
+ TestUtils.copyResourceDir(UnknownDirectoryTraversalTest.class, "brut/apktool/traversal", sTmpDir);
+ }
+
+ @Test
+ public void validFileTest() throws IOException, BrutException {
+ String validFilename = BrutIO.sanitizeUnknownFile(sTmpDir, "file");
+ assertEquals(validFilename, "file");
+
+ File validFile = new File(sTmpDir, validFilename);
+ assertTrue(validFile.isFile());
+ }
+
+ @Test(expected = TraversalUnknownFileException.class)
+ public void invalidBackwardFileTest() throws IOException, BrutException {
+ BrutIO.sanitizeUnknownFile(sTmpDir, "../file");
+ }
+
+ @Test(expected = RootUnknownFileException.class)
+ public 
void invalidRootFileTest() throws IOException, BrutException {
+ BrutIO.sanitizeUnknownFile(sTmpDir, "/file");
+ }
+
+ @Test(expected = InvalidUnknownFileException.class)
+ public void noFilePassedTest() throws IOException, BrutException {
+ BrutIO.sanitizeUnknownFile(sTmpDir, "");
+ }
+
+ @Test
+ public void validDirectoryFileTest() throws IOException, BrutException {
+ String validFilename = BrutIO.sanitizeUnknownFile(sTmpDir, "dir" + File.separator + "file");
+ assertEquals("dir" + File.separator + "file", validFilename);
+ }
+
+ public static File sTmpDir;
+}
diff --git a/brut.apktool/apktool-lib/src/test/resources/brut/apktool/traversal/file b/brut.apktool/apktool-lib/src/test/resources/brut/apktool/traversal/file
new file mode 100644
index 00000000..1a010b1c
--- /dev/null
+++ b/brut.apktool/apktool-lib/src/test/resources/brut/apktool/traversal/file
@@ -0,0 +1 @@
+file
\ No newline at end of file
diff --git a/brut.j.common/src/main/java/brut/common/InvalidUnknownFileException.java b/brut.j.common/src/main/java/brut/common/InvalidUnknownFileException.java
new file mode 100644
index 00000000..d978dab6
--- /dev/null
+++ b/brut.j.common/src/main/java/brut/common/InvalidUnknownFileException.java
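Review bot: `assertEquals(validFilename, "file")` in validFileTest has expected and actual swapped (JUnit's signature is `assertEquals(expected, actual)`), so a failure would report the two values the wrong way round; validDirectoryFileTest already uses the correct order, so change the earlier one to `assertEquals("file", validFilename);`. The temporary directory created in beforeClass is never removed, so every run leaves a directory behind; an `@AfterClass` method that deletes sTmpDir (for instance via `OS.rmdir(sTmpDir)` if brut.util.OS provides that helper) keeps the test self-cleaning. The mutable `public static File sTmpDir` is declared at the bottom of the class after its uses and is wider than it needs to be; `private static` near the top reads better. The test file is new and fully visible in the hunk.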
@@ -0,0 +1,23 @@
+/**
+ * Copyright 2014 Ryszard Wiśniewski
+ * Copyright 2017 Connor Tumbleson
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package brut.common;
+
+public class InvalidUnknownFileException extends BrutException {
+ public InvalidUnknownFileException(String message) {
+ super(message);
+ }
+}
diff --git a/brut.j.common/src/main/java/brut/common/RootUnknownFileException.java b/brut.j.common/src/main/java/brut/common/RootUnknownFileException.java
new file mode 100644
index 00000000..c425d0a2
--- /dev/null
+++ b/brut.j.common/src/main/java/brut/common/RootUnknownFileException.java
@@ -0,0 +1,23 @@
+/**
+ * Copyright 2014 Ryszard Wiśniewski
+ * Copyright 2017 Connor Tumbleson
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package brut.common;
+
+public class RootUnknownFileException extends BrutException {
+ public RootUnknownFileException(String message) {
+ super(message);
+ }
+}
diff --git a/brut.j.common/src/main/java/brut/common/TraversalUnknownFileException.java b/brut.j.common/src/main/java/brut/common/TraversalUnknownFileException.java
new file mode 100644
index 00000000..23fd34d3
--- /dev/null
+++ b/brut.j.common/src/main/java/brut/common/TraversalUnknownFileException.java
@@ -0,0 +1,23 @@
+/**
+ * Copyright 2014 Ryszard Wiśniewski
+ * Copyright 2017 Connor Tumbleson
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package brut.common;
+
+public class TraversalUnknownFileException extends BrutException {
+ public TraversalUnknownFileException(String message) {
+ super(message);
+ }
+}
diff --git a/brut.j.util/src/main/java/brut/util/BrutIO.java b/brut.j.util/src/main/java/brut/util/BrutIO.java
index 651ec308..da4e8ece 100644
--- a/brut.j.util/src/main/java/brut/util/BrutIO.java
+++ b/brut.j.util/src/main/java/brut/util/BrutIO.java
@@ -22,6 +22,10 @@ import java.util.zip.ZipEntry;
 import java.util.zip.ZipFile;
 import java.util.zip.ZipOutputStream;
+import brut.common.BrutException;
+import brut.common.InvalidUnknownFileException;
+import brut.common.RootUnknownFileException;
+import brut.common.TraversalUnknownFileException;
 import org.apache.commons.io.IOUtils;
 /**
@@ -73,6 +77,26 @@ public class BrutIO {
 return crc;
 }
+ public static String sanitizeUnknownFile(final File directory, final String entry) throws IOException, BrutException {
+ if (entry.length() == 0) {
+ throw new InvalidUnknownFileException("Invalid Unknown File - " + entry);
+ }
+
+ if (new File(entry).isAbsolute()) {
+ throw new RootUnknownFileException("Absolute Unknown Files is not allowed - " + entry);
+ }
+
+ final String canonicalDirPath = directory.getCanonicalPath() + File.separator;
+ final String canonicalEntryPath = new File(directory, entry).getCanonicalPath();
+
+ if (!canonicalEntryPath.startsWith(canonicalDirPath)) {
+ throw new TraversalUnknownFileException("Directory Traversal is not allowed - " + entry);
+ }
+
+ // https://stackoverflow.com/q/2375903/455008
+ return canonicalEntryPath.substring(canonicalDirPath.length());
+ }
+
 public static void copy(File inputFile, ZipOutputStream outputFile) throws IOException {
 try (
 FileInputStream fis = new FileInputStream(inputFile)
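Review bot: `entry.length() == 0` on the first line of sanitizeUnknownFile dereferences `entry` before any null check, so a missing name surfaces as a NullPointerException instead of the InvalidUnknownFileException the method exists to throw; `if (entry == null || entry.isEmpty()) {` covers both cases. The `new File(entry).isAbsolute()` guard is platform-dependent: if I read Java's Windows path rules correctly, a name such as `/file` has no drive prefix there and is not absolute, so it falls through to `new File(directory, entry)`, which re-roots it under `directory` and returns `file` rather than raising RootUnknownFileException as invalidRootFileTest expects; the canonical-path comparison still prevents escape, but the intent is clearer with `if (new File(entry).isAbsolute() || entry.startsWith("/") || entry.startsWith("\\")) {`. Because the method returns the canonical relative path (symlinks resolved, and letter case normalized on case-insensitive filesystems), a short Javadoc stating that the result may differ from `entry` and that callers must use the returned name rather than the original would help, along with the three `@throws` clauses.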