mirror of
https://github.com/revanced/Apktool.git
synced 2024-12-12 05:47:46 +01:00
Merge pull request #1551 from iBotPeaches/directory-trav
Prevent malicious directory/file with unknown files
This commit is contained in:
commit
20a7837ec5
@ -617,7 +617,7 @@ public class Androlib {
|
|||||||
) {
|
) {
|
||||||
copyExistingFiles(inputFile, actualOutput);
|
copyExistingFiles(inputFile, actualOutput);
|
||||||
copyUnknownFiles(appDir, actualOutput, files);
|
copyUnknownFiles(appDir, actualOutput, files);
|
||||||
} catch (IOException ex) {
|
} catch (IOException | BrutException ex) {
|
||||||
throw new AndrolibException(ex);
|
throw new AndrolibException(ex);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -646,12 +646,12 @@ public class Androlib {
|
|||||||
}
|
}
|
||||||
|
|
||||||
private void copyUnknownFiles(File appDir, ZipOutputStream outputFile, Map<String, String> files)
|
private void copyUnknownFiles(File appDir, ZipOutputStream outputFile, Map<String, String> files)
|
||||||
throws IOException {
|
throws BrutException, IOException {
|
||||||
File unknownFileDir = new File(appDir, UNK_DIRNAME);
|
File unknownFileDir = new File(appDir, UNK_DIRNAME);
|
||||||
|
|
||||||
// loop through unknown files
|
// loop through unknown files
|
||||||
for (Map.Entry<String,String> unknownFileInfo : files.entrySet()) {
|
for (Map.Entry<String,String> unknownFileInfo : files.entrySet()) {
|
||||||
File inputFile = new File(unknownFileDir, unknownFileInfo.getKey());
|
File inputFile = new File(unknownFileDir, BrutIO.sanitizeUnknownFile(unknownFileDir, unknownFileInfo.getKey()));
|
||||||
if (inputFile.isDirectory()) {
|
if (inputFile.isDirectory()) {
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
@ -0,0 +1,77 @@
|
|||||||
|
/**
|
||||||
|
* Copyright (C) 2017 Ryszard Wiśniewski <brut.alll@gmail.com>
|
||||||
|
* Copyright (C) 2017 Connor Tumbleson <connor.tumbleson@gmail.com>
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package brut.androlib;
|
||||||
|
|
||||||
|
import brut.common.BrutException;
|
||||||
|
import brut.common.InvalidUnknownFileException;
|
||||||
|
import brut.common.RootUnknownFileException;
|
||||||
|
import brut.common.TraversalUnknownFileException;
|
||||||
|
import brut.directory.ExtFile;
|
||||||
|
import brut.util.BrutIO;
|
||||||
|
import brut.util.OS;
|
||||||
|
import org.junit.BeforeClass;
|
||||||
|
import org.junit.Test;
|
||||||
|
|
||||||
|
import java.io.File;
|
||||||
|
import java.io.IOException;
|
||||||
|
|
||||||
|
import static org.junit.Assert.assertEquals;
|
||||||
|
import static org.junit.Assert.assertTrue;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author Connor Tumbleson <connor.tumbleson@gmail.com>
|
||||||
|
*/
|
||||||
|
public class UnknownDirectoryTraversalTest {
|
||||||
|
|
||||||
|
@BeforeClass
|
||||||
|
public static void beforeClass() throws Exception {
|
||||||
|
sTmpDir = new ExtFile(OS.createTempDirectory());
|
||||||
|
TestUtils.copyResourceDir(UnknownDirectoryTraversalTest.class, "brut/apktool/traversal", sTmpDir);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void validFileTest() throws IOException, BrutException {
|
||||||
|
String validFilename = BrutIO.sanitizeUnknownFile(sTmpDir, "file");
|
||||||
|
assertEquals(validFilename, "file");
|
||||||
|
|
||||||
|
File validFile = new File(sTmpDir, validFilename);
|
||||||
|
assertTrue(validFile.isFile());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test(expected = TraversalUnknownFileException.class)
|
||||||
|
public void invalidBackwardFileTest() throws IOException, BrutException {
|
||||||
|
BrutIO.sanitizeUnknownFile(sTmpDir, "../file");
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test(expected = RootUnknownFileException.class)
|
||||||
|
public void invalidRootFileTest() throws IOException, BrutException {
|
||||||
|
BrutIO.sanitizeUnknownFile(sTmpDir, "/file");
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test(expected = InvalidUnknownFileException.class)
|
||||||
|
public void noFilePassedTest() throws IOException, BrutException {
|
||||||
|
BrutIO.sanitizeUnknownFile(sTmpDir, "");
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void validDirectoryFileTest() throws IOException, BrutException {
|
||||||
|
String validFilename = BrutIO.sanitizeUnknownFile(sTmpDir, "dir" + File.separator + "file");
|
||||||
|
assertEquals("dir" + File.separator + "file", validFilename);
|
||||||
|
}
|
||||||
|
|
||||||
|
public static File sTmpDir;
|
||||||
|
}
|
@ -0,0 +1 @@
|
|||||||
|
file
|
@ -0,0 +1,23 @@
|
|||||||
|
/**
|
||||||
|
* Copyright (C) 2017 Ryszard Wiśniewski <brut.alll@gmail.com>
|
||||||
|
* Copyright (C) 2017 Connor Tumbleson <connor.tumbleson@gmail.com>
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package brut.common;
|
||||||
|
|
||||||
|
public class InvalidUnknownFileException extends BrutException {
|
||||||
|
public InvalidUnknownFileException(String message) {
|
||||||
|
super(message);
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,23 @@
|
|||||||
|
/**
|
||||||
|
* Copyright (C) 2017 Ryszard Wiśniewski <brut.alll@gmail.com>
|
||||||
|
* Copyright (C) 2017 Connor Tumbleson <connor.tumbleson@gmail.com>
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package brut.common;
|
||||||
|
|
||||||
|
public class RootUnknownFileException extends BrutException {
|
||||||
|
public RootUnknownFileException(String message) {
|
||||||
|
super(message);
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,23 @@
|
|||||||
|
/**
|
||||||
|
* Copyright (C) 2017 Ryszard Wiśniewski <brut.alll@gmail.com>
|
||||||
|
* Copyright (C) 2017 Connor Tumbleson <connor.tumbleson@gmail.com>
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package brut.common;
|
||||||
|
|
||||||
|
public class TraversalUnknownFileException extends BrutException {
|
||||||
|
public TraversalUnknownFileException(String message) {
|
||||||
|
super(message);
|
||||||
|
}
|
||||||
|
}
|
@ -22,6 +22,10 @@ import java.util.zip.ZipEntry;
|
|||||||
import java.util.zip.ZipFile;
|
import java.util.zip.ZipFile;
|
||||||
import java.util.zip.ZipOutputStream;
|
import java.util.zip.ZipOutputStream;
|
||||||
|
|
||||||
|
import brut.common.BrutException;
|
||||||
|
import brut.common.InvalidUnknownFileException;
|
||||||
|
import brut.common.RootUnknownFileException;
|
||||||
|
import brut.common.TraversalUnknownFileException;
|
||||||
import org.apache.commons.io.IOUtils;
|
import org.apache.commons.io.IOUtils;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -73,6 +77,26 @@ public class BrutIO {
|
|||||||
return crc;
|
return crc;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static String sanitizeUnknownFile(final File directory, final String entry) throws IOException, BrutException {
|
||||||
|
if (entry.length() == 0) {
|
||||||
|
throw new InvalidUnknownFileException("Invalid Unknown File - " + entry);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (new File(entry).isAbsolute()) {
|
||||||
|
throw new RootUnknownFileException("Absolute Unknown Files is not allowed - " + entry);
|
||||||
|
}
|
||||||
|
|
||||||
|
final String canonicalDirPath = directory.getCanonicalPath() + File.separator;
|
||||||
|
final String canonicalEntryPath = new File(directory, entry).getCanonicalPath();
|
||||||
|
|
||||||
|
if (!canonicalEntryPath.startsWith(canonicalDirPath)) {
|
||||||
|
throw new TraversalUnknownFileException("Directory Traversal is not allowed - " + entry);
|
||||||
|
}
|
||||||
|
|
||||||
|
// https://stackoverflow.com/q/2375903/455008
|
||||||
|
return canonicalEntryPath.substring(canonicalDirPath.length());
|
||||||
|
}
|
||||||
|
|
||||||
public static void copy(File inputFile, ZipOutputStream outputFile) throws IOException {
|
public static void copy(File inputFile, ZipOutputStream outputFile) throws IOException {
|
||||||
try (
|
try (
|
||||||
FileInputStream fis = new FileInputStream(inputFile)
|
FileInputStream fis = new FileInputStream(inputFile)
|
||||||
|
Loading…
Reference in New Issue
Block a user