fix: skip files that violate safe filepath

2024-12-11 13:27:47 +01:00 · 2020-12-10 07:58:15 -05:00 · 2020-12-10 07:58:15 -05:00 · 98aa7acb22
commit 98aa7acb22
parent 49a167540f
2 changed files with 23 additions and 9 deletions
--- a/brut.apktool/apktool-lib/src/main/java/brut/androlib/Androlib.java
+++ b/brut.apktool/apktool-lib/src/main/java/brut/androlib/Androlib.java
@ -22,6 +22,9 @@ import brut.androlib.res.AndrolibResources;
 import brut.androlib.res.data.ResPackage;
 import brut.androlib.res.data.ResTable;
 import brut.androlib.res.data.ResUnknownFiles;
+import brut.common.InvalidUnknownFileException;
+import brut.common.RootUnknownFileException;
+import brut.common.TraversalUnknownFileException;
 import brut.directory.ExtFile;
 import brut.androlib.res.xml.ResXmlPatcher;
 import brut.androlib.src.SmaliBuilder;
@ -663,7 +666,15 @@ public class Androlib {

        // loop through unknown files
        for (Map.Entry<String,String> unknownFileInfo : files.entrySet()) {
-            File inputFile = new File(unknownFileDir, BrutIO.sanitizeUnknownFile(unknownFileDir, unknownFileInfo.getKey()));
+            File inputFile;
+
+            try {
+                inputFile = new File(unknownFileDir, BrutIO.sanitizeUnknownFile(unknownFileDir, unknownFileInfo.getKey()));
+            } catch (RootUnknownFileException | InvalidUnknownFileException | TraversalUnknownFileException exception) {
+                LOGGER.warning(String.format("Skipping file %s (%s)", unknownFileInfo.getKey(), exception.getMessage()));
+                continue;
+            }
+
            if (inputFile.isDirectory()) {
                continue;
            }
--- a/brut.j.dir/src/main/java/brut/directory/DirUtil.java
+++ b/brut.j.dir/src/main/java/brut/directory/DirUtil.java
@ -17,14 +17,20 @@
 package brut.directory;

 import brut.common.BrutException;
+import brut.common.InvalidUnknownFileException;
+import brut.common.RootUnknownFileException;
+import brut.common.TraversalUnknownFileException;
 import brut.util.BrutIO;
 import brut.util.OS;
 import java.io.*;
+import java.util.logging.Logger;

 /**
 * @author Ryszard Wiśniewski <brut.alll@gmail.com>
 */
 public class DirUtil {
+    private static final Logger LOGGER = Logger.getLogger("");
+
    public static void copyToDir(Directory in, Directory out)
            throws DirectoryException {
        for (String fileName : in.getFiles(true)) {
@ -84,15 +90,12 @@ public class DirUtil {
                String cleanedFilename = BrutIO.sanitizeUnknownFile(out, fileName);
                File outFile = new File(out, cleanedFilename);
                outFile.getParentFile().mkdirs();
-                BrutIO.copyAndClose(in.getFileInput(fileName),
-                    new FileOutputStream(outFile));
+                BrutIO.copyAndClose(in.getFileInput(fileName), new FileOutputStream(outFile));
            }
-        } catch (IOException ex) {
-            throw new DirectoryException(
-                "Error copying file: " + fileName, ex);
-        } catch (BrutException ex) {
-            throw new DirectoryException(
-                "Error copying file: " + fileName, ex);
+        } catch (RootUnknownFileException | InvalidUnknownFileException | TraversalUnknownFileException exception) {
+            LOGGER.warning(String.format("Skipping file %s (%s)", fileName, exception.getMessage()));
+        } catch (IOException | BrutException ex) {
+            throw new DirectoryException("Error copying file: " + fileName, ex);
        }
    }
 }