From 98aa7acb2201fdf7bf7372e5cba896594b9b9f17 Mon Sep 17 00:00:00 2001
From: Connor Tumbleson
Date: Thu, 10 Dec 2020 07:58:15 -0500
Subject: [PATCH] fix: skip files that violate safe filepath
---
 .../src/main/java/brut/androlib/Androlib.java | 13 ++++++++++++-
 .../src/main/java/brut/directory/DirUtil.java | 19 +++++++++++--------
 2 files changed, 23 insertions(+), 9 deletions(-)
diff --git a/brut.apktool/apktool-lib/src/main/java/brut/androlib/Androlib.java b/brut.apktool/apktool-lib/src/main/java/brut/androlib/Androlib.java
index 518ca571..e9067504 100644
--- a/brut.apktool/apktool-lib/src/main/java/brut/androlib/Androlib.java
+++ b/brut.apktool/apktool-lib/src/main/java/brut/androlib/Androlib.java
@@ -22,6 +22,9 @@ import brut.androlib.res.AndrolibResources;
 import brut.androlib.res.data.ResPackage;
 import brut.androlib.res.data.ResTable;
 import brut.androlib.res.data.ResUnknownFiles;
+import brut.common.InvalidUnknownFileException;
+import brut.common.RootUnknownFileException;
+import brut.common.TraversalUnknownFileException;
 import brut.directory.ExtFile;
 import brut.androlib.res.xml.ResXmlPatcher;
 import brut.androlib.src.SmaliBuilder;
@@ -663,7 +666,15 @@ public class Androlib {
 // loop through unknown files
 for (Map.Entry unknownFileInfo : files.entrySet()) {
- File inputFile = new File(unknownFileDir, BrutIO.sanitizeUnknownFile(unknownFileDir, unknownFileInfo.getKey()));
+ File inputFile;
+
+ try {
+ inputFile = new File(unknownFileDir, BrutIO.sanitizeUnknownFile(unknownFileDir, unknownFileInfo.getKey()));
+ } catch (RootUnknownFileException | InvalidUnknownFileException | TraversalUnknownFileException exception) {
+ LOGGER.warning(String.format("Skipping file %s (%s)", unknownFileInfo.getKey(), exception.getMessage()));
+ continue;
+ }
+
 if (inputFile.isDirectory()) {
 continue;
 }
diff --git a/brut.j.dir/src/main/java/brut/directory/DirUtil.java b/brut.j.dir/src/main/java/brut/directory/DirUtil.java
index 14c79638..b8adb2ec 100644
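Review bot: The new `LOGGER.warning` in the catch block formats `unknownFileInfo.getKey()` into the message unchanged, and a name that has just failed the root/invalid/traversal check is the one most likely to carry CR/LF or other control characters, which would let a crafted entry split or forge log lines. Neutralise control characters before formatting, for example `String shown = unknownFileInfo.getKey().replaceAll("\\p{Cntrl}", "?");`, and pass `shown` to `String.format`. The same message is built from `fileName` in the `DirUtil.copyToDir` catch block later in this patch and needs the same treatment. The enclosing loop body continues past the end of this hunk.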
--- a/brut.j.dir/src/main/java/brut/directory/DirUtil.java
+++ b/brut.j.dir/src/main/java/brut/directory/DirUtil.java
@@ -17,14 +17,20 @@ package brut.directory;
 import brut.common.BrutException;
+import brut.common.InvalidUnknownFileException;
+import brut.common.RootUnknownFileException;
+import brut.common.TraversalUnknownFileException;
 import brut.util.BrutIO;
 import brut.util.OS;
 import java.io.*;
+import java.util.logging.Logger;
 /**
 * @author Ryszard Wiśniewski
 */
 public class DirUtil {
+ private static final Logger LOGGER = Logger.getLogger("");
+
 public static void copyToDir(Directory in, Directory out) throws DirectoryException {
 for (String fileName : in.getFiles(true)) {
@@ -84,15 +90,12 @@ public class DirUtil {
 String cleanedFilename = BrutIO.sanitizeUnknownFile(out, fileName);
 File outFile = new File(out, cleanedFilename);
 outFile.getParentFile().mkdirs();
- BrutIO.copyAndClose(in.getFileInput(fileName),
- new FileOutputStream(outFile));
+ BrutIO.copyAndClose(in.getFileInput(fileName), new FileOutputStream(outFile));
 }
- } catch (IOException ex) {
- throw new DirectoryException(
- "Error copying file: " + fileName, ex);
- } catch (BrutException ex) {
- throw new DirectoryException(
- "Error copying file: " + fileName, ex);
+ } catch (RootUnknownFileException | InvalidUnknownFileException | TraversalUnknownFileException exception) {
+ LOGGER.warning(String.format("Skipping file %s (%s)", fileName, exception.getMessage()));
+ } catch (IOException | BrutException ex) {
+ throw new DirectoryException("Error copying file: " + fileName, ex);
 }
 }
 }
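Review bot: `Logger.getLogger("")` on the added `LOGGER` field returns the root logger, so the skipped-file warnings emitted from this class carry no logger name that a handler or filter could select on. In the visible code these warnings are the only trace that an entry was rejected by the safe-path check, so a class-scoped logger would make them easier to route and alert on: `private static final Logger LOGGER = Logger.getLogger(DirUtil.class.getName());`. If the root logger is a deliberate project convention, a one-line comment on the field saying so would help.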
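Review bot: On the rewritten `BrutIO.copyAndClose(in.getFileInput(fileName), new FileOutputStream(outFile));` line the input is obtained before the `FileOutputStream` is constructed, so if that constructor throws, `copyAndClose` never runs and the input is presumably left open. The `mkdirs()` result on the line above is ignored, so a missing parent directory is one way to reach that path. Opening the source in a try-with-resources closes it there as well: `try (InputStream src = in.getFileInput(fileName)) { BrutIO.copyAndClose(src, new FileOutputStream(outFile)); }`. The enclosing method begins above this hunk, so the start of the `try` body is not visible here.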