Merge pull request #2072 from iBotPeaches/issue-2058

Prevent directory traversal on asset decoding

brut.apktool/apktool-lib/src/test/java/brut/androlib/util/UnknownDirectoryTraversalTest.java

@@ -71,6 +71,18 @@ public class UnknownDirectoryTraversalTest extends BaseTest {
         BrutIO.sanitizeUnknownFile(sTmpDir, "");
     }
 
+    @Test(expected = TraversalUnknownFileException.class)
+    public void invalidBackwardPathOnWindows() throws IOException, BrutException {
+        String invalidPath;
+        if (! OSDetection.isWindows()) {
+            invalidPath = "../../app";
+        } else {
+            invalidPath = "..\\..\\app.exe";
+        }
+
+        BrutIO.sanitizeUnknownFile(sTmpDir, invalidPath);
+    }
+
     @Test
     public void validDirectoryFileTest() throws IOException, BrutException {
         String validFilename = BrutIO.sanitizeUnknownFile(sTmpDir, "dir" + File.separator + "file");

brut.j.dir/src/main/java/brut/directory/DirUtil.java

@@ -81,7 +81,8 @@ public class DirUtil {
                 if (fileName.equals("res") && !in.containsFile(fileName)) {
                     return;
                 }
-                File outFile = new File(out, fileName);
+                String cleanedFilename = BrutIO.sanitizeUnknownFile(out, fileName);
+                File outFile = new File(out, cleanedFilename);
                 outFile.getParentFile().mkdirs();
                 BrutIO.copyAndClose(in.getFileInput(fileName),
                     new FileOutputStream(outFile));