Merge pull request #154 from mockingbot/fix-zip-traversal-vulnerability

Fix zip traversal vulnerability

Author: plrthink

android/src/main/java/com/rnziparchive/RNZipArchiveModule.java

@@ -27,18 +27,15 @@
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipFile;
 import java.util.zip.ZipInputStream;
-import java.util.zip.ZipOutputStream;
 
 import net.lingala.zip4j.exception.ZipException;
 import net.lingala.zip4j.model.FileHeader;
-import net.lingala.zip4j.progress.ProgressMonitor;
 import net.lingala.zip4j.model.ZipParameters;
 import net.lingala.zip4j.util.Zip4jConstants;
 
 public class RNZipArchiveModule extends ReactContextBaseJavaModule {
   private static final String TAG = RNZipArchiveModule.class.getSimpleName();
 
-  private static final int BUFFER_SIZE = 4096;
   private static final String PROGRESS_EVENT_NAME = "zipArchiveProgressEvent";
   private static final String EVENT_KEY_FILENAME = "filePath";
   private static final String EVENT_KEY_PROGRESS = "progress";
@@ -83,14 +80,18 @@ public void run() {
           updateProgress(0, 1, zipFilePath); // force 0%
           for (int i = 0; i < totalFiles; i++) {
             FileHeader fileHeader = (FileHeader) fileHeaderList.get(i);
+
+            File fout = new File(destDirectory, fileHeader.getFileName());
+            ensureZipPathSafety(fout, destDirectory);
+
             zipFile.extractFile(fileHeader, destDirectory);
             if (!fileHeader.isDirectory()) {
               extractedFileNames.add(fileHeader.getFileName());
             }
             updateProgress(i + 1, totalFiles, zipFilePath);
           }
           promise.resolve(Arguments.fromList(extractedFileNames));
-        } catch (ZipException ex) {
+        } catch (Exception ex) {
           updateProgress(0, 1, zipFilePath); // force 0%
           promise.reject(null, String.format("Failed to unzip file, due to: %s", getStackTrace(ex)));
         }
@@ -161,11 +162,7 @@ public void onCopyProgress(long bytesRead) {
             };
 
             File fout = new File(destDirectory, entry.getName());
-            String destDirCanonicalPath = (new File(destDirectory)).getCanonicalPath();
-            String canonicalPath = fout.getCanonicalPath();
-            if (!canonicalPath.startsWith(destDirCanonicalPath)) {
-              throw new Exception(String.format("Found Zip Path Traversal Vulnerability with %s", canonicalPath));
-            }
+            ensureZipPathSafety(fout, destDirectory);
 
             if (!fout.exists()) {
               //noinspection ResultOfMethodCallIgnored
@@ -254,11 +251,7 @@ public void run() {
               if (entry.isDirectory()) continue;
               fout = new File(destDirectory, entry.getName());
 
-              String destDirCanonicalPath = (new File(destDirectory)).getCanonicalPath();
-              String canonicalPath = fout.getCanonicalPath();
-              if (!canonicalPath.startsWith(destDirCanonicalPath)) {
-                throw new Exception(String.format("Found Zip Path Traversal Vulnerability with %s", canonicalPath));
-              }
+              ensureZipPathSafety(fout, destDirectory);
 
               if (!fout.exists()) {
                 //noinspection ResultOfMethodCallIgnored
@@ -493,4 +486,12 @@ private String getStackTrace(Exception e) {
     return sw.toString();
   }
 
+  private void ensureZipPathSafety(final File fout, final String destDirectory) throws Exception {
+    String destDirCanonicalPath = (new File(destDirectory)).getCanonicalPath();
+    String canonicalPath = fout.getCanonicalPath();
+    if (!canonicalPath.startsWith(destDirCanonicalPath)) {
+      throw new Exception(String.format("Found Zip Path Traversal Vulnerability with %s", canonicalPath));
+    }
+  }
+
 }

package.json

@@ -1,6 +1,6 @@
 {
   "name": "react-native-zip-archive",
-  "version": "4.1.1",
+  "version": "4.1.2-beta.0",
   "description": "A little wrapper on ZipArchive for react-native",
   "main": "index.js",
   "scripts": {