Fix Android Warning "Zip Path Traversal Vulnerability"

moweex-mobile · plrthink · commit 1c3a4d3b41c8 · 2020-02-06T10:21:53.000+08:00
diff --git a/android/src/main/java/com/rnziparchive/RNZipArchiveModule.java b/android/src/main/java/com/rnziparchive/RNZipArchiveModule.java
@@ -86,7 +86,12 @@ public void run() {
             FileHeader fileHeader = (FileHeader) fileHeaderList.get(i);
 
             File fout = new File(destDirectory, fileHeader.getFileName());
-            ensureZipPathSafety(fout, destDirectory);
+            String canonicalPath = fout.getCanonicalPath();
+            String destDirCanonicalPath = (new File(destDirectory).getCanonicalPath()) + File.separator;
+
+            if (!canonicalPath.startsWith(destDirCanonicalPath)) {
+                 throw new SecurityException(String.format("Found Zip Path Traversal Vulnerability with %s", canonicalPath));
+            }
 
             zipFile.extractFile(fileHeader, destDirectory);
             if (!fileHeader.isDirectory()) {
@@ -172,8 +177,13 @@ public void onCopyProgress(long bytesRead) {
             };
 
             File fout = new File(destDirectory, entry.getName());
-            ensureZipPathSafety(fout, destDirectory);
+            String canonicalPath = fout.getCanonicalPath();
+            String destDirCanonicalPath = (new File(destDirectory).getCanonicalPath()) + File.separator;
 
+            if (!canonicalPath.startsWith(destDirCanonicalPath)) {
+                 throw new SecurityException(String.format("Found Zip Path Traversal Vulnerability with %s", canonicalPath));
+            }
+            
             if (!fout.exists()) {
               //noinspection ResultOfMethodCallIgnored
               (new File(fout.getParent())).mkdirs();
@@ -260,8 +270,12 @@ public void run() {
             while ((entry = zipIn.getNextEntry()) != null) {
               if (entry.isDirectory()) continue;
               fout = new File(destDirectory, entry.getName());
+              String canonicalPath = fout.getCanonicalPath();
+              String destDirCanonicalPath = (new File(destDirectory).getCanonicalPath()) + File.separator;
 
-              ensureZipPathSafety(fout, destDirectory);
+              if (!canonicalPath.startsWith(destDirCanonicalPath)) {
+                   throw new SecurityException(String.format("Found Zip Path Traversal Vulnerability with %s", canonicalPath));
+              }
 
               if (!fout.exists()) {
                 //noinspection ResultOfMethodCallIgnored
@@ -472,12 +486,4 @@ private String getStackTrace(Exception e) {
     return sw.toString();
   }
 
-  private void ensureZipPathSafety(final File fout, final String destDirectory) throws Exception {
-    String destDirCanonicalPath = (new File(destDirectory)).getCanonicalPath();
-    String canonicalPath = fout.getCanonicalPath();
-    if (!canonicalPath.startsWith(destDirCanonicalPath)) {
-      throw new Exception(String.format("Found Zip Path Traversal Vulnerability with %s", canonicalPath));
-    }
-  }
-
 }
