fix path traversal vulnerability issue

plrthink · plrthink · commit 74da5ecb3c61 · 2019-06-08T18:48:54.000+08:00
diff --git a/android/src/main/java/com/rnziparchive/RNZipArchiveModule.java b/android/src/main/java/com/rnziparchive/RNZipArchiveModule.java
@@ -159,6 +159,12 @@ public void onCopyProgress(long bytesRead) {
             };
 
             File fout = new File(destDirectory, entry.getName());
+            String destDirCanonicalPath = (new File(destDirectory)).getCanonicalPath();
+            String canonicalPath = fout.getCanonicalPath();
+            if (!canonicalPath.startsWith(destDirCanonicalPath)) {
+              throw new Exception(String.format("Found Zip Path Traversal Vulnerability with %s", canonicalPath));
+            }
+
             if (!fout.exists()) {
               //noinspection ResultOfMethodCallIgnored
               (new File(fout.getParent())).mkdirs();
@@ -245,6 +251,13 @@ public void run() {
             while ((entry = zipIn.getNextEntry()) != null) {
               if (entry.isDirectory()) continue;
               fout = new File(destDirectory, entry.getName());
+
+              String destDirCanonicalPath = (new File(destDirectory)).getCanonicalPath();
+              String canonicalPath = fout.getCanonicalPath();
+              if (!canonicalPath.startsWith(destDirCanonicalPath)) {
+                throw new Exception(String.format("Found Zip Path Traversal Vulnerability with %s", canonicalPath));
+              }
+
               if (!fout.exists()) {
                 //noinspection ResultOfMethodCallIgnored
                 (new File(fout.getParent())).mkdirs();
diff --git a/example/App.js b/example/App.js
@@ -10,21 +10,13 @@ import {
   StyleSheet,
   View
 } from 'react-native'
-import App from './App'
 import UnzipApp from './UnzipApp'
 
-export default class example extends Component {
-  constructor () {
-    super()
-    this.state = {
-      unzipWithPassword: true
-    }
-  }
-
+export default class Example extends Component {
   render () {
     return (
       <View style={styles.container}>
-        {this.state.unzipWithPassword ? (<UnzipApp />) : (<App />)}
+        <UnzipApp />
       </View>
     )
   }
@@ -37,4 +29,4 @@ const styles = StyleSheet.create({
   }
 })
 
-AppRegistry.registerComponent('example', () => example)
+AppRegistry.registerComponent('example', () => Example)
diff --git a/example/android/app/build.gradle b/example/android/app/build.gradle
@@ -137,10 +137,10 @@ android {
 }
 
 dependencies {
+    implementation project(':react-native-custom-tabs')
     implementation project(':react-native-zip-archive')
     implementation project(':react-native-fs')
     implementation project(':react-native-document-picker')
-    implementation project(':react-native-custom-tabs')
     implementation fileTree(dir: "libs", include: ["*.jar"])
     implementation "com.android.support:appcompat-v7:${rootProject.ext.supportLibVersion}"
     implementation "com.facebook.react:react-native:+"  // From node_modules
diff --git a/example/android/app/src/main/java/com/example/MainApplication.java b/example/android/app/src/main/java/com/example/MainApplication.java
@@ -3,10 +3,10 @@
 import android.app.Application;
 
 import com.facebook.react.ReactApplication;
+import com.github.droibit.android.reactnative.customtabs.CustomTabsPackage;
 import com.rnziparchive.RNZipArchivePackage;
 import com.rnfs.RNFSPackage;
 import com.reactnativedocumentpicker.ReactNativeDocumentPicker;
-import com.github.droibit.android.reactnative.customtabs.CustomTabsPackage;
 import com.facebook.react.ReactNativeHost;
 import com.facebook.react.ReactPackage;
 import com.facebook.react.shell.MainReactPackage;
@@ -27,10 +27,10 @@ public boolean getUseDeveloperSupport() {
     protected List<ReactPackage> getPackages() {
       return Arrays.<ReactPackage>asList(
           new MainReactPackage(),
+            new CustomTabsPackage(),
             new RNZipArchivePackage(),
             new RNFSPackage(),
-            new ReactNativeDocumentPicker(),
-            new CustomTabsPackage()
+            new ReactNativeDocumentPicker()
       );
     }
 
diff --git a/example/android/build.gradle b/example/android/build.gradle
@@ -13,7 +13,7 @@ buildscript {
         jcenter()
     }
     dependencies {
-        classpath 'com.android.tools.build:gradle:3.2.1'
+        classpath 'com.android.tools.build:gradle:3.4.1'
 
         // NOTE: Do not place your application dependencies here; they belong
         // in the individual module build.gradle files
@@ -35,8 +35,7 @@ allprojects {
     }
 }
 
-
-task wrapper(type: Wrapper) {
-    gradleVersion = '4.7'
+wrapper {
+    gradleVersion = '5.1.1'
     distributionUrl = distributionUrl.replace("bin", "all")
 }
diff --git a/example/android/gradle/wrapper/gradle-wrapper.jar b/example/android/gradle/wrapper/gradle-wrapper.jar
diff --git a/example/android/gradle/wrapper/gradle-wrapper.properties b/example/android/gradle/wrapper/gradle-wrapper.properties
@@ -1,5 +1,5 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-5.1.1-all.zip
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-4.7-all.zip
diff --git a/example/android/gradlew b/example/android/gradlew
@@ -28,7 +28,7 @@ APP_NAME="Gradle"
 APP_BASE_NAME=`basename "$0"`
 
 # Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
-DEFAULT_JVM_OPTS=""
+DEFAULT_JVM_OPTS='"-Xmx64m"'
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD="maximum"
diff --git a/example/android/gradlew.bat b/example/android/gradlew.bat
@@ -14,7 +14,7 @@ set APP_BASE_NAME=%~n0
 set APP_HOME=%DIRNAME%
 
 @rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
-set DEFAULT_JVM_OPTS=
+set DEFAULT_JVM_OPTS="-Xmx64m"
 
 @rem Find java.exe
 if defined JAVA_HOME goto findJavaFromJavaHome
diff --git a/example/android/settings.gradle b/example/android/settings.gradle
@@ -1,11 +1,11 @@
 rootProject.name = 'example'
+include ':react-native-custom-tabs'
+project(':react-native-custom-tabs').projectDir = new File(rootProject.projectDir, '../node_modules/react-native-custom-tabs/android')
 include ':react-native-zip-archive'
 project(':react-native-zip-archive').projectDir = new File(rootProject.projectDir, '../node_modules/react-native-zip-archive/android')
 include ':react-native-fs'
 project(':react-native-fs').projectDir = new File(rootProject.projectDir, '../node_modules/react-native-fs/android')
 include ':react-native-document-picker'
 project(':react-native-document-picker').projectDir = new File(rootProject.projectDir, '../node_modules/react-native-document-picker/android')
-include ':react-native-custom-tabs'
-project(':react-native-custom-tabs').projectDir = new File(rootProject.projectDir, '../node_modules/react-native-custom-tabs/android')
 
 include ':app'
diff --git a/example/ios/example.xcodeproj/project.pbxproj b/example/ios/example.xcodeproj/project.pbxproj
@@ -5,7 +5,6 @@
 	};
 	objectVersion = 46;
 	objects = {
-
 /* Begin PBXBuildFile section */
 		00C302E51ABCBA2D00DB3ED1 /* libRCTActionSheet.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 00C302AC1ABCB8CE00DB3ED1 /* libRCTActionSheet.a */; };
 		00C302E71ABCBA2D00DB3ED1 /* libRCTGeolocation.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 00C302BA1ABCB90400DB3ED1 /* libRCTGeolocation.a */; };
@@ -24,11 +23,11 @@
 		1521892E0DC34ED8B39572BC /* libz.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = 092148306BC145E5A5DFA6A0 /* libz.tbd */; };
 		832341BD1AAA6AB300B99B32 /* libRCTText.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 832341B51AAA6A8300B99B32 /* libRCTText.a */; };
 		ADBDB9381DFEBF1600ED6528 /* libRCTBlob.a in Frameworks */ = {isa = PBXBuildFile; fileRef = ADBDB9271DFEBF0700ED6528 /* libRCTBlob.a */; };
-		B19666C0B76C458E880F3061 /* libDBCustomTabs.a in Frameworks */ = {isa = PBXBuildFile; fileRef = F99C94F502CA4D2B9F66A55A /* libDBCustomTabs.a */; };
 		B1E02DAFC3244F4492E73632 /* libRNFS.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 8A8A06B3CBFF4903BA59A99D /* libRNFS.a */; };
 		D70F33A64E71488992F0571A /* libRNDocumentPicker.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 21124052BD1C42B29932C41E /* libRNDocumentPicker.a */; };
 		E0CDCAA4E49345679D245D75 /* libRNZipArchive.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 2B002C38E4184BA89B596A48 /* libRNZipArchive.a */; };
 		ED297163215061F000B7C4FE /* JavaScriptCore.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = ED297162215061F000B7C4FE /* JavaScriptCore.framework */; };
+		319494D9F49D461984CA7D2B /* libDBCustomTabs.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 02563868580D41E0AC0F0BD0 /* libDBCustomTabs.a */; };
 /* End PBXBuildFile section */
 
 /* Begin PBXContainerItemProxy section */
@@ -291,13 +290,6 @@
 			remoteGlobalIDString = ED296FEE214C9CF800B7C4FE;
 			remoteInfo = "jsiexecutor-tvOS";
 		};
-		D0257100222AFA9000FCA22C /* PBXContainerItemProxy */ = {
-			isa = PBXContainerItemProxy;
-			containerPortal = ACF59FB5EA87437CB8D11A80 /* ReactNativeCustomTabs.xcodeproj */;
-			proxyType = 2;
-			remoteGlobalIDString = DA7118681CC9158A0087DF95;
-			remoteInfo = DBCustomTabs;
-		};
 		D0257103222AFA9000FCA22C /* PBXContainerItemProxy */ = {
 			isa = PBXContainerItemProxy;
 			containerPortal = E30BF4840B534983B566B463 /* RNDocumentPicker.xcodeproj */;
@@ -355,13 +347,13 @@
 		832341B01AAA6A8300B99B32 /* RCTText.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = RCTText.xcodeproj; path = "../node_modules/react-native/Libraries/Text/RCTText.xcodeproj"; sourceTree = "<group>"; };
 		8A8A06B3CBFF4903BA59A99D /* libRNFS.a */ = {isa = PBXFileReference; explicitFileType = undefined; fileEncoding = 9; includeInIndex = 0; lastKnownFileType = archive.ar; path = libRNFS.a; sourceTree = "<group>"; };
 		910349A9C5884E88B21C0558 /* RNFS.xcodeproj */ = {isa = PBXFileReference; explicitFileType = undefined; fileEncoding = 9; includeInIndex = 0; lastKnownFileType = "wrapper.pb-project"; name = RNFS.xcodeproj; path = "../node_modules/react-native-fs/RNFS.xcodeproj"; sourceTree = "<group>"; };
-		ACF59FB5EA87437CB8D11A80 /* ReactNativeCustomTabs.xcodeproj */ = {isa = PBXFileReference; explicitFileType = undefined; fileEncoding = 9; includeInIndex = 0; lastKnownFileType = "wrapper.pb-project"; name = ReactNativeCustomTabs.xcodeproj; path = "../node_modules/react-native-custom-tabs/ios/ReactNativeCustomTabs.xcodeproj"; sourceTree = "<group>"; };
 		ADBDB91F1DFEBF0600ED6528 /* RCTBlob.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = RCTBlob.xcodeproj; path = "../node_modules/react-native/Libraries/Blob/RCTBlob.xcodeproj"; sourceTree = "<group>"; };
 		D025710E222AFAC400FCA22C /* example.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; name = example.entitlements; path = example/example.entitlements; sourceTree = "<group>"; };
 		E30BF4840B534983B566B463 /* RNDocumentPicker.xcodeproj */ = {isa = PBXFileReference; explicitFileType = undefined; fileEncoding = 9; includeInIndex = 0; lastKnownFileType = "wrapper.pb-project"; name = RNDocumentPicker.xcodeproj; path = "../node_modules/react-native-document-picker/ios/RNDocumentPicker.xcodeproj"; sourceTree = "<group>"; };
 		ED297162215061F000B7C4FE /* JavaScriptCore.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = JavaScriptCore.framework; path = System/Library/Frameworks/JavaScriptCore.framework; sourceTree = SDKROOT; };
 		ED2971642150620600B7C4FE /* JavaScriptCore.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = JavaScriptCore.framework; path = Platforms/AppleTVOS.platform/Developer/SDKs/AppleTVOS12.0.sdk/System/Library/Frameworks/JavaScriptCore.framework; sourceTree = DEVELOPER_DIR; };
-		F99C94F502CA4D2B9F66A55A /* libDBCustomTabs.a */ = {isa = PBXFileReference; explicitFileType = undefined; fileEncoding = 9; includeInIndex = 0; lastKnownFileType = archive.ar; path = libDBCustomTabs.a; sourceTree = "<group>"; };
+		62380DDADCCE4A5EBF5806C9 /* ReactNativeCustomTabs.xcodeproj */ = {isa = PBXFileReference; name = "ReactNativeCustomTabs.xcodeproj"; path = "../node_modules/react-native-custom-tabs/ios/ReactNativeCustomTabs.xcodeproj"; sourceTree = "<group>"; fileEncoding = undefined; lastKnownFileType = wrapper.pb-project; explicitFileType = undefined; includeInIndex = 0; };
+		02563868580D41E0AC0F0BD0 /* libDBCustomTabs.a */ = {isa = PBXFileReference; name = "libDBCustomTabs.a"; path = "libDBCustomTabs.a"; sourceTree = "<group>"; fileEncoding = undefined; lastKnownFileType = archive.ar; explicitFileType = undefined; includeInIndex = 0; };
 /* End PBXFileReference section */
 
 /* Begin PBXFrameworksBuildPhase section */
@@ -382,11 +374,11 @@
 				832341BD1AAA6AB300B99B32 /* libRCTText.a in Frameworks */,
 				00C302EA1ABCBA2D00DB3ED1 /* libRCTVibration.a in Frameworks */,
 				139FDEF61B0652A700C62182 /* libRCTWebSocket.a in Frameworks */,
-				B19666C0B76C458E880F3061 /* libDBCustomTabs.a in Frameworks */,
 				D70F33A64E71488992F0571A /* libRNDocumentPicker.a in Frameworks */,
 				B1E02DAFC3244F4492E73632 /* libRNFS.a in Frameworks */,
 				E0CDCAA4E49345679D245D75 /* libRNZipArchive.a in Frameworks */,
 				1521892E0DC34ED8B39572BC /* libz.tbd in Frameworks */,
+				319494D9F49D461984CA7D2B /* libDBCustomTabs.a in Frameworks */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -537,10 +529,10 @@
 				832341B01AAA6A8300B99B32 /* RCTText.xcodeproj */,
 				00C302DF1ABCB9EE00DB3ED1 /* RCTVibration.xcodeproj */,
 				139FDEE61B06529A00C62182 /* RCTWebSocket.xcodeproj */,
-				ACF59FB5EA87437CB8D11A80 /* ReactNativeCustomTabs.xcodeproj */,
 				E30BF4840B534983B566B463 /* RNDocumentPicker.xcodeproj */,
 				910349A9C5884E88B21C0558 /* RNFS.xcodeproj */,
 				0B3D178E544E488F8D7872E2 /* RNZipArchive.xcodeproj */,
+				62380DDADCCE4A5EBF5806C9 /* ReactNativeCustomTabs.xcodeproj */,
 			);
 			name = Libraries;
 			sourceTree = "<group>";
@@ -596,14 +588,6 @@
 			name = "Recovered References";
 			sourceTree = "<group>";
 		};
-		D02570F7222AFA8E00FCA22C /* Products */ = {
-			isa = PBXGroup;
-			children = (
-				D0257101222AFA9000FCA22C /* libDBCustomTabs.a */,
-			);
-			name = Products;
-			sourceTree = "<group>";
-		};
 		D02570F9222AFA8F00FCA22C /* Products */ = {
 			isa = PBXGroup;
 			children = (
@@ -729,10 +713,6 @@
 					ProductGroup = 146834001AC3E56700842450 /* Products */;
 					ProjectRef = 146833FF1AC3E56700842450 /* React.xcodeproj */;
 				},
-				{
-					ProductGroup = D02570F7222AFA8E00FCA22C /* Products */;
-					ProjectRef = ACF59FB5EA87437CB8D11A80 /* ReactNativeCustomTabs.xcodeproj */;
-				},
 				{
 					ProductGroup = D02570F9222AFA8F00FCA22C /* Products */;
 					ProjectRef = E30BF4840B534983B566B463 /* RNDocumentPicker.xcodeproj */;
@@ -1013,13 +993,6 @@
 			remoteRef = D02570F5222AFA8E00FCA22C /* PBXContainerItemProxy */;
 			sourceTree = BUILT_PRODUCTS_DIR;
 		};
-		D0257101222AFA9000FCA22C /* libDBCustomTabs.a */ = {
-			isa = PBXReferenceProxy;
-			fileType = archive.ar;
-			path = libDBCustomTabs.a;
-			remoteRef = D0257100222AFA9000FCA22C /* PBXContainerItemProxy */;
-			sourceTree = BUILT_PRODUCTS_DIR;
-		};
 		D0257104222AFA9000FCA22C /* libRNDocumentPicker.a */ = {
 			isa = PBXReferenceProxy;
 			fileType = archive.ar;
@@ -1114,10 +1087,10 @@
 				DEVELOPMENT_TEAM = YMUB8PUSZ5;
 				HEADER_SEARCH_PATHS = (
 					"$(inherited)",
-					"$(SRCROOT)/../node_modules/react-native-custom-tabs/ios/ReactNativeCustomTabs",
 					"$(SRCROOT)/../node_modules/react-native-document-picker/ios/RNDocumentPicker",
 					"$(SRCROOT)/../node_modules/react-native-fs/**",
 					"$(SRCROOT)/../node_modules/react-native-zip-archive/ios/**",
+					"$(SRCROOT)/../node_modules/react-native-custom-tabs/ios/ReactNativeCustomTabs",
 				);
 				INFOPLIST_FILE = example/Info.plist;
 				LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks";
@@ -1129,6 +1102,10 @@
 				PRODUCT_BUNDLE_IDENTIFIER = com.mockingbot.rnza.example;
 				PRODUCT_NAME = example;
 				VERSIONING_SYSTEM = "apple-generic";
+				LIBRARY_SEARCH_PATHS = (
+					"$(inherited)",
+					"\"$(SRCROOT)/example\"",
+				);
 			};
 			name = Debug;
 		};
@@ -1141,10 +1118,10 @@
 				DEVELOPMENT_TEAM = YMUB8PUSZ5;
 				HEADER_SEARCH_PATHS = (
 					"$(inherited)",
-					"$(SRCROOT)/../node_modules/react-native-custom-tabs/ios/ReactNativeCustomTabs",
 					"$(SRCROOT)/../node_modules/react-native-document-picker/ios/RNDocumentPicker",
 					"$(SRCROOT)/../node_modules/react-native-fs/**",
 					"$(SRCROOT)/../node_modules/react-native-zip-archive/ios/**",
+					"$(SRCROOT)/../node_modules/react-native-custom-tabs/ios/ReactNativeCustomTabs",
 				);
 				INFOPLIST_FILE = example/Info.plist;
 				LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks";
@@ -1156,6 +1133,10 @@
 				PRODUCT_BUNDLE_IDENTIFIER = com.mockingbot.rnza.example;
 				PRODUCT_NAME = example;
 				VERSIONING_SYSTEM = "apple-generic";
+				LIBRARY_SEARCH_PATHS = (
+					"$(inherited)",
+					"\"$(SRCROOT)/example\"",
+				);
 			};
 			name = Release;
 		};
diff --git a/example/yarn.lock b/example/yarn.lock
@@ -4630,7 +4630,7 @@ react-native-really-awesome-button@^0.8.3:
   integrity sha1-gbnxl3XQ8JRGdVDsRYR2Lx+92EE=
 
 "react-native-zip-archive@file:..":
-  version "3.0.1"
+  version "4.0.1"
 
 react-native@0.58.6:
   version "0.58.6"
diff --git a/yarn.lock b/yarn.lock

Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ buildscript {`
`13`	`13`	`jcenter()`
`14`	`14`	`}`
`15`	`15`	`dependencies {`
`16`		`- classpath 'com.android.tools.build:gradle:3.2.1'`
	`16`	`+ classpath 'com.android.tools.build:gradle:3.4.1'`
`17`	`17`
`18`	`18`	`// NOTE: Do not place your application dependencies here; they belong`
`19`	`19`	`// in the individual module build.gradle files`
`@@ -35,8 +35,7 @@ allprojects {`
`35`	`35`	`}`
`36`	`36`	`}`
`37`	`37`
`38`		`-`
`39`		`-task wrapper(type: Wrapper) {`
`40`		`- gradleVersion = '4.7'`
	`38`	`+wrapper {`
	`39`	`+ gradleVersion = '5.1.1'`
`41`	`40`	`distributionUrl = distributionUrl.replace("bin", "all")`
`42`	`41`	`}`