Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Handle zip traversal vulnerability #92

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

webberig
Copy link

Fixes #91 by checking the file path as described in this article

@google-cla
Copy link

google-cla bot commented Jan 29, 2021

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.


What to do if you already signed the CLA

Individual signers
Corporate signers

ℹ️ Googlers: Go here for more info.

@webberig
Copy link
Author

@googlebot I signed it!

wnabil pushed a commit to wnabil/cordova-plugin-zip that referenced this pull request Feb 11, 2021
@nicolaswww
Copy link

nicolaswww commented Feb 20, 2021

Great job! I have created a fork in the meantime :) (some owner please merge it)

@srgpqt
Copy link

srgpqt commented Aug 11, 2021

This fix sometimes fails, presumably when outputDirectory is not itself canonical.
Had to revert it in our project.

@ZumelzuR
Copy link

can somebody merge this?????

@DavidTalevski
Copy link

This fix sometimes fails, presumably when outputDirectory is not itself canonical. Had to revert it in our project.

When the outputDirectory is a relative path you can convert it to a canonical path and still apply the same check.

  File file = new File(outputDirectory + compressedName);
  String canonicalDestinationPath = (new File(outputDirectory)).getCanonicalPath();
  String canonicalPath = file.getCanonicalPath();
  if (!canonicalPath.startsWith(canonicalDestinationPath)) {
      String errorMessage = "Zip traversal security error";
      callbackContext.error(errorMessage);
      Log.e(LOG_TAG, errorMessage);
      return;
  }

Copy link

@lukaszkurowskilbn lukaszkurowskilbn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it's work!

@lczw
Copy link

lczw commented Dec 15, 2021

Should this really be approved, if it fails when the outputDirectory is not canonical? The code snippet by @DavidTalevski should be the way to go, or is there some weird behavior that occurs with it?

@DavidTalevski
Copy link

@lczw I've tested the solution for both relative and full paths and it works for both. So far I have not encountered any weird behaviors.

@lukaszkurowskilbn
Copy link

lukaszkurowskilbn commented Dec 16, 2021 via email

@lczw
Copy link

lczw commented Dec 16, 2021

I see. I have encountered a problem where there was a mismatch which is fixed by getting the canonical path of the output directory.

However, if it works on your end then it's probably something that should be fixed in my project instead of the plugin ^^

@DavidTalevski
Copy link

I see. I have encountered a problem where there was a mismatch which is fixed by getting the canonical path of the output directory.

However, if it works on your end then it's probably something that should be fixed in my project instead of the plugin ^^

I was describing the getCanonicalPath solution. I also had an issue with the PR code with relative paths which got fixed when turning them to canonical, so the problem is most likely not on your end.

@lczw
Copy link

lczw commented Dec 16, 2021

I misunderstood your comment, sorry. Your code works fine for me as well, which is why I though it's a good idea to use it instead of the PR's code

lauralujan added a commit to SunPower/cordova-plugin-zip that referenced this pull request Feb 10, 2022
remoorejr added a commit to remoorejr/cordova-plugin-zip that referenced this pull request Feb 12, 2022
@aymanar
Copy link

aymanar commented Mar 14, 2022

So is the final decision that this will not be merged?

@jcperuffo
Copy link

Hi devs,

I've manually applied this fix into my code today and would like to share a note about the problem. The fix was applied to an Android APP (Ionic v3 / Angular) that uses the cordova-plugin-zip lib. After apply the fix and test the APP, I noticed that the zip content that I had into my APP was not being unzipped, and while checking logs with adb logcat, I saw the message "Zip traversal security error" from the fix applied.

After debug the problem, I saw that, in my APP, the output directory where the content was being extracted is the user directory inside the Android filesystem. Compare the directories below:

Output from "file.getCanonicalPath()":
/data/data/br.com.someapplication.sub/files/...

My APP output directory (where the zip content would be extract to):
/data/user/0/br.com.someapplication.sub/files/...

Because of this, the code if (!canonicalPath.startsWith(outputDirectory)... fails and my zip files are not unzipped.

So, to be able to use the fix #92 and attend my scenario, I've added one more verification, as below:

...
File file = new File(outputDirectory + compressedName);
String canonicalPath = file.getCanonicalPath();
String absolutePath = file.getAbsolutePath();
if (!canonicalPath.startsWith(outputDirectory) && !absolutePath.startsWith(outputDirectory)) {
    String errorMessage = "Zip traversal security error";
    ...

Hope this can help someone.

bikubi added a commit to bikubi/cordova-plugin-zip that referenced this pull request May 19, 2022
/data/data/foo vs /data/user/0/foo,
as suggested by @jcperuffo in MobileChromeApps#92 (comment)
@bikubi
Copy link

bikubi commented May 19, 2022

@jcperuffo we ran into the same problem & your solution worked. thanks!
I made a fork: https://github.com/bikubi/cordova-plugin-zip/ or see commit above.

@SeroK
Copy link

SeroK commented May 19, 2022

This fix sometimes fails, presumably when outputDirectory is not itself canonical. Had to revert it in our project.

When the outputDirectory is a relative path you can convert it to a canonical path and still apply the same check.

  File file = new File(outputDirectory + compressedName);
  String canonicalDestinationPath = (new File(outputDirectory)).getCanonicalPath();
  String canonicalPath = file.getCanonicalPath();
  if (!canonicalPath.startsWith(canonicalDestinationPath)) {
      String errorMessage = "Zip traversal security error";
      callbackContext.error(errorMessage);
      Log.e(LOG_TAG, errorMessage);
      return;
  }

I think this is the fix we want.

akrcc pushed a commit to akrcc/cordova-plugin-zip that referenced this pull request Mar 4, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Zip Path Traversal vulnerability