3.2.5

- Fixed #6 zip path traversal vulnerability in Android implementation
sitewaerts · Sep 29, 2022 · 5c3d72c · 5c3d72c
1 parent 19c18aa
commit 5c3d72c
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -43,6 +43,9 @@ Note that 'jszip' is the only algorithm that doesn't extract empty folders.
 
 ## Release Notes
 
+### 3.2.5 (Sep 29, 2022)
+* Fixed zip path traversal vulnerability in Android implementation (Zip.java)
+
 ### 3.2.4 (Dec 14, 2021)
 * Fixed miniz-cpp not extracting more than one file successfully
 

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "cordova-plugin-zip",
-  "version": "3.2.3",
+  "version": "3.2.5",
   "description": "Unzips zip files",
   "cordova": {
     "id": "cordova-plugin-unzip",

diff --git a/plugin.xml b/plugin.xml
@@ -2,7 +2,7 @@
 <plugin xmlns="http://phonegap.com/ns/plugins/1.0"
         xmlns:android="http://schemas.android.com/apk/res/android"
         id="cordova-plugin-zip"
-        version="3.2.3">
+        version="3.2.5">
     <engines>
         <engine name="cordova" version=">=3.3.0"/>
     </engines>

diff --git a/src/android/Zip.java b/src/android/Zip.java
@@ -6,6 +6,7 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.FileNotFoundException;
+import java.lang.SecurityException;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipInputStream;
 
@@ -120,12 +121,16 @@ private void unzipSync(CordovaArgs args, CallbackContext callbackContext) {
             {
                 anyEntries = true;
                 String compressedName = ze.getName();
+                File file = new File(outputDirectory + compressedName);
+
+                // Prevent zip path traversal vulnerability: https://support.google.com/faqs/answer/9294009
+                if (!file.getCanonicalPath().startsWith(outputDirectory)) {
+                    throw new SecurityException("Potential zip path traversal vulnerability detected");
+                }
 
                 if (ze.isDirectory()) {
-                   File dir = new File(outputDirectory + compressedName);
-                   dir.mkdirs();
+                   file.mkdirs();
                 } else {
-                    File file = new File(outputDirectory + compressedName);
                     file.getParentFile().mkdirs();
                     if(file.exists() || file.createNewFile()){
                         Log.w("Zip", "extracting: " + file.getPath());