Applied path traversal patch

Mirrored from MobileChromeApps#94 which itself was based on couple of other people's changes in relation to this issue
gregbgithub · Apr 26, 2023 · 92e525b · 92e525b
1 parent 977b57d
commit 92e525b
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/src/android/Zip.java b/src/android/Zip.java
@@ -126,6 +126,16 @@ private void unzipSync(CordovaArgs args, CallbackContext callbackContext) {
                    dir.mkdirs();
                 } else {
                     File file = new File(outputDirectory + compressedName);
+
+                    String canonicalPath = file.getCanonicalPath();
+                    String absolutePath = file.getAbsolutePath();
+                    if (!canonicalPath.startsWith(outputDirectory) && !absolutePath.startsWith(outputDirectory)) {
+                        String errorMessage = "Zip traversal security error";
+                        callbackContext.error(errorMessage);
+                        Log.e(LOG_TAG, errorMessage);
+                        return;
+                    }
+
                     file.getParentFile().mkdirs();
                     if(file.exists() || file.createNewFile()){
                         Log.w("Zip", "extracting: " + file.getPath());