Prevent arbitrary file writes with malicious resource names. (#3484)
* refactor: rename sanitize function * fix: expose getDir * fix: safe handling of untrusted resource names - fixes: GHSA-2hqv-2xv4-5h5w * test: sample file for GHSA-2hqv-2xv4-5h5w * refactor: avoid detection of absolute files for resource check * chore: enable info mode on gradle * test: skip test on windows * chore: debug windows handling * fix: normalize entry with file separators * fix: normalize filepath after cleansing * chore: Android paths are not OS specific * refactor: use java.nio for path traversal checking * chore: align path separator on Windows for Zip files * chore: rework towards basic directory traversal * chore: remove '--info' on build.yml
1 parent
077b200
commit 93e7d6b
Showing
10 changed files
with
100 additions
and
20 deletions.
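--- /dev/null
+++ b/brut.apktool/apktool-lib/src/test/java/brut/androlib/decode/ResourceDirectoryTraversalTest.java
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2010 Ryszard Wiśniewski <brut.alll@gmail.com>
+ * Copyright (C) 2010 Connor Tumbleson <connor.tumbleson@gmail.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package brut.androlib.decode;
+
+import brut.androlib.ApkDecoder;
+import brut.androlib.BaseTest;
+import brut.androlib.Config;
+import brut.androlib.TestUtils;
+import brut.common.BrutException;
+import brut.directory.ExtFile;
+import brut.util.OS;
+import brut.util.OSDetection;
+import org.junit.AfterClass;
+import org.junit.Assume;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import java.io.File;
+import java.io.IOException;
+
+import static org.junit.Assert.assertTrue;
+
+public class ResourceDirectoryTraversalTest extends BaseTest {
+
+    @BeforeClass
+    public static void beforeClass() throws Exception {
+        TestUtils.cleanFrameworkFile();
+        sTmpDir = new ExtFile(OS.createTempDirectory());
+        TestUtils.copyResourceDir(ResourceDirectoryTraversalTest.class, "decode/arbitrary-write/", sTmpDir);
+        Assume.assumeFalse(OSDetection.isWindows());
+    }
+
+    @AfterClass
+    public static void afterClass() throws BrutException {
+        OS.rmdir(sTmpDir);
+    }
+
+    @Test
+    public void checkIfMaliciousRawFileIsDisassembledProperly() throws BrutException, IOException {
+        String apk = "GHSA-2hqv-2xv4-5h5w.apk";
+
+        Config config = Config.getDefaultConfig();
+        config.forceDelete = true;
+        ApkDecoder apkDecoder = new ApkDecoder(config, new File(sTmpDir + File.separator + apk));
+        File outDir = new File(sTmpDir + File.separator + apk + ".out");
+        apkDecoder.decode(outDir);
+
+        File pocTestFile = new File(outDir,"res/raw/poc");
+        assertTrue(pocTestFile.exists());
+    }
+}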
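Review bot: The test only checks the positive outcome — that `res/raw/poc` is created inside `outDir` (lines 104–105) — so it would still pass if the crafted entry were additionally written to its traversal target, which is exactly the regression the fixture exists to catch. Add a negative assertion on the path the malicious entry is built to escape to (the entry name lives in the binary APK and is not visible here), for example `assertFalse(new File(outDir.getParentFile(), "poc").exists());` with the path adjusted to the fixture, plus a static import of `assertFalse`. Separately, `Assume.assumeFalse(OSDetection.isWindows())` skips the whole class on Windows even though the commit description says separator handling for Windows zip entries was reworked, so that branch of the fix has no coverage; consider running the test there once the fixture's entry name is separator-agnostic. Minor: `new File(sTmpDir, apk)` reads better than `sTmpDir + File.separator + apk` and avoids string-building a path.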
Binary file added
+49.6 KB
brut.apktool/apktool-lib/src/test/resources/decode/arbitrary-write/GHSA-2hqv-2xv4-5h5w.apk
@@ -119,7 +119,7 @@ private void loadAll() { | |
} | ||
} | ||
|
||
private File getDir() { | ||
public File getDir() { | ||
return mDir; | ||
} | ||
} |
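Review bot: `getDir()` is widened from `private` to `public` (lines 127–128) without any Javadoc, and since the description says it was exposed so the decoder can anchor a path check, callers will now compare untrusted entry paths against the `File` it returns. A one-line Javadoc such as `/** Returns the directory held in mDir; callers doing containment checks should canonicalize both sides before comparing. */` would make that expectation explicit for future callers. Whether `mDir` is already canonical or absolute cannot be told from this hunk; the enclosing class and the `mDir` assignment are outside it.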