Skip to content
Permalink
Browse files

Prevent malicious directory/file work with unknown files

  • Loading branch information...
iBotPeaches committed Jul 5, 2017
1 parent 2e7f2a9 commit 02c8b62b00da8e45d9cf09536e73df947fceb7c2
@@ -617,7 +617,7 @@ public void buildUnknownFiles(File appDir, File outFile, MetaInfo meta)
) {
copyExistingFiles(inputFile, actualOutput);
copyUnknownFiles(appDir, actualOutput, files);
} catch (IOException ex) {
} catch (IOException | BrutException ex) {
throw new AndrolibException(ex);
}

@@ -646,12 +646,12 @@ private void copyExistingFiles(ZipFile inputFile, ZipOutputStream outputFile) th
}

private void copyUnknownFiles(File appDir, ZipOutputStream outputFile, Map<String, String> files)
throws IOException {
throws BrutException, IOException {
File unknownFileDir = new File(appDir, UNK_DIRNAME);

// loop through unknown files
for (Map.Entry<String,String> unknownFileInfo : files.entrySet()) {
File inputFile = new File(unknownFileDir, unknownFileInfo.getKey());
File inputFile = new File(unknownFileDir, BrutIO.sanitizeUnknownFile(unknownFileDir, unknownFileInfo.getKey()));
if (inputFile.isDirectory()) {
continue;
}
@@ -0,0 +1,77 @@
/**
* Copyright 2014 Ryszard Wiśniewski <brut.alll@gmail.com>
* Copyright 2016 Connor Tumbleson <connor.tumbleson@gmail.com>
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package brut.androlib;

import brut.common.BrutException;
import brut.common.InvalidUnknownFileException;
import brut.common.RootUnknownFileException;
import brut.common.TraversalUnknownFileException;
import brut.directory.ExtFile;
import brut.util.BrutIO;
import brut.util.OS;
import org.junit.BeforeClass;
import org.junit.Test;

import java.io.File;
import java.io.IOException;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;

/**
* @author Connor Tumbleson <connor.tumbleson@gmail.com>
*/
public class UnknownDirectoryTraversalTest {

@BeforeClass
public static void beforeClass() throws Exception {
sTmpDir = new ExtFile(OS.createTempDirectory());
TestUtils.copyResourceDir(UnknownDirectoryTraversalTest.class, "brut/apktool/traversal", sTmpDir);
}

@Test
public void validFileTest() throws IOException, BrutException {
String validFilename = BrutIO.sanitizeUnknownFile(sTmpDir, "file");
assertEquals(validFilename, "file");

File validFile = new File(sTmpDir, validFilename);
assertTrue(validFile.isFile());
}

@Test(expected = TraversalUnknownFileException.class)
public void invalidBackwardFileTest() throws IOException, BrutException {
BrutIO.sanitizeUnknownFile(sTmpDir, "../file");
}

@Test(expected = RootUnknownFileException.class)
public void invalidRootFileTest() throws IOException, BrutException {
BrutIO.sanitizeUnknownFile(sTmpDir, "/file");
}

@Test(expected = InvalidUnknownFileException.class)
public void noFilePassedTest() throws IOException, BrutException {
BrutIO.sanitizeUnknownFile(sTmpDir, "");
}

@Test
public void validDirectoryFileTest() throws IOException, BrutException {
String validFilename = BrutIO.sanitizeUnknownFile(sTmpDir, "dir" + File.separator + "file");
assertEquals("dir" + File.separator + "file", validFilename);
}

public static File sTmpDir;
}
@@ -0,0 +1,23 @@
/**
* Copyright 2014 Ryszard Wiśniewski <brut.alll@gmail.com>
* Copyright 2017 Connor Tumbleson <connor.tumbleson@gmail.com>
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package brut.common;

public class InvalidUnknownFileException extends BrutException {
public InvalidUnknownFileException(String message) {
super(message);
}
}
@@ -0,0 +1,23 @@
/**
* Copyright 2014 Ryszard Wiśniewski <brut.alll@gmail.com>
* Copyright 2017 Connor Tumbleson <connor.tumbleson@gmail.com>
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package brut.common;

public class RootUnknownFileException extends BrutException {
public RootUnknownFileException(String message) {
super(message);
}
}
@@ -0,0 +1,23 @@
/**
* Copyright 2014 Ryszard Wiśniewski <brut.alll@gmail.com>
* Copyright 2017 Connor Tumbleson <connor.tumbleson@gmail.com>
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package brut.common;

public class TraversalUnknownFileException extends BrutException {
public TraversalUnknownFileException(String message) {
super(message);
}
}
@@ -22,6 +22,10 @@
import java.util.zip.ZipFile;
import java.util.zip.ZipOutputStream;

import brut.common.BrutException;
import brut.common.InvalidUnknownFileException;
import brut.common.RootUnknownFileException;
import brut.common.TraversalUnknownFileException;
import org.apache.commons.io.IOUtils;

/**
@@ -73,6 +77,26 @@ public static CRC32 calculateCrc(InputStream input) throws IOException {
return crc;
}

public static String sanitizeUnknownFile(final File directory, final String entry) throws IOException, BrutException {
if (entry.length() == 0) {
throw new InvalidUnknownFileException("Invalid Unknown File - " + entry);
}

if (new File(entry).isAbsolute()) {
throw new RootUnknownFileException("Absolute Unknown Files is not allowed - " + entry);
}

final String canonicalDirPath = directory.getCanonicalPath() + File.separator;
final String canonicalEntryPath = new File(directory, entry).getCanonicalPath();

if (!canonicalEntryPath.startsWith(canonicalDirPath)) {
throw new TraversalUnknownFileException("Directory Traversal is not allowed - " + entry);
}

// https://stackoverflow.com/q/2375903/455008
return canonicalEntryPath.substring(canonicalDirPath.length());
}

public static void copy(File inputFile, ZipOutputStream outputFile) throws IOException {
try (
FileInputStream fis = new FileInputStream(inputFile)

0 comments on commit 02c8b62

Please sign in to comment.
You can’t perform that action at this time.