[Security issue] Possibility to write files outside specified directory via path traversal #1589
Steps to Reproduce
Hi, I've repacked APK via the following code:
It's clear. Just rename entries in the APK (= ZIP), by appending "../../../../" to any files except sources and manifest. Then run the command:
And I see that multiple files were written to out1.
This issue is pretty dangerous and can be used against apktool if it works on the server-side. Please don't allow writing outside the specified directory: calculate the canonical path of a file which you're going to save and verify that it belongs to the specified directory.
While I don't have anything in the readme about security related issues, usually it is the right thing to do to disclose those in private vs a public bug tracker. Not a very responsible thing to do.
It sounds like I patched this recently with malicious files that were unknown to Android, but it seems you are talking about known files like
No, I used it against unknown files (because apktool was throwing errors when it was used against resources and dex files). Maybe there is a way to exploit it against known ones, but it requires deeply learning how apktool works. The exploit I provided is really easy.
But anyway, if you see that a zip entry contains any traversals like /./ or /../, isn't it simpler to canonicalize the entry path and, if it points outside the root, just skip it?
Based on the 3-8 emails I get a day about Apktool, I'm not sure how people are finding my email then. I will make it more explicit to ensure future security related reports have an avenue to report.
As for the reported issue. I won't have time to look into it today, but I will try and make time when I have a chance.
added a commit on Sep 3, 2017
referenced this issue on Sep 3, 2017
Seems the safest solution is to skip any file with relative paths in it. At first I started normalizing the directory structure within the scope of the executed directory, but this led to applications that were built one way being rebuilt another.
Granted, they are rebuilt without those files as well (this time), because of being skipped. It is far less code to maintain/understand. PR above
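The two mitigations discussed in this thread, the reporter's canonical-path containment check and the maintainer's simpler "skip any entry with relative path components" policy, side by side in an added example. This is illustrative code written for this page, not code from the issue or from Apktool; the sample archive, the `plan_extraction`/`safe_extract` helpers and the decision labels are all constructed here. Running it over an archive that contains both ordinary entries and traversal-style entry names shows which entries each rule rejects, and why the maintainer's rule also drops entries like `assets/./sub/../note.txt` that the canonical check alone would accept (after normalising their layout).

```python
import io
import os
import tempfile
import zipfile


def build_sample_zip() -> bytes:
    """Constructed sample archive (not from the issue): two ordinary APK-style
    entries plus three entry names of the kind produced by renaming ZIP entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("res/values/strings.xml", b"<resources/>")
        zf.writestr("../../../../tmp/escaped.txt", b"would land outside the root")
        zf.writestr("assets/./sub/../note.txt", b"inside the root, but with dot segments")
        zf.writestr("/etc/passwd", b"absolute entry name")
    return buf.getvalue()


def has_relative_component(entry_name: str) -> bool:
    """Maintainer's policy: refuse any entry whose path contains a '.' or '..' segment.
    Backslashes are treated as separators so Windows-style names get the same check."""
    segments = entry_name.replace("\\", "/").split("/")
    return any(seg in (".", "..") for seg in segments)


def resolves_inside(root: str, entry_name: str) -> bool:
    """Reporter's check: canonicalise root/entry and require it to stay under root.
    Absolute entry names are caught too, because os.path.join discards root for them."""
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, entry_name))
    return os.path.commonpath([root_real, target]) == root_real


def plan_extraction(zip_bytes: bytes, root: str) -> dict:
    """Return {entry_name: decision}, where decision is one of
    'extract', 'skip:relative' (dot segments) or 'skip:escape' (leaves the root)."""
    decisions = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if has_relative_component(name):
                decisions[name] = "skip:relative"
            elif not resolves_inside(root, name):
                decisions[name] = "skip:escape"
            else:
                decisions[name] = "extract"
    return decisions


def safe_extract(zip_bytes: bytes, root: str) -> list:
    """Write only the entries that pass both checks; return the entry names written."""
    written = []
    decisions = plan_extraction(zip_bytes, root)
    root_real = os.path.realpath(root)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if decisions[info.filename] != "extract":
                continue
            dest = os.path.join(root_real, info.filename)
            if info.is_dir():
                os.makedirs(dest, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with zf.open(info) as src, open(dest, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def make_output_dir() -> str:
    """Fresh temporary output directory standing in for apktool's 'out1'."""
    return tempfile.mkdtemp(prefix="apk-out-")


if __name__ == "__main__":
    out_dir = make_output_dir()
    for name, decision in plan_extraction(build_sample_zip(), out_dir).items():
        print(f"{decision:14} {name}")
    print("written:", safe_extract(build_sample_zip(), out_dir))
```

The order of the two checks matters for the behaviour the maintainer describes: applying `has_relative_component` first rejects dotted names outright, so the rebuilt application never silently gains a normalised layout, while `resolves_inside` remains as the backstop for absolute names and for anything else that would canonicalise to a location outside the output directory.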