
Inapplicable path traversal attack error message #1310

Closed
CmP-lt opened this issue Dec 20, 2021 · 3 comments

CmP-lt commented Dec 20, 2021

Opening any DEX file leads to an error message of the following type getting logged:

ERROR: Path traversal attack detected, invalid name: C:\Users\Admin\Downloads\classes.dex

It seems that when a DEX file is opened separately, not as part of an APK file, JADX mistakenly treats it as an entry of a ZIP archive and calls the following method to check the validity of the file path, as if it were the name of an entry in a ZIP archive:

```java
// checks that entry name contains no any traversals
// and prevents cases like "../classes.dex", to limit output only to the specified directory
public static boolean isValidZipEntryName(String entryName) {
    try {
        File currentPath = new File(".").getCanonicalFile();
        File canonical = new File(currentPath, entryName).getCanonicalFile();
        if (isInSubDirectoryInternal(currentPath, canonical)) {
            return true;
        }
        LOG.error("Path traversal attack detected, invalid name: {}", entryName);
        return false;
    } catch (Exception e) {
        LOG.error("Path traversal attack detected, invalid name: {}", entryName);
        return false;
    }
}
```

skylot commented Dec 20, 2021

@CmP-lt I can't reproduce your issue 😞
Can you provide the jadx version and how you run jadx-gui (if from the command line: share that command)?
Also, maybe someone else saw this issue and can add any detail? A stack trace leading to that method would be the best option 🤣

CmP-lt commented Dec 20, 2021

JADX version: 1.3.1
Java version: 11.0.12
Startup type: double-clicking "jadx-gui.bat" file

skylot commented Dec 20, 2021

@CmP-lt thanks! I committed a fix 👍
This issue does not appear on Linux, only on Windows. Unlike Windows, Linux is fine with merging two absolute paths 🤣
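The thread above comes down to one point: a zip-entry containment check only makes sense for relative entry names, and feeding it an absolute path (the file the user opened) merges two absolute paths, which Windows rejects and Linux silently accepts. The following added example, which is not jadx's code and not the fix skylot committed, shows a containment check that rejects absolute and drive-prefixed names before any merging happens, and prints what the merge produces on the current platform. The class name, helper names and the sample entry names are assumptions made for this illustration; the base directory is assumed to be the current working directory.

```java
import java.io.File;
import java.io.IOException;
import java.util.regex.Pattern;

public class ZipEntryNameCheck {

    // Windows drive prefix such as "C:"; a name starting this way is not a relative zip entry
    // even when this code runs on Linux, where File.isAbsolute() would not flag it.
    private static final Pattern DRIVE_PREFIX = Pattern.compile("^[A-Za-z]:");

    // Returns true only when entryName is a relative name that, resolved against baseDir,
    // stays inside baseDir. Absolute names are rejected before any path merging happens,
    // because File(parent, child) concatenates the two on Windows and produces a path like
    // "<cwd>\C:\Users\..." that cannot be canonicalised (the error seen in this issue).
    public static boolean isValidZipEntryName(File baseDir, String entryName) {
        if (entryName == null || entryName.isEmpty()) {
            return false;
        }
        if (new File(entryName).isAbsolute()
                || entryName.startsWith("/") || entryName.startsWith("\\")
                || DRIVE_PREFIX.matcher(entryName).find()) {
            return false;
        }
        try {
            File base = baseDir.getCanonicalFile();
            File target = new File(base, entryName).getCanonicalFile();
            return isInSubDirectory(base, target);
        } catch (IOException e) {
            return false;
        }
    }

    // Walks up from file and succeeds only if dir is one of its ancestors (or file itself).
    private static boolean isInSubDirectory(File dir, File file) {
        for (File f = file; f != null; f = f.getParentFile()) {
            if (f.equals(dir)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        File base = new File(".").getCanonicalFile();
        // Constructed sample names: the first two are legitimate entries, the next two are
        // traversal attempts, the last is an absolute path of the kind a user opens directly.
        String[] names = {
                "classes.dex",
                "lib/x86/libnative.so",
                "../classes.dex",
                "assets/../../classes.dex",
                new File(base, "classes.dex").getAbsolutePath()
        };
        for (String name : names) {
            System.out.println(name + " -> " + isValidZipEntryName(base, name));
        }
        // What the original check did with an absolute path: merge it with the base directory.
        // On Linux this yields "<cwd><absolute path>" and canonicalises quietly; on Windows
        // the result contains a second drive prefix and getCanonicalFile() fails.
        File merged = new File(base, names[4]);
        System.out.println("merged path: " + merged.getPath());
    }
}
```

Compile and run with `javac ZipEntryNameCheck.java && java ZipEntryNameCheck`. The first two names are accepted, the two traversal names are rejected because their canonical form leaves the base directory, and the absolute path is rejected up front on both platforms rather than depending on how the operating system happens to join two absolute paths.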
