[gui] Slow check for zip entrynames

[eybisi]

Issue details

In Windows, loading apk files with many resource files takes additional time because of the getCanonicalFile function

jadx/jadx-core/src/main/java/jadx/api/plugins/utils/ZipSecurity.java

Line 82 in ce60aa8

File canonical = new File(currentPath, entryName).getCanonicalFile();

Following image shows the time that getCanonicalFile took (7sec)

After replacing it with getAbsoluteFile (which doesn't use IO) it took (1sec)

Total load time was 20 sec. 7 seconds makes huge difference.

getCanonicalFile resolves "..", "." and symlinks. In isValidZipEntryName, getCanonicalFile's return value is used to check if entry will be in sub directory of the CWD. Before this ".." is checked. So if we replace it with "getAbsoluteFile" we will be missing only symlinks. If there are no security implications I can create a PR.

Jadx version

dev

Java version

21.0.5

OS

• Windows
• Linux
• macOS

[skylot]

The current implementation is simple and bulletproof, because it is using system native path resolvers and as a result shows exactly how the system will handle the provided file path. Without such resolving, check will become useless, so I don't want to change this code. But, anyway, if someone else has some arguments and/or other approach feel free to share 🙂

[eybisi]

While loading resources, does jadx writes that file to filesystem? When saving a project file path is important yes, but what can happen when entry named "../../x" is loaded. Maybe two different checks can be used

[skylot]

While loading resources, does jadx writes that file to filesystem?

jadx-cli save all valid resources after loading.
In jadx-gui saving is optional, but showing something that can't be saved may be misleading, so now jadx prepare "final" version of resources so you will get same files after saving.

Now, it is possible to disable zip security checks with environment variable, if you want to view removed resources.