Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Zip Path Traversal vulnerability #91

Open
webberig opened this issue Jan 28, 2021 · 7 comments · May be fixed by #92
Open

Zip Path Traversal vulnerability #91

webberig opened this issue Jan 28, 2021 · 7 comments · May be fixed by #92

Comments

@webberig
Copy link

We uploaded an app to the play store which is being blocked for production because of following security error:

Your app contains an unsafe unzipping pattern that may lead to a Path Traversal vulnerability. Please see this Google Help Center article to learn how to fix the issue.

  • org.apache.cordova.Zip.unzipSync

The error links to following article:
https://support.google.com/faqs/answer/9294009
@webberig webberig linked a pull request Jan 29, 2021 that will close this issue
Open
@carlos-hs
Copy link

Hello @webberig ,

I've tried updating the "node_modules\cordova-plugin-zip\src\android\Zip.java" with the changes from your PR and I keep receiving the error from Google play.

Am I doing it right?

@webberig
Copy link
Author

@carlos-hs I'm pretty sure you'll need to update the same file located in the /plugins folder of your project. The files are being copied when Cordova installs the plugins

@priyankaprakasan
Copy link

Hi @webberig ,
Could you able to solve this issue. I also got the same warning in pre-launch report.

@webberig
Copy link
Author

I actually did, see #92...

@ZumelzuR
Copy link

?

@mbilalsardar
Copy link

Sir same issue is arising when i am trying to publish app with latest integration code as of 11 Jan 2021.
Branch : moodle app latest integration branch.

error
Zip Path Traversal
Your app contains an unsafe unzipping pattern that may lead to a Path Traversal vulnerability. Please see this Google Help Center article to learn how to fix the issue.
    org.apache.cordova.Zip.unzipSync

@uareurapid
Copy link

try to enclose it on an "else" statement, like this:

File file = new File(outputDirectory + compressedName);
          
String canonicalPath = file.getCanonicalPath();
if (!canonicalPath.startsWith(outputDirectory)) {
     String errorMessage = "Zip traversal security error";
     callbackContext.error(errorMessage);
     Log.e(LOG_TAG, errorMessage);
      return;
} else {

    file.getParentFile().mkdirs();
    if(file.exists() || file.createNewFile()){
        Log.w("Zip", "extracting: " + file.getPath());
        FileOutputStream fout = new FileOutputStream(file);
        int count;
        while ((count = zis.read(buffer)) != -1)
        {
           fout.write(buffer, 0, count);
        }
        fout.close();
     } 
}

Worked for me, no errors anymore on Google Play

cheers

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Handle zip traversal vulnerability zimmo-be/cordova-plugin-zip
6 participants
@ZumelzuR @uareurapid @webberig @priyankaprakasan @carlos-hs @mbilalsardar