[clipboard][android] Fix path traversal vulnerability in getFileForUri function #25549

Merged
merged 3 commits into from
Nov 23, 2023

behenate
Member

# Why

Fixes low severity vulnerability, which made it possible to read from a wrong root directory.

ENG-10333

# How

Used `file.startsWith` instead of `file.path.startsWith`

# Test Plan

✅ Passes tests in BareExpo on Android 13

@behenate behenate requested a review from lukmccall November 23, 2023 11:47
@behenate behenate requested a review from tsapeta as a code owner November 23, 2023 11:47
@expo-bot expo-bot added the bot: suggestions ExpoBot has some suggestions label Nov 23, 2023
Co-authored-by: Expo Bot <34669131+expo-bot@users.noreply.github.com>
@expo-bot expo-bot added bot: passed checks ExpoBot has nothing to complain about and removed bot: suggestions ExpoBot has some suggestions labels Nov 23, 2023
@behenate behenate merged commit 58a25fa into main Nov 23, 2023
9 checks passed
@behenate behenate deleted the @behenate/clipboard-travelsal-fix branch November 23, 2023 18:04
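
The difference between the two checks named in the "How" section of the PR description, as an added example that is not code from this pull request or from the Expo code base. The helper names, the directory layout and the use of `canonicalFile` are assumptions made for illustration; the real `getFileForUri` body is not shown on this page. `String.startsWith` compares characters, so a sibling directory whose name merely begins with the root's name passes, while Kotlin's `File.startsWith` compares whole path components.

```kotlin
import java.io.File
import java.nio.file.Files

// Hypothetical helpers for illustration; not the project's code.

// Character-prefix check: ".../clipboard_private" is accepted because its
// path string begins with the characters of ".../clipboard".
fun underRootByString(root: File, candidate: File): Boolean =
    candidate.canonicalFile.path.startsWith(root.canonicalFile.path)

// Component-wise check (kotlin.io File.startsWith): every component of root
// must match, so a sibling directory is rejected.
fun underRootByComponents(root: File, candidate: File): Boolean =
    candidate.canonicalFile.startsWith(root.canonicalFile)

// Resolve a caller-supplied relative path and refuse anything outside root.
// canonicalFile collapses ".." and symlinks before the comparison.
fun resolveInsideRoot(root: File, relativePath: String): File {
    val candidate = File(root, relativePath).canonicalFile
    if (!candidate.startsWith(root.canonicalFile)) {
        throw SecurityException("Resolved path is outside the configured root")
    }
    return candidate
}

fun main() {
    // Constructed sample layout in a temporary directory.
    val base = Files.createTempDirectory("clipboard-demo").toFile()
    val root = File(base, "clipboard").apply { mkdirs() }
    File(base, "clipboard_private").mkdirs()

    // Constructed sample inputs: one inside root, one in a sibling directory
    // sharing the root's name prefix, one in an unrelated directory.
    val samples = listOf(
        "image.png",
        "../clipboard_private/notes.txt",
        "../other/notes.txt"
    )
    for (rel in samples) {
        val candidate = File(root, rel)
        val byString = underRootByString(root, candidate)
        val byComponents = underRootByComponents(root, candidate)
        println("$rel string=$byString components=$byComponents")
    }
    base.deleteRecursively()
}
```

Only the sibling-directory sample separates the two checks: the string comparison accepts it and the component comparison rejects it.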
onizam95 pushed a commit to onizam95/expo-av-drm that referenced this pull request Jan 15, 2024
…ri` function (expo#25549)

# Why

Fixes low severity vulnerability, which made it possible to read from a
wrong root directory.

ENG-10333

# How

Used `file.startsWith` instead of `file.path.startsWith`

# Test Plan

✅  Passes tests in BareExpo on Android 13

---------

Co-authored-by: Expo Bot <34669131+expo-bot@users.noreply.github.com>
Labels
bot: fingerprint changed bot: passed checks ExpoBot has nothing to complain about