From d381eb32377cad9a8a340b837ff6be1de7fd936a Mon Sep 17 00:00:00 2001
From: Jan Peter Stotz
Date: Thu, 6 Oct 2022 20:18:34 +0200
Subject: [PATCH] Logging error messages on invalid file-names or path traversal attacks improved
---
 jadx-core/src/main/java/jadx/core/xmlgen/ResourcesSaver.java | 2 +-
 .../src/main/java/jadx/api/plugins/utils/ZipSecurity.java | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/jadx-core/src/main/java/jadx/core/xmlgen/ResourcesSaver.java b/jadx-core/src/main/java/jadx/core/xmlgen/ResourcesSaver.java
index 2583e57be68..1bfa675f1a5 100644
--- a/jadx-core/src/main/java/jadx/core/xmlgen/ResourcesSaver.java
+++ b/jadx-core/src/main/java/jadx/core/xmlgen/ResourcesSaver.java
@@ -49,7 +49,7 @@ private void saveResources(ResContainer rc) {
 private void save(ResContainer rc, File outDir) {
 File outFile = new File(outDir, rc.getFileName());
 if (!ZipSecurity.isInSubDirectory(outDir, outFile)) {
- LOG.error("Path traversal attack detected, invalid resource name: {}", outFile.getPath());
+ LOG.error("Invalid resource name or path traversal attack detected: {}", outFile.getPath());
 return;
 }
 saveToFile(rc, outFile);
diff --git a/jadx-plugins/jadx-plugins-api/src/main/java/jadx/api/plugins/utils/ZipSecurity.java b/jadx-plugins/jadx-plugins-api/src/main/java/jadx/api/plugins/utils/ZipSecurity.java
index a5911441f29..f310b58c6fb 100644
--- a/jadx-plugins/jadx-plugins-api/src/main/java/jadx/api/plugins/utils/ZipSecurity.java
+++ b/jadx-plugins/jadx-plugins-api/src/main/java/jadx/api/plugins/utils/ZipSecurity.java
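Review bot: The path written by the reworded `LOG.error` in `save` is built from `rc.getFileName()`, which presumably comes from the file being processed, and it reaches the log without any neutralisation. A name carrying CR/LF or terminal control sequences could split or garble the very entry that is meant to record a rejected path, so the rejected name is best logged with control characters replaced, e.g. `outFile.getPath().replaceAll("\\p{Cntrl}", "?")`. The same applies to `entryName` in both `LOG.error` calls of `ZipSecurity.isValidZipEntryName` in the second file. The body of `save` continues past the end of this hunk.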
@@ -53,10 +53,10 @@ public static boolean isValidZipEntryName(String entryName) {
 if (isInSubDirectoryInternal(currentPath, canonical)) {
 return true;
 }
- LOG.error("Path traversal attack detected, invalid name: {}", entryName);
+ LOG.error("Invalid file name or path traversal attack detected: {}", entryName);
 return false;
 } catch (Exception e) {
- LOG.error("Path traversal attack detected, invalid name: {}", entryName);
+ LOG.error("Invalid file name or path traversal attack detected: {}", entryName);
 return false;
 }
 }
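Review bot: The `catch (Exception e)` branch logs exactly the same text as the genuine rejection above it and discards `e`, so a failure while resolving the path cannot be told apart from a detected traversal when the log is triaged. Returning `false` there is the right fail-closed behaviour, but the cause should be kept: `LOG.error("Invalid file name or path traversal attack detected: {}", entryName, e);`, assuming `LOG` is an SLF4J-style logger that treats a trailing Throwable as the cause. The `try` block and the start of `isValidZipEntryName` lie above this hunk.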