fix: zip 路径穿透监测

painld6 · painld6 · commit 000aa61ecc6b · 2021-08-18T16:20:09.000+08:00
diff --git a/library/src/main/java/com/opensource/svgaplayer/SVGACache.kt b/library/src/main/java/com/opensource/svgaplayer/SVGACache.kt
@@ -56,7 +56,7 @@ object SVGACache {
     }
 
     // 清除目录下的所有文件
-    private fun clearDir(path: String) {
+    internal fun clearDir(path: String) {
         try {
             val dir = File(path)
             dir.takeIf { it.exists() }?.let { parentDir ->
diff --git a/library/src/main/java/com/opensource/svgaplayer/SVGAParser.kt b/library/src/main/java/com/opensource/svgaplayer/SVGAParser.kt
@@ -154,7 +154,7 @@ class SVGAParser(context: Context?) {
                             playCallback
                     )
                 }
-            } catch (e: java.lang.Exception) {
+            } catch (e: Exception) {
                 this.invokeErrorCallback(e, callback)
             }
         }
@@ -501,6 +501,7 @@ class SVGAParser(context: Context?) {
                             continue
                         }
                         val file = File(cacheDir, zipItem.name)
+                        ensureUnzipSafety(file, cacheDir.absolutePath)
                         FileOutputStream(file).use { fileOutputStream ->
                             val buff = ByteArray(2048)
                             while (true) {
@@ -519,8 +520,18 @@ class SVGAParser(context: Context?) {
         } catch (e: Exception) {
             LogUtils.error(TAG, "================ unzip error ================")
             LogUtils.error(TAG, "error", e)
+            SVGACache.clearDir(cacheDir.absolutePath)
             cacheDir.delete()
             throw e
         }
     }
+
+    // 检查 zip 路径穿透
+    private fun ensureUnzipSafety(outputFile: File, dstDirPath: String) {
+        val dstDirCanonicalPath = File(dstDirPath).canonicalPath
+        val outputFileCanonicalPath = outputFile.canonicalPath
+        if (!outputFileCanonicalPath.startsWith(dstDirCanonicalPath)) {
+            throw IOException("Found Zip Path Traversal Vulnerability with $dstDirCanonicalPath")
+        }
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -56,7 +56,7 @@ object SVGACache {`
`56`	`56`	`}`
`57`	`57`
`58`	`58`	`// 清除目录下的所有文件`
`59`		`- private fun clearDir(path: String) {`
	`59`	`+ internal fun clearDir(path: String) {`
`60`	`60`	`try {`
`61`	`61`	`val dir = File(path)`
`62`	`62`	`dir.takeIf { it.exists() }?.let { parentDir ->`
Original file line number	Diff line number	Diff line change
`@@ -154,7 +154,7 @@ class SVGAParser(context: Context?) {`
`154`	`154`	`playCallback`
`155`	`155`	`)`
`156`	`156`	`}`
`157`		`- } catch (e: java.lang.Exception) {`
	`157`	`+ } catch (e: Exception) {`
`158`	`158`	`this.invokeErrorCallback(e, callback)`
`159`	`159`	`}`
`160`	`160`	`}`
`@@ -501,6 +501,7 @@ class SVGAParser(context: Context?) {`
`501`	`501`	`continue`
`502`	`502`	`}`
`503`	`503`	`val file = File(cacheDir, zipItem.name)`
	`504`	`+ ensureUnzipSafety(file, cacheDir.absolutePath)`
`504`	`505`	`FileOutputStream(file).use { fileOutputStream ->`
`505`	`506`	`val buff = ByteArray(2048)`
`506`	`507`	`while (true) {`
`@@ -519,8 +520,18 @@ class SVGAParser(context: Context?) {`
`519`	`520`	`} catch (e: Exception) {`
`520`	`521`	`LogUtils.error(TAG, "================ unzip error ================")`
`521`	`522`	`LogUtils.error(TAG, "error", e)`
	`523`	`+ SVGACache.clearDir(cacheDir.absolutePath)`
`522`	`524`	`cacheDir.delete()`
`523`	`525`	`throw e`
`524`	`526`	`}`
`525`	`527`	`}`
	`528`	`+`
	`529`	`+ // 检查 zip 路径穿透`
	`530`	`+ private fun ensureUnzipSafety(outputFile: File, dstDirPath: String) {`
	`531`	`+ val dstDirCanonicalPath = File(dstDirPath).canonicalPath`
	`532`	`+ val outputFileCanonicalPath = outputFile.canonicalPath`
	`533`	`+ if (!outputFileCanonicalPath.startsWith(dstDirCanonicalPath)) {`
	`534`	`+ throw IOException("Found Zip Path Traversal Vulnerability with $dstDirCanonicalPath")`
	`535`	`+ }`
	`536`	`+ }`
`526`	`537`	`}`