Prevent arbitrary file writes with malicious resource names. (#3484)

iBotPeaches · iBotPeaches · commit 087f89ebc0dd · 2024-01-10T13:14:57.000-05:00
* refactor: rename sanitize function * fix: expose getDir * fix: safe handling of untrusted resource names - fixes: GHSA-2hqv-2xv4-5h5w * test: sample file for GHSA-2hqv-2xv4-5h5w * refactor: avoid detection of absolute files for resource check * chore: enable info mode on gradle * test: skip test on windows * chore: debug windows handling * fix: normalize entry with file separators * fix: normalize filepath after cleansing * chore: Android paths are not OS specific * refactor: use java.nio for path traversal checking * chore: align path separator on Windows for Zip files * chore: rework towards basic directory traversal * chore: remove '--info' on build.yml
diff --git a/brut.apktool/apktool-lib/src/main/java/brut/androlib/res/decoder/ResFileDecoder.java b/brut.apktool/apktool-lib/src/main/java/brut/androlib/res/decoder/ResFileDecoder.java
@@ -25,6 +25,7 @@
 import brut.directory.DirUtil;
 import brut.directory.Directory;
 import brut.directory.DirectoryException;
+import brut.util.BrutIO;
 
 import java.io.*;
 import java.util.Map;
@@ -47,6 +48,13 @@ public void decode(ResResource res, Directory inDir, Directory outDir, Map<Strin
         String outResName = res.getFilePath();
         String typeName = res.getResSpec().getType().getName();
 
+        if (BrutIO.detectPossibleDirectoryTraversal(outResName)) {
+            outResName = inFileName;
+            LOGGER.warning(String.format(
+                "Potentially malicious file path: %s, using instead %s", res.getFilePath(), outResName
+            ));
+        }
+
         String ext = null;
         String outFileName;
         int extPos = inFileName.lastIndexOf(".");
diff --git a/brut.j.util/src/main/java/brut/util/BrutIO.java b/brut.j.util/src/main/java/brut/util/BrutIO.java
@@ -94,6 +94,13 @@ public static String sanitizeUnknownFile(final File directory, final String entr
         return canonicalEntryPath.substring(canonicalDirPath.length());
     }
 
+    public static boolean detectPossibleDirectoryTraversal(String entry) {
+        if (OSDetection.isWindows()) {
+            return entry.contains("..\\") || entry.contains("\\..");
+        }
+        return entry.contains("../") || entry.contains("/..");
+    }
+
     public static String normalizePath(String path) {
         char separator = File.separatorChar;
 
