fix(android): path traversal vulnerability (#698)

vonovak · vonovak · commit ad0b5e58252e · 2024-02-05T14:28:22.000+01:00
* fix: path traversal vulnerability android

* docs: library update
diff --git a/README.md b/README.md
@@ -1,5 +1,9 @@
 # react-native-document-picker
 
+📣📣 A full rewrite of the library is in progress. 📣📣
+
+Please subscribe to [this issue](https://github.com/rnmods/react-native-document-picker/issues/603) to receive updates.
+
 🚧🚧 GH discussions available 🚧🚧
 
 If you want to ask questions, we opened [GH discussions](https://github.com/rnmods/react-native-document-picker/discussions) for that purpose! 🤗 Issue tracker is now reserved for bugs and feature requests only and issues not following the issue template can be closed. Thank you!
diff --git a/android/src/main/java/com/reactnativedocumentpicker/DocumentPickerModule.java b/android/src/main/java/com/reactnativedocumentpicker/DocumentPickerModule.java
@@ -311,7 +311,7 @@ private void copyFileToLocalStorage(Context context, WritableMap map, Uri uri) {
         if (fileName == null) {
           fileName = String.valueOf(System.currentTimeMillis());
         }
-        File destFile = new File(dir, fileName);
+        File destFile = safeGetDestination(new File(dir, fileName), dir.getCanonicalPath());
         Uri copyPath = copyFile(context, uri, destFile);
         map.putString(FIELD_FILE_COPY_URI, copyPath.toString());
       } catch (Exception e) {
@@ -321,6 +321,14 @@ private void copyFileToLocalStorage(Context context, WritableMap map, Uri uri) {
       }
     }
 
+    public File safeGetDestination(File destFile, String expectedDir) throws IllegalArgumentException, IOException {
+      String canonicalPath = destFile.getCanonicalPath();
+      if (!canonicalPath.startsWith(expectedDir)) {
+        throw new IllegalArgumentException("The copied file is attempting to write outside of the target directory.");
+      }
+      return destFile;
+    }
+
     public static Uri copyFile(Context context, Uri uri, File destFile) throws IOException {
       try(InputStream inputStream = context.getContentResolver().openInputStream(uri);
           FileOutputStream outputStream = new FileOutputStream(destFile)) {
