Fix MitM vulnerability (#2132)

andreidubov · web-flow · commit a9d5e767c676 · 2021-08-25T10:04:54.000+03:00
diff --git a/android/app/src/main/java/com/microsoft/codepush/react/FileUtils.java b/android/app/src/main/java/com/microsoft/codepush/react/FileUtils.java
@@ -123,14 +123,13 @@ public static String readFileToString(String filePath) throws IOException {
         }
     }
 
-    private static String validateFileName(String fileName, String targetDirectory) throws IOException {
-        File file = new File(fileName);
-        String canonicalPath = file.getCanonicalPath();
+    private static String validateFileName(String fileName, File destinationFolder) throws IOException {
+        String destinationFolderCanonicalPath = destinationFolder.getCanonicalPath();
 
-        File targetFile = new File(targetDirectory);
-        String targetCanonicalPath = targetFile.getCanonicalPath();
+        File file = new File(destinationFolderCanonicalPath, fileName);
+        String canonicalPath = file.getCanonicalPath();
 
-        if (!canonicalPath.startsWith(targetCanonicalPath)) {
+        if (!canonicalPath.startsWith(destinationFolderCanonicalPath)) {
             throw new IllegalStateException("File is outside extraction target directory.");
         }
 
@@ -151,12 +150,12 @@ public static void unzipFile(File zipFile, String destination) throws IOExceptio
             if (destinationFolder.exists()) {
                 deleteFileOrFolderSilently(destinationFolder);
             }
-            
+
             destinationFolder.mkdirs();
 
             byte[] buffer = new byte[WRITE_BUFFER_SIZE];
             while ((entry = zipStream.getNextEntry()) != null) {
-                String fileName = validateFileName(entry.getName(), ".");
+                String fileName = validateFileName(entry.getName(), destinationFolder);
                 File file = new File(destinationFolder, fileName);
                 if (entry.isDirectory()) {
                     file.mkdirs();
