fix(android): path traversal vulnerability #698
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This fixes a Path Traversal Vulnerability which was present on Android https://developer.android.com/privacy-and-security/risks/path-traversal.
According to CVSS spec, this is a high severity vulnerability see here.
The prerequisite is that the user has a malicious app installed on their phone that they can pick files from (think Google Drive or Dropbox, or some File browser app, which is malicious), and that the
copyTo
option is passed to the picking functions.What could happen is that the
fileName
obtained from aCursor
when picking a file using the malicious' appDocumentProvider
could contain special characters such as../
which would change the destination that the file is being written to when using thecopyTo
option.The vulnerability was reported by https://github.com/FixedOctocat
This can, generally speaking, lead to files being rewritten. In the context of React Native, this could lead to the js bundle of the application being swapped for another one, if user picked a malicious file from a malicious
DocumentProvider
, and thecopyTo
option is specified.Test Plan
I tested the fix on a Android 10 device and Android 14 simulator. The fix for the issue follows the fix from the recommended mitigation.
What are the steps to reproduce (after prerequisites)?
Given a device or emulator, if you modify the first param passed to
safeGetDestination
to lead to a path outside of thecacheDir
orFilesDir
,copyFileToLocalStorage
will not perform the copy the becausesafeGetDestination
throws aIllegalArgumentException
.Compatibility
Checklist
README.md