Android Question Fixing a Zip Path Traversal Vulnerability

Filippo

Expert
Licensed User
Hi,

I have this warning message in Google Play Console because I am using the library "unzipzip" in my app, how can I solve the problem?

Fixing a Zip Path Traversal Vulnerability
This information is intended for developers with app(s) that contain unsafe unzipping patterns, which may potentially lead to a Zip Path Traversal attack. Locations of vulnerable app classes containing unsafe unzipping patterns can be found in the Play Console notification for your app.

Additional details

Zip files can contain an entry (file or directory) having path traversal characters (“../”) in its name. If developers unzip such zip file entries without validating their name, it can potentially cause a path traversal attack, leading to writes in arbitrary directories or even overwriting the files in the app's private folders.

We recommend fixing this issue in your app by checking if canonical paths to unzipped files are underneath an expected directory. Specifically, before using a File object created using the return value of ZipEntry's getName() method, always check if the return value of File.getCanonicalPath() belongs to the intended directory path. For example:

InputStream is = new FileInputStream(untrustedFileName);
ZipInputStream zis = new ZipInputStream(new BufferedInputStream(is));
ZipEntry ze;
while ((ze = zis.getNextEntry()) != null) {
    File f = new File(DIR, ze.getName());
    String canonicalPath = f.getCanonicalPath();
    // DIR must itself be a canonical path ending in File.separator,
    // otherwise a sibling directory with the same prefix would pass this check.
    if (!canonicalPath.startsWith(DIR)) {
        throw new SecurityException("Zip entry outside target directory: " + ze.getName());
    }
    // Finish unzipping…
}


Next steps

  1. Update your app using the steps highlighted above.
  2. Sign in to your Play Console and submit the updated version of your app.
Your app will be reviewed again; if the app has not been updated correctly, you will still see the warning. This process can take several hours.
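The check Google describes above, carried through to a complete restore routine, as an added example that is not part of the original post, of Google's notice, or of the unzipzip/Archiver libraries. The class name SafeUnzip, the methods unzip and buildZip, and the two sample archives (a normal backup and one whose entry name climbs out of the target directory) are all constructed here for illustration:

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class SafeUnzip {

    /** Extracts every entry into targetDir, rejecting any entry whose canonical path escapes it. */
    public static List<File> unzip(InputStream in, File targetDir) throws IOException {
        // Canonicalise the destination once and append the separator, so that
        // "/data/app" does not accept "/data/app-other/x" as one of its children.
        String base = targetDir.getCanonicalPath();
        if (!base.endsWith(File.separator)) {
            base += File.separator;
        }
        List<File> written = new ArrayList<>();
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry ze;
            while ((ze = zis.getNextEntry()) != null) {
                File f = new File(targetDir, ze.getName());
                // getCanonicalPath() resolves "..", "." and symlinks before the comparison.
                String canonical = f.getCanonicalPath();
                if (!canonical.startsWith(base)) {
                    throw new SecurityException("Zip entry escapes target directory: " + ze.getName());
                }
                if (ze.isDirectory()) {
                    if (!f.isDirectory() && !f.mkdirs()) {
                        throw new IOException("Could not create directory " + f);
                    }
                } else {
                    File parent = f.getParentFile();
                    if (parent != null && !parent.isDirectory() && !parent.mkdirs()) {
                        throw new IOException("Could not create directory " + parent);
                    }
                    try (OutputStream out = new FileOutputStream(f)) {
                        byte[] buf = new byte[8192];
                        int n;
                        while ((n = zis.read(buf)) != -1) {
                            out.write(buf, 0, n);
                        }
                    }
                    written.add(f);
                }
                zis.closeEntry();
            }
        }
        return written;
    }

    /** Builds a small in-memory zip from constructed entry names and contents (test data only). */
    static byte[] buildZip(String[] names, String[] contents) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            for (int i = 0; i < names.length; i++) {
                zos.putNextEntry(new ZipEntry(names[i]));
                zos.write(contents[i].getBytes(StandardCharsets.UTF_8));
                zos.closeEntry();
            }
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        File dir = Files.createTempDirectory("restore").toFile();

        // A well-formed backup (constructed sample) restores normally.
        byte[] good = buildZip(new String[] {"data/notes.csv"}, new String[] {"id,text\n1,hello\n"});
        List<File> files = unzip(new ByteArrayInputStream(good), dir);
        System.out.println("restored: " + files);

        // An archive whose entry name contains "../" (constructed sample) is rejected
        // before any byte is written outside the restore directory.
        byte[] bad = buildZip(new String[] {"../escaped.txt"}, new String[] {"x\n"});
        try {
            unzip(new ByteArrayInputStream(bad), dir);
            System.out.println("unexpected: traversal entry was accepted");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two points differ from the short snippet in the notice: the base directory is canonicalised and given a trailing separator before the startsWith comparison, and directory entries are handled separately from file entries so a path like "a/../../b" cannot be created as an intermediate directory either.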
 

Erel

Administrator
Staff member
Licensed User
Are you unzipping external files? If you are only unzipping your own files then this is not really relevant.

Why aren't you using the Archiver library (though I'm not sure whether it makes this check or not)?
The library developer should add this check.
 

Filippo

Expert
Licensed User
Are you unzipping external files? If you are only unzipping your own files then this is not really relevant.

Why aren't you using the Archiver library (though I'm not sure whether it makes this check or not)?
The library developer should add this check.
Hi Erel,
Under File.DirInternal, the app creates CSV files. The user has the option to create a backup as a zip file under file.DirRootExternal.
These backups can then also be restored, so I can no longer guarantee whether the backup file is safe.
 

Erel

Administrator
Staff member
Licensed User
You cannot add it yourself. The library author should add it.
 

Erel

Administrator
Staff member
Licensed User
First step is to ask Informatix to update the library. It should be a small change.
 