fix(android): path traversal vulnerability #698

Merged
merged 2 commits into from
Feb 5, 2024

vonovak
Collaborator

@vonovak vonovak commented Feb 5, 2024

Summary

This fixes a Path Traversal Vulnerability which was present on Android https://developer.android.com/privacy-and-security/risks/path-traversal.

According to the CVSS spec, this is a high-severity vulnerability; see here.

The prerequisite is that the user has a malicious app installed on their phone that they can pick files from (think Google Drive or Dropbox, or some File browser app, which is malicious), and that the copyTo option is passed to the picking functions.

What could happen is that the fileName obtained from a Cursor when picking a file using the malicious app's DocumentProvider could contain special characters such as ../ which would change the destination that the file is being written to when using the copyTo option.

The vulnerability was reported by https://github.com/FixedOctocat

This can, generally speaking, lead to files being rewritten. In the context of React Native, this could lead to the js bundle of the application being swapped for another one, if the user picked a malicious file from a malicious DocumentProvider, and the copyTo option is specified.

Test Plan

I tested the fix on an Android 10 device and Android 14 simulator. The fix for the issue follows the fix from the recommended mitigation.

What are the steps to reproduce (after prerequisites)?

Given a device or emulator, if you modify the first param passed to safeGetDestination to lead to a path outside of the cacheDir or FilesDir, copyFileToLocalStorage will not perform the copy because safeGetDestination throws an IllegalArgumentException.

Compatibility

OS Implemented
iOS
Android

Checklist

  • I have tested this on a device and a simulator
  • I added the documentation in README.md
  • I updated the typed files (TS and Flow)

@vonovak vonovak merged commit 1ae7cb2 into master Feb 5, 2024
1 check passed
@vonovak vonovak deleted the fix/path-traversal-bug branch February 5, 2024 13:14
vonovak added a commit that referenced this pull request Feb 5, 2024
* fix: path traversal vulnerability android

* docs: library update
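
The canonical-path containment check that the PR description refers to, as an added example that is not the library's own code: `resolveInside`, the temporary directory and the sample file names are constructed for illustration. It also covers one case the description does not mention, a sibling directory whose name merely starts with the base directory's name.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

public class SafeDestinationDemo {
    // Hypothetical helper (not the library's safeGetDestination): resolves an
    // untrusted display name against baseDir and rejects anything outside it.
    static File resolveInside(File baseDir, String untrustedName) throws IOException {
        File candidate = new File(baseDir, untrustedName);
        // Canonicalization collapses "." and ".." segments and resolves symlinks.
        String base = baseDir.getCanonicalPath();
        String target = candidate.getCanonicalPath();
        // Compare against base + separator so that a sibling such as
        // "cache-evil" does not pass a bare startsWith(base) prefix check.
        if (!target.startsWith(base + File.separator)) {
            throw new IllegalArgumentException("Destination escapes " + base);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for the app's cacheDir.
        File cacheDir = new File(Files.createTempDirectory("demo").toFile(), "cache");
        if (!cacheDir.mkdirs()) {
            throw new IOException("cannot create " + cacheDir);
        }

        // Constructed file names, standing in for values read from a Cursor.
        String[] names = {
            "report.pdf",               // plain name, stays inside
            "sub/../report.pdf",        // contains "..", but still resolves inside
            "../files/other.bin",       // escapes into a sibling directory
            "../cache-evil/report.pdf", // sibling sharing the "cache" prefix
        };
        for (String name : names) {
            try {
                File dest = resolveInside(cacheDir, name);
                System.out.println("accepted: " + name + " -> " + dest.getCanonicalPath());
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The decision is made on the canonical path rather than on the presence of `../` in the name, so a name that contains `..` yet still resolves inside the base directory is accepted.
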
@josh-thompson13

This issue is fixed in V8.2.2 right?

Please update GHSA-pmgm-h3cc-m4hj to reflect that 8.2.2 is fine.

@vonovak
Collaborator Author

vonovak commented Feb 20, 2024

Yes, it is fixed in 8.2.2 as well as 9.1.1
