Fixes for path traversal vulnerabilities#4591
Open
TranceLove wants to merge 2 commits intohotfix/3.11.2from
Open
Fixes for path traversal vulnerabilities#4591TranceLove wants to merge 2 commits intohotfix/3.11.2from
TranceLove wants to merge 2 commits intohotfix/3.11.2from
Conversation
There was a problem hiding this comment.
Pull request overview
Hardens archive extraction against path traversal (“zip slip”) by adding canonical-path checks in multiple extractor implementations and adding regression tests with malicious archives.
Changes:
- Add canonical-path guards to ZIP/RAR/7z and Commons-Compress-based extractors to prevent writes outside the output directory.
- Extend entry-path validation logic in
CompressedHelper.isEntryPathValid. - Add malicious archive fixtures and new unit tests covering traversal attempts.
Reviewed changes
Copilot reviewed 8 out of 11 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| app/src/main/java/com/amaze/filemanager/filesystem/compressed/extractcontents/helpers/ZipExtractor.kt | Adds canonical-path guard for ZipEntry extraction. |
| app/src/play/java/com/amaze/filemanager/filesystem/compressed/extractcontents/helpers/RarExtractor.kt | Strengthens canonical-path check for RAR extraction. |
| app/src/main/java/com/amaze/filemanager/filesystem/compressed/extractcontents/helpers/SevenZipExtractor.kt | Adds canonical-path guard for 7z extraction (file entries). |
| app/src/main/java/com/amaze/filemanager/filesystem/compressed/extractcontents/helpers/AbstractCommonsArchiveExtractor.kt | Adds canonical-path guard for Commons-Compress extractors (file entries). |
| app/src/main/java/com/amaze/filemanager/filesystem/compressed/CompressedHelper.java | Updates entry path validation logic. |
| app/src/test/java/com/amaze/filemanager/filesystem/compressed/extractcontents/ZipExtractorTest.kt | Adds malicious ZIP extraction test. |
| app/src/test/java/com/amaze/filemanager/filesystem/compressed/extractcontents/TarGzExtractorTest.kt | Adds malicious tar.gz extraction test. |
| app/src/test/java/com/amaze/filemanager/filesystem/compressed/extractcontents/SevenZipExtractorTest.kt | Adds malicious 7z extraction test. |
| app/src/test/resources/malicious.zip | Adds malicious ZIP fixture. |
| app/src/test/resources/malicious.tar.gz | Adds malicious tar.gz fixture. |
| app/src/test/resources/malicious.7z | Adds malicious 7z fixture. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
app/src/main/java/com/amaze/filemanager/filesystem/compressed/CompressedHelper.java
Outdated
Show resolved
Hide resolved
...ain/java/com/amaze/filemanager/filesystem/compressed/extractcontents/helpers/ZipExtractor.kt
Outdated
Show resolved
Hide resolved
...ava/com/amaze/filemanager/filesystem/compressed/extractcontents/helpers/SevenZipExtractor.kt
Outdated
Show resolved
Hide resolved
...filemanager/filesystem/compressed/extractcontents/helpers/AbstractCommonsArchiveExtractor.kt
Outdated
Show resolved
Hide resolved
...rc/test/java/com/amaze/filemanager/filesystem/compressed/extractcontents/ZipExtractorTest.kt
Show resolved
Hide resolved
EmmanuelMess
requested changes
Mar 29, 2026
Member
EmmanuelMess
left a comment
EmmanuelMess
left a comment
There was a problem hiding this comment.
Testing on API 21 emulator:
- extracting the
malicious.tar.gzshows "Done" toast but nothing gets extracted. malicious.7zshows "Error" and half extracts.- Extracting
malicious.tar.gztwice breaks the app, for example, the extraction notification never ends and, for deleting folders, the folder size never loads. - Extracting
malicious.zipshows correct toast, and half extracts.
Should rar be tested?
|
|
||
| public static final boolean isEntryPathValid(String entryPath) { | ||
| return !entryPath.startsWith("..\\") && !entryPath.startsWith("../") && !entryPath.equals(".."); | ||
| public static boolean isEntryPathValid(String entryPath) { |
Member
There was a problem hiding this comment.
This would mark valid paths that contain ".." as invalid. For example: dir1/dir2/.. is valid if dir1 is in the compressed file.
| entry: ArchiveEntry, | ||
| outputDir: String, | ||
| ) { | ||
| val outputFile = File(outputDir, entry.name) |
Member
There was a problem hiding this comment.
I think this code is repeated verbatim 3 times, is it possible to at least move the check to a function?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Fix Extractor.extractEntry implementations that would allow carefully crafted archives to extract files above allowed places in filesystem.
Issue tracker
Automatic tests
Manual tests
Build tasks success
Successfully running following tasks on local:
./gradlew assembledebug./gradlew spotlessCheck