TeamAmaze · TranceLove · Mar 25, 2026 · Mar 29, 2026 · EmmanuelMess · Mar 29, 2026
diff --git a/app/src/main/java/com/amaze/filemanager/filesystem/compressed/CompressedHelper.java b/app/src/main/java/com/amaze/filemanager/filesystem/compressed/CompressedHelper.java
@@ -228,8 +228,20 @@ public static String getFileName(String compressedName) {
     }
   }
 
-  public static final boolean isEntryPathValid(String entryPath) {
-    return !entryPath.startsWith("..\\") && !entryPath.startsWith("../") && !entryPath.equals("..");
+  public static boolean isEntryPathValid(String entryPath) {
+    if (entryPath == null || entryPath.isEmpty()) {
+      return false;
+    }
+    // Normalize path separators to handle both Unix and Windows-style paths.
+    String normalized = entryPath.replace('\\', '/');
+    // Reject any path that attempts to traverse up the directory tree.
+    String[] segments = normalized.split("/");
+    for (String segment : segments) {
+      if ("..".equals(segment)) {
+        return false;
+      }
+    }
+    return true;
   }
 
   private static boolean isZip(String type) {

diff --git a/...emanager/filesystem/compressed/extractcontents/helpers/AbstractCommonsArchiveExtractor.kt b/...emanager/filesystem/compressed/extractcontents/helpers/AbstractCommonsArchiveExtractor.kt
@@ -67,7 +67,7 @@ abstract class AbstractCommonsArchiveExtractor(
                     }
                 }
             }
-            if (archiveEntries.size > 0) {
+            if (archiveEntries.isNotEmpty()) {
                 listener.onStart(totalBytes, archiveEntries[0].name)
                 inputStream.close()
                 inputStream = createFrom(FileInputStream(filePath))
@@ -96,11 +96,16 @@ abstract class AbstractCommonsArchiveExtractor(
         entry: ArchiveEntry,
         outputDir: String,
     ) {
+        val outputFile = File(outputDir, entry.name)
+        if (!outputFile.canonicalPath.startsWith(File(outputDir).canonicalPath + File.separator) &&
+            outputFile.canonicalPath != File(outputDir).canonicalPath
+        ) {
+            throw IOException("Incorrect archive entry path: ${entry.name}")
+        }
         if (entry.isDirectory) {
             MakeDirectoryOperation.mkdir(File(outputDir, entry.name), context)
             return
         }
-        val outputFile = File(outputDir, entry.name)
         if (false == outputFile.parentFile?.exists()) {
             MakeDirectoryOperation.mkdir(outputFile.parentFile, context)
         }

diff --git a/.../com/amaze/filemanager/filesystem/compressed/extractcontents/helpers/SevenZipExtractor.kt b/.../com/amaze/filemanager/filesystem/compressed/extractcontents/helpers/SevenZipExtractor.kt
@@ -105,12 +105,16 @@ class SevenZipExtractor(
         entry: SevenZArchiveEntry,
         outputDir: String,
     ) {
-        val name = entry.name
+        val outputFile = File(outputDir, entry.name)
+        if (!outputFile.canonicalPath.startsWith(File(outputDir).canonicalPath + File.separator) &&
+            outputFile.canonicalPath != File(outputDir).canonicalPath
+        ) {
+            throw IOException("Incorrect archive entry path: ${entry.name}")
+        }
         if (entry.isDirectory) {
-            MakeDirectoryOperation.mkdir(File(outputDir, name), context)
+            MakeDirectoryOperation.mkdir(File(outputDir, entry.name), context)
             return
         }
-        val outputFile = File(outputDir, name)
         if (!outputFile.parentFile.exists()) {
             MakeDirectoryOperation.mkdir(outputFile.parentFile, context)
         }

diff --git a/.../java/com/amaze/filemanager/filesystem/compressed/extractcontents/helpers/ZipExtractor.kt b/.../java/com/amaze/filemanager/filesystem/compressed/extractcontents/helpers/ZipExtractor.kt
@@ -21,7 +21,6 @@
 package com.amaze.filemanager.filesystem.compressed.extractcontents.helpers
 
 import android.content.Context
-import android.os.Build
 import com.amaze.filemanager.R
 import com.amaze.filemanager.application.AppConfig
 import com.amaze.filemanager.fileoperations.filesystem.compressed.ArchivePasswordCache
@@ -47,8 +46,6 @@ class ZipExtractor(
     listener: OnUpdate,
     updatePosition: UpdatePosition,
 ) : Extractor(context, filePath, outputPath, listener, updatePosition) {
-    private val isRobolectricTest = Build.HARDWARE == "robolectric"
-
     @Throws(IOException::class)
     override fun extractWithFilter(filter: Filter) {
         var totalBytes: Long = 0
@@ -110,10 +107,13 @@ class ZipExtractor(
         outputDir: String,
     ) {
         val outputFile = File(outputDir, fixEntryName(entry.fileName))
-        if (!outputFile.canonicalPath.startsWith(outputDir) &&
-            (isRobolectricTest && !outputFile.canonicalPath.startsWith("/private$outputDir"))
-        ) {
-            throw IOException("Incorrect ZipEntry path!")
+        val canonicalOutput = outputFile.canonicalPath
+        val canonicalDir = File(outputDir).canonicalPath + File.separator
+        if (!canonicalOutput.startsWith(canonicalDir)) {
+            throw IOException(
+                "Refusing to extract Zip entry '${entry.fileName}' to '$canonicalOutput' " +
+                    "outside target directory '$canonicalDir'",
+            )
         }
         if (entry.isDirectory) {
             // zip entry is a directory, return after creating new directory

diff --git a/.../java/com/amaze/filemanager/filesystem/compressed/extractcontents/helpers/RarExtractor.kt b/.../java/com/amaze/filemanager/filesystem/compressed/extractcontents/helpers/RarExtractor.kt
@@ -77,9 +77,11 @@ class RarExtractor(
                             MainHeaderNullException::class.java.isAssignableFrom(it::class.java) -> {
                             throw BadArchiveNotice(it)
                         }
+
                         UnsupportedRarV5Exception::class.java.isAssignableFrom(it::class.java) -> {
                             throw it
                         }
+
                         else -> {
                             throw PasswordRequiredException(filePath)
                         }
@@ -144,9 +146,9 @@ class RarExtractor(
                 CompressedHelper.SEPARATOR,
             )
         val outputFile = File(outputDir, name)
-        if (!outputFile.canonicalPath.startsWith(outputDir) &&
-            (isRobolectricTest && !outputFile.canonicalPath.startsWith("/private$outputDir"))
-        ) {
+        val canonicalOutput = outputFile.canonicalPath
+        val canonicalDir = File(outputDir).canonicalPath + File.separator
+        if (!canonicalOutput.startsWith(canonicalDir)) {
             throw IOException("Incorrect RAR FileHeader path!")
         }
         if (entry.isDirectory) {
@@ -232,7 +234,12 @@ class RarExtractor(
                             "\\\\".toRegex(),
                             CompressedHelper.SEPARATOR,
                         )
-                    extractEntry(context, archive, header, context.externalCacheDir!!.absolutePath)
+                    extractEntry(
+                        context,
+                        archive,
+                        header,
+                        context.externalCacheDir!!.absolutePath,
+                    )
                     return "${context.externalCacheDir!!.absolutePath}/$filename"
                 }
             }

diff --git a/...java/com/amaze/filemanager/filesystem/compressed/extractcontents/SevenZipExtractorTest.kt b/...java/com/amaze/filemanager/filesystem/compressed/extractcontents/SevenZipExtractorTest.kt
@@ -20,10 +20,66 @@
 
 package com.amaze.filemanager.filesystem.compressed.extractcontents
 
+import android.os.Environment
+import androidx.test.core.app.ApplicationProvider
+import com.amaze.filemanager.asynchronous.management.ServiceWatcherUtil
 import com.amaze.filemanager.filesystem.compressed.extractcontents.helpers.SevenZipExtractor
+import org.junit.Assert.assertFalse
+import org.junit.Assert.fail
+import org.junit.Test
+import java.io.File
+import java.io.IOException
 
 open class SevenZipExtractorTest : AbstractArchiveExtractorTest() {
     override val archiveType: String = "7z"
 
     override fun extractorClass(): Class<out Extractor?> = SevenZipExtractor::class.java
+
+    /**
+     * Verify that a 7-Zip archive carrying a path-traversal entry
+     * (../POC_7Z_PROOF.txt) is blocked by the canonical-path guard:
+     *  - extractEverything() must throw IOException
+     *  - no file is written outside the designated output directory
+     */
+    @Test
+    fun testExtractMalicious7z() {
+        val maliciousArchive = File(Environment.getExternalStorageDirectory(), "malicious.7z")
+        val outputDir = Environment.getExternalStorageDirectory()
+        val extractor =
+            SevenZipExtractor(
+                ApplicationProvider.getApplicationContext(),
+                maliciousArchive.absolutePath,
+                outputDir.absolutePath,
+                object : Extractor.OnUpdate {
+                    override fun onStart(
+                        totalBytes: Long,
+                        firstEntryName: String,
+                    ) = Unit
+
+                    override fun onUpdate(entryPath: String) = Unit
+
+                    override fun isCancelled(): Boolean = false
+
+                    override fun onFinish() = Unit
+                },
+                ServiceWatcherUtil.UPDATE_POSITION,
+            )
+
+        try {
+            extractor.extractEverything()
+            fail("Expected IOException: canonical-path guard must reject the traversal entry")
+        } catch (e: IOException) {
+            // Confirm the guard fired (not a generic bad-archive error)
+            assertFalse(
+                "Exception must not be a BadArchiveNotice",
+                e is Extractor.BadArchiveNotice,
+            )
+        }
+
+        // The malicious file must NOT have been written outside the output directory
+        assertFalse(
+            "Malicious file must not escape the output directory",
+            File(outputDir.parentFile, "POC_7Z_PROOF.txt").exists(),
+        )
+    }
 }
diff --git a/...st/java/com/amaze/filemanager/filesystem/compressed/extractcontents/TarGzExtractorTest.kt b/...st/java/com/amaze/filemanager/filesystem/compressed/extractcontents/TarGzExtractorTest.kt
@@ -20,10 +20,67 @@
 
 package com.amaze.filemanager.filesystem.compressed.extractcontents
 
+import android.os.Environment
+import androidx.test.core.app.ApplicationProvider
+import com.amaze.filemanager.asynchronous.management.ServiceWatcherUtil
 import com.amaze.filemanager.filesystem.compressed.extractcontents.helpers.TarGzExtractor
+import org.junit.Assert.assertFalse
+import org.junit.Assert.fail
+import org.junit.Test
+import java.io.File
+import java.io.IOException
 
 open class TarGzExtractorTest : AbstractArchiveExtractorTest() {
     override val archiveType: String = "tar.gz"
 
     override fun extractorClass(): Class<out Extractor?> = TarGzExtractor::class.java
+
+    /**
+     * Verify that a tar.gz archive carrying a path-traversal entry
+     * (../POC_ZIPSLIP_PROOF.txt) is blocked by the canonical-path guard
+     * in AbstractCommonsArchiveExtractor:
+     *  - extractEverything() must throw IOException
+     *  - no file is written outside the designated output directory
+     */
+    @Test
+    fun testExtractMaliciousTarGz() {
+        val maliciousArchive = File(Environment.getExternalStorageDirectory(), "malicious.tar.gz")
+        val outputDir = Environment.getExternalStorageDirectory()
+        val extractor =
+            TarGzExtractor(
+                ApplicationProvider.getApplicationContext(),
+                maliciousArchive.absolutePath,
+                outputDir.absolutePath,
+                object : Extractor.OnUpdate {
+                    override fun onStart(
+                        totalBytes: Long,
+                        firstEntryName: String,
+                    ) = Unit
+
+                    override fun onUpdate(entryPath: String) = Unit
+
+                    override fun isCancelled(): Boolean = false
+
+                    override fun onFinish() = Unit
+                },
+                ServiceWatcherUtil.UPDATE_POSITION,
+            )
+
+        try {
+            extractor.extractEverything()
+            fail("Expected IOException: canonical-path guard must reject the traversal entry")
+        } catch (e: IOException) {
+            // Confirm the guard fired (not a generic bad-archive error)
+            assertFalse(
+                "Exception must not be a BadArchiveNotice",
+                e is Extractor.BadArchiveNotice,
+            )
+        }
+
+        // The malicious file must NOT have been written outside the output directory
+        assertFalse(
+            "Malicious file must not escape the output directory",
+            File(outputDir.parentFile, "POC_ZIPSLIP_PROOF.txt").exists(),
+        )
+    }
 }
diff --git a/...test/java/com/amaze/filemanager/filesystem/compressed/extractcontents/ZipExtractorTest.kt b/...test/java/com/amaze/filemanager/filesystem/compressed/extractcontents/ZipExtractorTest.kt
@@ -20,10 +20,72 @@
 
 package com.amaze.filemanager.filesystem.compressed.extractcontents
 
+import android.os.Environment
+import androidx.test.core.app.ApplicationProvider
+import com.amaze.filemanager.asynchronous.management.ServiceWatcherUtil
 import com.amaze.filemanager.filesystem.compressed.extractcontents.helpers.ZipExtractor
+import org.junit.Assert.assertFalse
+import org.junit.Assert.assertTrue
+import org.junit.Test
+import java.io.File
 
 class ZipExtractorTest : AbstractArchiveExtractorTest() {
     override val archiveType: String = "zip"
 
     override fun extractorClass(): Class<out Extractor?> = ZipExtractor::class.java
+
+    /**
+     * Verify that a ZIP archive carrying a path-traversal entry
+     * (foo/../../POC_ZIP_PROOF.txt) is handled safely:
+     *  - extraction completes without an exception
+     *  - the offending entry is recorded in invalidArchiveEntries
+     *  - no file is written outside the designated output directory
+     */
+    @Test
+    fun testExtractMaliciousZip() {
+        val maliciousArchive = File(Environment.getExternalStorageDirectory(), "malicious.zip")
+        val outputDir = Environment.getExternalStorageDirectory()
+        val extractor =
+            ZipExtractor(
+                ApplicationProvider.getApplicationContext(),
+                maliciousArchive.absolutePath,
+                outputDir.absolutePath,
+                object : Extractor.OnUpdate {
+                    override fun onStart(
+                        totalBytes: Long,
+                        firstEntryName: String,
+                    ) = Unit
+
+                    override fun onUpdate(entryPath: String) = Unit
+
+                    override fun isCancelled(): Boolean = false
+
+                    override fun onFinish() = Unit
+                },
+                ServiceWatcherUtil.UPDATE_POSITION,
+            )
+
+        // Extraction must succeed — path-traversal entries are quarantined, not thrown
+        extractor.extractEverything()
+
+        // The traversal entry must be recorded as invalid …
+        assertTrue(
+            "Malicious path-traversal entry must be captured in invalidArchiveEntries",
+            extractor.invalidArchiveEntries.isNotEmpty(),
+        )
+        assertTrue(
+            "invalidArchiveEntries must contain the POC entry",
+            extractor.invalidArchiveEntries.any { "POC_ZIP_PROOF" in it },
+        )
+        // … and must NOT have been written outside the output directory
+        val escapedFile = File(outputDir, "foo/../../POC_ZIP_PROOF.txt").canonicalFile
+        assertFalse(
+            "Malicious file must not escape the output directory",
+            escapedFile.exists(),
+        )
+        assertFalse(
+            "Escaped file canonical path must not reside under output directory",
+            escapedFile.canonicalPath.startsWith(outputDir.canonicalPath),
+        )
+    }
 }
diff --git a/app/src/test/resources/malicious.7z b/app/src/test/resources/malicious.7z
diff --git a/app/src/test/resources/malicious.tar.gz b/app/src/test/resources/malicious.tar.gz
diff --git a/app/src/test/resources/malicious.zip b/app/src/test/resources/malicious.zip