Zip path traversal vulnerability

Google Play has raised a warning against my app using GraphHopper (0.4 snapshot).

Your app contains an unsafe unzipping pattern that may lead to a Path Traversal vulnerability. Please see this Google Help Center article to learn how to fix the issue.

Vulnerable locations:

  • com.graphhopper.util.Unzipper.unzip

I have now updated my app to 0.8-snapshot. Just wanted to confirm: is this fixed in 0.8? Looking at the source, it seems it's not. Can anyone please confirm? Did you also get a similar warning from Google?

public void unzip(InputStream fromIs, File toFolder, ProgressListener progressListener) throws IOException {
        if (!toFolder.exists()) {
            toFolder.mkdirs();
        }

        long sumBytes = 0L;
        ZipInputStream zis = new ZipInputStream(fromIs);

        try {
            ZipEntry ze = zis.getNextEntry();

            for(byte[] buffer = new byte[8192]; ze != null; ze = zis.getNextEntry()) {
                if (ze.isDirectory()) {
                    (new File(toFolder, ze.getName())).mkdir();
                } else {
                    double factor = 1.0D;
                    if (ze.getCompressedSize() > 0L && ze.getSize() > 0L) {
                        factor = (double)ze.getCompressedSize() / (double)ze.getSize();
                    }

                    File newFile = new File(toFolder, ze.getName());
                    FileOutputStream fos = new FileOutputStream(newFile);

                    int len;
                    try {
                        while((len = zis.read(buffer)) > 0) {
                            fos.write(buffer, 0, len);
                            sumBytes = (long)((double)sumBytes + (double)len * factor);
                            if (progressListener != null) {
                                progressListener.update(sumBytes);
                            }
                        }
                    } finally {
                        fos.close();
                    }
                }
            }

            zis.closeEntry();
        } finally {
            zis.close();
        }

    }

Best

Please use the latest version, where this is fixed.
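
For readers who cannot upgrade yet, the check that the Google warning asks for looks like this. It is an added example, not GraphHopper's own fix: the class name SafeUnzipper and the helper resolveInside are hypothetical, the progress listener from the posted method is omitted, and the archive in main is constructed for the demonstration.

```java
import java.io.*;
import java.nio.file.Files;
import java.util.zip.*;

public class SafeUnzipper {
    // Resolve an entry name under toFolder; reject names that escape it.
    static File resolveInside(File toFolder, String entryName) throws IOException {
        File target = new File(toFolder, entryName);
        // Trailing separator keeps a sibling such as "out-evil" from matching "out".
        String root = toFolder.getCanonicalPath() + File.separator;
        // getCanonicalPath() collapses "../" segments before the prefix check.
        if (!(target.getCanonicalPath() + File.separator).startsWith(root)) {
            throw new IOException("Zip entry escapes target folder: " + entryName);
        }
        return target;
    }

    public static void unzip(InputStream fromIs, File toFolder) throws IOException {
        toFolder.mkdirs();
        byte[] buffer = new byte[8192];
        try (ZipInputStream zis = new ZipInputStream(fromIs)) {
            for (ZipEntry ze = zis.getNextEntry(); ze != null; ze = zis.getNextEntry()) {
                File target = resolveInside(toFolder, ze.getName()); // validate before any write
                if (ze.isDirectory()) { target.mkdirs(); continue; }
                target.getParentFile().mkdirs();
                try (FileOutputStream fos = new FileOutputStream(target)) {
                    for (int len; (len = zis.read(buffer)) > 0; ) {
                        fos.write(buffer, 0, len);
                    }
                }
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample archive: one normal entry, one traversal entry.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            for (String name : new String[] {"maps/ok.txt", "../outside.txt"}) {
                zos.putNextEntry(new ZipEntry(name));
                zos.write("data".getBytes());
            }
        }
        File dir = Files.createTempDirectory("unzip-demo").toFile();
        try {
            unzip(new ByteArrayInputStream(bos.toByteArray()), dir);
        } catch (IOException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

The first entry is extracted under the temporary folder, and extraction stops with an IOException at the second entry before any file is created outside it.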