CodeMinion / another_brother

Another Brother Flutter SDK
BSD 3-Clause "New" or "Revised" License

Vulnerability issue due to outdated Brother SDK #34

Closed grendes-wunder closed 1 year ago

grendes-wunder commented 1 year ago

Hi @CodeMinion ,

we try to publish an app using this dependency, but PlayStore indicated the following error:


Zip Path Traversal
Your app contains an unsafe unzipping pattern that may lead to a Path Traversal vulnerability. Please see [this Google Help Center article](https://support.google.com/faqs/answer/9294009) to learn how to fix the issue.

 * com.brother.ptouch.sdk.Printer.unzipFile

As far as we could tell, it's due to the fact that this library uses the v3.5.1 version of the Brother Printer SDK from here: https://rouninlabs.jfrog.io/ui/native/rounin-libs-external/com/brother/sdk/printer/1.0.0/

As we checked, the latest v4.6.1 version of the SDK has fixed this issue and it is backward compatible with v3 sdk: https://support.brother.com/g/s/es/dev/en/mobilesdk/download/index.html?c=eu_ot&lang=en&navi=offall&comple=on&redirect=on#android

Could you please update this SDK to the latest? Is there anything we could assist you with this?
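
The unsafe pattern the Play Console check refers to, beside the hardened form Google's help article recommends, as an added example: this is my own code, not the Brother SDK's `Printer.unzipFile` nor any code from this plugin, and the class, method names and the hostile archive (built in memory) are mine. The vulnerable version trusts `ZipEntry.getName()` verbatim, so an entry named `../escaped.txt` lands outside the extraction directory; the hardened version canonicalises the resolved path and refuses anything that does not stay under the destination.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.zip.ZipEntry;
import java.util.zip.ZipException;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

// Hypothetical demo class; not part of the Brother SDK or another_brother.
public class ZipSlipDemo {

    // VULNERABLE: the entry name is joined to destDir without any check, so
    // "../escaped.txt" resolves to destDir's parent. This is the "unsafe
    // unzipping pattern" the Play Console warning describes.
    static void unzipUnsafe(InputStream zipBytes, File destDir) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(zipBytes)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                File out = new File(destDir, entry.getName());
                if (entry.isDirectory()) { out.mkdirs(); continue; }
                out.getParentFile().mkdirs();
                try (OutputStream os = new FileOutputStream(out)) { copy(zis, os); }
            }
        }
    }

    // HARDENED: canonicalise the resolved path and require it to start with the
    // canonical destination plus a separator, so "../", absolute names and
    // symlinked parents cannot escape. Returns the number of files written.
    static int unzipSafe(InputStream zipBytes, File destDir) throws IOException {
        String root = destDir.getCanonicalPath() + File.separator;
        int written = 0;
        try (ZipInputStream zis = new ZipInputStream(zipBytes)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                File out = new File(destDir, entry.getName());
                if (!out.getCanonicalPath().startsWith(root)) {
                    throw new ZipException("Entry escapes extraction dir: " + entry.getName());
                }
                if (entry.isDirectory()) { out.mkdirs(); continue; }
                out.getParentFile().mkdirs();
                try (OutputStream os = new FileOutputStream(out)) { copy(zis, os); }
                written++;
            }
        }
        return written;
    }

    // Constructed hostile archive: one benign entry, then one traversal entry.
    static byte[] buildHostileZip() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            putEntry(zos, "ok.txt", "benign content");
            putEntry(zos, "../escaped.txt", "written outside the extraction dir");
        }
        return bos.toByteArray();
    }

    static void putEntry(ZipOutputStream zos, String name, String body) throws IOException {
        zos.putNextEntry(new ZipEntry(name)); // ZipEntry performs no name validation
        zos.write(body.getBytes(StandardCharsets.UTF_8));
        zos.closeEntry();
    }

    static void copy(InputStream in, OutputStream out) throws IOException {
        byte[] buf = new byte[4096];
        int n;
        while ((n = in.read(buf)) != -1) out.write(buf, 0, n);
    }

    public static void main(String[] args) throws IOException {
        byte[] zip = buildHostileZip();
        // Extract into sandbox/extract so the escaped file stays inside our temp dir.
        File sandbox = Files.createTempDirectory("zipslip").toFile();
        File destDir = new File(sandbox, "extract");

        unzipUnsafe(new ByteArrayInputStream(zip), destDir);
        System.out.println("unsafe: file landed outside destDir? "
                + new File(sandbox, "escaped.txt").exists()); // true

        try {
            unzipSafe(new ByteArrayInputStream(zip), destDir);
            System.out.println("safe: extraction completed (should not happen)");
        } catch (ZipException e) {
            System.out.println("safe: rejected -> " + e.getMessage());
        }
    }
}
```

Run with `javac ZipSlipDemo.java && java ZipSlipDemo`. Note that `unzipSafe` stops at the first bad entry, so any entries before it have already been written; if partial extraction matters, extract into a fresh temporary directory and move it into place only once every entry has passed the check. Because a third-party library's bytecode is scanned along with your own, the only real fix for a flagged SDK method is the one taken in this thread: move to a vendor release that contains the check.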

CodeMinion commented 1 year ago

Hi @grendes-wunder ,

Thanks for reaching out about this. Fortunately the only breaking change between the old and new version was the rename of two methods so the integration went smoothly. I did some initial testing and all seems to be working well.

I will do some additional testing later tonight and if all checks out move forward with the official release. In the meantime you could help me out a lot by validating the latest version works with your printer(s). You may build using this branch: https://github.com/CodeMinion/another_brother/tree/android-4-6-1-update

# pubspec.yaml: pin the plugin to the test branch (a branch is selected with `ref`;
# `path` would mean a subdirectory inside the repository)
dependencies:
  another_brother:
    git:
      url: https://github.com/CodeMinion/another_brother.git
      ref: android-4-6-1-update

Thanks again for reaching out about this and please don't hesitate to reach out if there is anything else I can help with,

grendes-wunder commented 1 year ago

Hi @CodeMinion

gosh, you are fast, I really appreciate it! The least we can do is test our app thoroughly with the latest branch; I'll get back to you on this!

CodeMinion commented 1 year ago

Hi @grendes-wunder ,

Don't mention it, I simply got lucky there were only minor changes between the versions. I have tested with the printers I have and it all seems to check out.

Version 0.0.29 is now available in pub.dev.

Thanks again for reaching out about this,

grendes-wunder commented 1 year ago

Hi @CodeMinion ,

we can confirm that everything works as expected with the new another_brother (0.0.29) and Brother SDK (4.6.1) versions. The new version has already been reviewed by Google and I am glad to report that this time no errors/vulnerabilities were reported.

Thank you once again :)

CodeMinion commented 1 year ago

That's great to hear @grendes-wunder ! Thanks again for verifying the latest version.