This is a potential issue for the security of the application using 'receive_sharing_intent' in Android.
In Android, any application can send ACTION_SEND to share a file content to the Flutter app.
When the malicious application is installed and send a intent like below, the Flutter app with 'receive_sharing_intent' will try to process the file path given.
$ adb shell am start -a android.intent.action.SEND -t image/jpeg --eu android.intent.extra.STREAM file:////data/data/my.sample.app.package/database.db
If the application doesn't validate the path and send it through the network, there is a chance to leak the user-information to others.
The purpose of 'receive_sharing_intent' plugin is receiving the file path from another app and delivering to Flutter application. It doesn't include sending a file from the app-private area.
Could you add the path-validation after receiving ACTION_SEND before it is processed in Flutter application?
Potential path traversal "/../" pattern should be removed before processing
The file should not be passed to the application when the file is in app-private area.
This is a potential issue for the security of the application using 'receive_sharing_intent' in Android. In Android, any application can send ACTION_SEND to share a file content to the Flutter app. When the malicious application is installed and send a intent like below, the Flutter app with 'receive_sharing_intent' will try to process the file path given.
If the application doesn't validate the path and send it through the network, there is a chance to leak the user-information to others. The purpose of 'receive_sharing_intent' plugin is receiving the file path from another app and delivering to Flutter application. It doesn't include sending a file from the app-private area. Could you add the path-validation after receiving ACTION_SEND before it is processed in Flutter application?