search

microbit-foundation / microbit-android

micro:bit official Android application code. The application is free to download from https://play.google.com/store/apps/details?id=com.samsung.microbit
Apache License 2.0
16 stars 10 forks source link

Fix zip path traversal error and update to v3.0.6 (56) #46

Closed microbit-grace closed 8 months ago

microbit-grace commented 8 months ago

Error found in pre-launch report.

"Your app contains an unsafe unzipping pattern that may lead to a Path Traversal vulnerability. Please see this Google Help Center article to learn how to fix the issue.

com.samsung.microbit.utils.ProjectsHelper.installSamples"

cc: @jaustin @microbit-matt-hillsdon

martinwork commented 8 months ago

It's not going to happen, because the zip is internal to the app, but...

What happens if the exception gets thrown? Does it get caught, or crash the app? Could we get away without throwing an exception, and just step over files with problem paths and continue copying the rest?

microbit-grace commented 8 months ago

It's not going to happen, because the zip is internal to the app, but...

What happens if the exception gets thrown? Does it get caught, or crash the app? Could we get away without throwing an exception, and just step over files with problem paths and continue copying the rest?

I suppose it would crash the app. I have added a commit to continue instead https://github.com/microbit-foundation/microbit-android/pull/46/commits/1778a8549ee54d19d063f0f82c556ac13bf9d0fb

martinwork commented 8 months ago

Thanks @microbit-grace Hopefully that will get rid of the warning.