Fixing a Zip Path Traversal Vulnerability
This information is intended for developers with app(s) that contain unsafe unzipping patterns, which may potentially lead to a Zip Path Traversal attack. Locations of vulnerable app classes containing unsafe unzipping patterns can be found in the
Play Console notification for your app.
Additional details
Zip files can contain an entry (file or directory) having path traversal characters (“../”) in its name. If developers unzip such zip file entries without validating their name, it can potentially cause a path traversal attack, leading to writes in arbitrary directories or even overwriting the files in the app's private folders.
We recommend fixing this issue in your app by checking if canonical paths to unzipped files are underneath an expected directory. Specifically, before using a
File object created using the return value of
ZipEntry's
getName() method, always check if the return value of
File.GetCanonicalPath() belongs to the intended directory path. For example:
InputStream is = new InputStream(untrustedFileName);
ZipInputStream zis = new ZipInputStream(new BufferedInputStream(is));
while((ZipEntry ze = zis.getNextEntry()) != null) {
File f = new File(DIR, ze.getName());
String canonicalPath = f.getCanonicalPath();
if (!canonicalPath.startsWith(DIR)) {
// SecurityException
}
// Finish unzipping…
}
Next steps
- Update your app using the steps highlighted above.
- Sign in to your Play Console and submit the updated version of your app.
Your app will be reviewed again; if the app has not been updated correctly, you will still see the warning. This process can take several hours.
