Fixes for path traversal vulnerabilities #4591

Open
TranceLove wants to merge 2 commits into hotfix/3.11.2 from bugfix/extract-entry
@TranceLove
Collaborator

Description

Fix Extractor.extractEntry implementations that would allow carefully crafted archives to extract files above allowed places in the filesystem.

Issue tracker

Automatic tests

  • Added test cases

Manual tests

  • Done

Build tasks success

Successfully ran the following tasks locally:

  • ./gradlew assembledebug
  • ./gradlew spotlessCheck

Copilot AI left a comment

Pull request overview

Hardens archive extraction against path traversal (“zip slip”) by adding canonical-path checks in multiple extractor implementations and adding regression tests with malicious archives.

Changes:

  • Add canonical-path guards to ZIP/RAR/7z and Commons-Compress-based extractors to prevent writes outside the output directory.
  • Extend entry-path validation logic in CompressedHelper.isEntryPathValid.
  • Add malicious archive fixtures and new unit tests covering traversal attempts.

Reviewed changes

Copilot reviewed 8 out of 11 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| app/src/main/java/com/amaze/filemanager/filesystem/compressed/extractcontents/helpers/ZipExtractor.kt | Adds canonical-path guard for ZipEntry extraction. |
| app/src/play/java/com/amaze/filemanager/filesystem/compressed/extractcontents/helpers/RarExtractor.kt | Strengthens canonical-path check for RAR extraction. |
| app/src/main/java/com/amaze/filemanager/filesystem/compressed/extractcontents/helpers/SevenZipExtractor.kt | Adds canonical-path guard for 7z extraction (file entries). |
| app/src/main/java/com/amaze/filemanager/filesystem/compressed/extractcontents/helpers/AbstractCommonsArchiveExtractor.kt | Adds canonical-path guard for Commons-Compress extractors (file entries). |
| app/src/main/java/com/amaze/filemanager/filesystem/compressed/CompressedHelper.java | Updates entry path validation logic. |
| app/src/test/java/com/amaze/filemanager/filesystem/compressed/extractcontents/ZipExtractorTest.kt | Adds malicious ZIP extraction test. |
| app/src/test/java/com/amaze/filemanager/filesystem/compressed/extractcontents/TarGzExtractorTest.kt | Adds malicious tar.gz extraction test. |
| app/src/test/java/com/amaze/filemanager/filesystem/compressed/extractcontents/SevenZipExtractorTest.kt | Adds malicious 7z extraction test. |
| app/src/test/resources/malicious.zip | Adds malicious ZIP fixture. |
| app/src/test/resources/malicious.tar.gz | Adds malicious tar.gz fixture. |
| app/src/test/resources/malicious.7z | Adds malicious 7z fixture. |
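
A canonical-path guard of the kind the overview describes, as an added example that is not code from this pull request or from the project. The names `resolveInside` and `extractSafely` are hypothetical, and the sample archive is constructed in memory. The guard compares against the output directory plus a path separator, so a sibling directory that merely shares the prefix is refused along with the plain `../` entry.

```kotlin
import java.io.ByteArrayInputStream
import java.io.ByteArrayOutputStream
import java.io.File
import java.nio.file.Files
import java.util.zip.ZipEntry
import java.util.zip.ZipInputStream
import java.util.zip.ZipOutputStream

// Hypothetical helper: canonical target for an entry, or null if it leaves outputDir.
fun resolveInside(outputDir: File, entryName: String): File? {
    val root = outputDir.canonicalFile
    val target = File(root, entryName).canonicalFile
    // A bare startsWith(root.path) would accept ".../out-evil" as being inside ".../out".
    val inside = target == root || target.path.startsWith(root.path + File.separator)
    return if (inside) target else null
}

// Extracts entries that stay inside outputDir and returns the names that were refused.
fun extractSafely(zipBytes: ByteArray, outputDir: File): List<String> {
    val rejected = mutableListOf<String>()
    ZipInputStream(ByteArrayInputStream(zipBytes)).use { zin ->
        generateSequence { zin.nextEntry }.forEach { entry ->
            val target = resolveInside(outputDir, entry.name)
            if (target == null) {
                rejected += entry.name
            } else if (entry.isDirectory) {
                target.mkdirs()
            } else {
                target.parentFile?.mkdirs()
                target.outputStream().use { sink -> zin.copyTo(sink) }
            }
        }
    }
    return rejected
}

fun main() {
    // Constructed sample archive: one benign entry and two traversal attempts.
    val names = listOf("docs/readme.txt", "../escape.txt", "../out-evil/x.txt")
    val bytes = ByteArrayOutputStream()
    ZipOutputStream(bytes).use { zos ->
        for (name in names) {
            zos.putNextEntry(ZipEntry(name))
            zos.write("data".toByteArray())
            zos.closeEntry()
        }
    }
    val out = File(Files.createTempDirectory("zipslip-demo").toFile(), "out").apply { mkdirs() }
    println("rejected: " + extractSafely(bytes.toByteArray(), out))
}
```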
