
Path traversal via content provider DISPLAY_NAME and unvalidated Intent URIs #140

@pubdev-research

Description


Summary

The share_handler_android plugin (v0.0.11, Android) contains path traversal vulnerabilities (CWE-23) where file names obtained from content providers are used directly in
java.io.File constructors without sanitization. A malicious app sharing content via Intent.ACTION_SEND can supply a crafted DISPLAY_NAME containing path traversal sequences
(e.g., ../../) to write files outside the intended cache directory.

Affected Code

1. ShareHandlerPlugin.kt — getFileNameFromUri() (line 276–278) → attachmentForUri() (line 251)

The DISPLAY_NAME from a content provider is used directly as a file name:

// getFileNameFromUri() — line 276-278

  val nameIndex = c.getColumnIndex(OpenableColumns.DISPLAY_NAME)
  if (nameIndex != -1) {
      fileName = c.getString(nameIndex)
  }

Then used in a File constructor without sanitization:

// attachmentForUri() — line 251

  val newFile = File(applicationContext.cacheDir, fileName)

2. FileDirectory.kt — getDataColumn() (line 100–103)

Same pattern — _display_name column is used directly:

  val columnIndex = cursor.getColumnIndexOrThrow(column)  // "_display_name"
  val fileName = cursor.getString(columnIndex)
  targetFile = File(context.cacheDir, fileName)

The file content is then written to this path via FileOutputStream:

  context.contentResolver.openInputStream(uri)?.use { input ->
      FileOutputStream(targetFile).use { fileOut ->
          input.copyTo(fileOut)
      }
  }

Attack Scenario

  1. A malicious app registers as a share source
  2. User shares content from the malicious app to the victim app (which uses share_handler_android)
  3. The malicious app's content provider returns ../../shared_prefs/malicious.xml as DISPLAY_NAME
  4. share_handler_android writes the shared file to {cacheDir}/../../shared_prefs/malicious.xml, escaping the cache directory
  5. The attacker can overwrite app files within the writable scope

Suggested Fix

Sanitize file names before using them in File constructors:

// Option 1: Strip path separators
// (a bare "." or ".." contains no separator, survives this step unchanged,
//  and must still be rejected explicitly)

  val safeName = fileName.replace("/", "").replace("\\", "")

// Option 2: Use only the base name
// (File("..").name is still "..", so reject "." and ".." explicitly here too)

  val safeName = File(fileName).name

// Option 3: Validate canonical path
// (compare against the canonical cache path plus a trailing separator;
//  a bare prefix test would also accept a sibling directory such as ".../cache2")

  val targetFile = File(context.cacheDir, fileName)
  if (!targetFile.canonicalPath.startsWith(context.cacheDir.canonicalPath + File.separator)) {
      throw SecurityException("Path traversal detected")
  }

Both ShareHandlerPlugin.kt and FileDirectory.kt should be patched.
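The following is an added example, not code from share_handler_android: it combines the three options above into one resolver (base name plus canonical-path check) and adds a check-only variant that flags a traversing DISPLAY_NAME, which is the shape a detection or logging hook would take. It runs on a temporary directory standing in for context.cacheDir, against constructed sample names of the kind described in the attack scenario; the function names escapesCacheDir and resolveInsideCache are hypothetical.

```kotlin
import java.io.File
import java.nio.file.Files

// Added example (not share_handler_android code). Function names are hypothetical.

/** True when File(cacheDir, rawName) would resolve to a path that is not strictly inside cacheDir. */
fun escapesCacheDir(cacheDir: File, rawName: String): Boolean {
    val root = cacheDir.canonicalPath
    val target = File(cacheDir, rawName).canonicalPath
    // Trailing separator: ".../cache2" must not pass as being inside ".../cache".
    return !target.startsWith(root + File.separator)
}

/**
 * Resolve a content-provider DISPLAY_NAME to a File strictly inside cacheDir,
 * or return null when the name must be rejected.
 *   Options 1/2: keep only the last segment, treating both '/' and '\\' as separators.
 *   Option 3:    canonicalise and verify the prefix as defence in depth.
 */
fun resolveInsideCache(cacheDir: File, displayName: String?): File? {
    val base = displayName
        ?.replace('\\', '/')
        ?.substringAfterLast('/')
        ?.trim()
        ?: return null
    // "." and ".." contain no separator and survive the step above unchanged.
    if (base.isEmpty() || base == "." || base == "..") return null
    val root = cacheDir.canonicalFile
    val candidate = File(root, base).canonicalFile
    return if (candidate.path.startsWith(root.path + File.separator)) candidate else null
}

fun main() {
    // Stand-in for context.cacheDir; nothing is written to it.
    val cacheDir = Files.createTempDirectory("cache").toFile()
    // Constructed sample DISPLAY_NAME values, including the traversal case from the report.
    val samples = listOf(
        "report.pdf",
        "../../shared_prefs/malicious.xml",
        "..",
        "",
        "sub/inner.txt",
    )
    try {
        for (name in samples) {
            val naive = File(cacheDir, name).canonicalPath   // what the unpatched code would open
            val safe = resolveInsideCache(cacheDir, name)
            println("%-36s escapes=%-5b naive=%s safe=%s"
                .format("\"$name\"", escapesCacheDir(cacheDir, name), naive, safe?.name))
        }
    } finally {
        cacheDir.delete()
    }
}
```

Running it shows "../../shared_prefs/malicious.xml" resolving two levels above the cache directory under the naive File constructor (escapes=true) while the resolver reduces it to "malicious.xml" inside the cache; "" and ".." are rejected outright. Note that "sub/inner.txt" is inside the cache but is flattened to "inner.txt", because Option 2 discards subdirectories; if the plugin ever needs to preserve a provider-supplied subpath, Option 3 alone (with the trailing-separator prefix test) is the check to keep.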

Environment

  • share_handler_android version: 0.0.11 (latest on pub.dev)
  • Platform: Android
  • Tested on Android emulator (API 34)

References

Offer

If you'd like, I can submit a pull request with the fix for both locations.
