Improved path traversal mitigation as by security advisory

federicoiosue · federicoiosue · commit 2df9d1c262b7 · 2023-11-12T18:38:45.000+01:00
GHSA-g38r-4cf6-3v32
diff --git a/omniNotes/src/androidTest/java/it/feio/android/omninotes/utils/SecurityTest.kt b/omniNotes/src/androidTest/java/it/feio/android/omninotes/utils/SecurityTest.kt
@@ -30,7 +30,8 @@ import org.junit.runner.RunWith
 
 @RunWith(AndroidJUnit4::class)
 class SecurityTest : BaseAndroidTestCase() {
-    private val LOREM = ("Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor"
+
+    private val exampleText = ("Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor"
             + " incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco"
             + " laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit "
             + "esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa "
@@ -57,7 +58,7 @@ class SecurityTest : BaseAndroidTestCase() {
 
     @Test
     fun decryptUnencrypted() {
-        assertNotEquals(0, decrypt(LOREM, PASS)!!.length.toLong())
+        assertNotEquals(0, decrypt(exampleText, PASS)!!.length.toLong())
     }
 
     @Test
@@ -74,6 +75,13 @@ class SecurityTest : BaseAndroidTestCase() {
         assertThrows(ContentSecurityException::class.java) { validatePath(path) }
     }
 
+    @Test
+    fun validatePath_pathTraversal2() {
+        val path = "file:////////data/data/it.feio.android.omninotes.foss/shared_prefs/it.feio.android.omninotes.foss_preferences.xml"
+
+        assertThrows(ContentSecurityException::class.java) { validatePath(path) }
+    }
+
     @Test
     fun validatePath_valid() {
         val path = "/images/screenshot/16844742322307525633366385236595.jpg"
diff --git a/omniNotes/src/main/java/it/feio/android/omninotes/utils/Security.kt b/omniNotes/src/main/java/it/feio/android/omninotes/utils/Security.kt
@@ -90,7 +90,7 @@ class Security private constructor() {
         @JvmStatic
         @Throws(ContentSecurityException::class)
         fun validatePath(path: String?) {
-            val uri = Uri.parse(path).path
+            val uri = Uri.parse(path).path?.replace("/+".toRegex(), "/")
             if (uri?.startsWith("/data")!! || uri.contains("../")) {
                 throw ContentSecurityException("Invalid")
             }

Original file line number	Diff line number	Diff line change
`@@ -90,7 +90,7 @@ class Security private constructor() {`
`90`	`90`	`@JvmStatic`
`91`	`91`	`@Throws(ContentSecurityException::class)`
`92`	`92`	`fun validatePath(path: String?) {`
`93`		`- val uri = Uri.parse(path).path`
	`93`	`+ val uri = Uri.parse(path).path?.replace("/+".toRegex(), "/")`
`94`	`94`	`if (uri?.startsWith("/data")!! \|\| uri.contains("../")) {`
`95`	`95`	`throw ContentSecurityException("Invalid")`
`96`	`96`	`}`