[Security] Path Traversal via unsanitized output_dir parameter in decode_apk tool #9

@head-blini

Hi @zinja-coder,

I found a security vulnerability in apktool-mcp-server where the output_dir parameter in the decode_apk tool is not validated against the configured WORKSPACE_DIR, allowing APK contents to be extracted to arbitrary locations on the filesystem.

Affected parameter: output_dir in decode_apk() (apktool_mcp_server.py line 320)
Severity: High (CWE-22)

Root cause:

```python
# apk_path is validated ✓
path_validation = ValidationUtils.validate_path(apk_path, must_exist=True)

# output_dir is NOT validated ✗ — no restriction to WORKSPACE_DIR
if output_dir is None:
    output_dir = os.path.join(WORKSPACE_DIR, apk_name)   # safe default
# But if user provides output_dir, it goes directly to apktool with no check:
command = ["apktool", "d", apk_path, "-o", output_dir]  # arbitrary path!
```

Attack scenario (concept only):

  1. Provide a crafted APK
  2. Set output_dir to a sensitive path (e.g. web server root, ~/.ssh/, cron directory)
  3. APK contents are extracted to that location → arbitrary file write

Note: This is separate from CVE-2024-21633 (apktool resource name traversal) — this is a vulnerability in the MCP server's own parameter handling.

Could you please enable GitHub Private Vulnerability Reporting so I can share full PoC details privately?

Fix: Validate output_dir against WORKSPACE_DIR using os.path.realpath():

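```python
if output_dir is not None:
    # Resolve symlinks and ".." segments before comparing
    real_output = os.path.realpath(output_dir)
    real_workspace = os.path.realpath(WORKSPACE_DIR)
    # Compare whole path components: a plain startswith() would also accept
    # a sibling directory such as WORKSPACE_DIR + "_other"
    if os.path.commonpath([real_output, real_workspace]) != real_workspace:
        return {"success": False, "error": "output_dir must be within WORKSPACE_DIR"}
```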

If I don't hear back within 14 days, I will proceed with direct CVE submission via MITRE.

Thanks
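
Added example, not part of the original issue or the project's code: a containment check for `output_dir` that resolves the path first and compares whole path components, run against a constructed temporary tree containing a sibling directory that shares the workspace's name prefix and a symlink that leaves the workspace. The names `resolve_output_dir` and `demo` and the directory names are hypothetical.

```python
import os
import tempfile


def resolve_output_dir(output_dir, workspace_dir, apk_name):
    """Return a resolved path inside workspace_dir, or raise ValueError."""
    workspace = os.path.realpath(workspace_dir)
    # Relative values are anchored to the workspace, not the process CWD.
    # An absolute value replaces the base in os.path.join and is checked below.
    candidate = os.path.join(workspace, apk_name if output_dir is None else output_dir)
    real = os.path.realpath(candidate)  # collapses ".." and follows symlinks
    # commonpath compares components, so "<ws>_evil" does not count as inside "<ws>".
    if os.path.commonpath([real, workspace]) != workspace:
        raise ValueError("output_dir must be within WORKSPACE_DIR")
    return real


def demo():
    """Classify constructed output_dir values as 'allowed' or 'rejected'."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        root = os.path.realpath(root)
        ws = os.path.join(root, "ws")            # constructed workspace
        outside = os.path.join(root, "ws_evil")  # sibling sharing the "ws" prefix
        os.makedirs(ws)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(ws, "link"))  # symlink leaving the workspace
        cases = {
            "default": None,
            "relative": "out/app",
            "dotdot": "../ws_evil/x",
            "sibling_prefix": outside,
            "symlink": os.path.join(ws, "link", "x"),
            "absolute_outside": os.path.join(root, "other"),
        }
        for name, value in cases.items():
            try:
                resolve_output_dir(value, ws, "sample")
                results[name] = "allowed"
            except ValueError:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18s} {verdict}")
```

Passing the returned resolved path to apktool, rather than the caller's original string, keeps the checked path and the used path identical.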
